For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JustCooLpOOLe's avatar
JustCooLpOOLe
Icon for Cirrocumulus rankCirrocumulus
Jul 12, 2017

DNSSEC - Zone Signing and Key Signing Keys

I'm looking into using DNSSEC for our Wide-Ips. I've got the signing working for our UAT records but now I'm more interested in the best practices for the Zone Signing and Key Signing Keys as well a...
BIG-IP DNS
security
Leonardo_Souza's avatar
Leonardo_Souza
Icon for Cirrocumulus rankCirrocumulus
Jul 14, 2017

Have you read this link?

 

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-dns-services-implementations-13-0-0/6.html

 

I don't play with DNSSEC very often, but let me try answer the questions:

 

What is the function of the rollover period in relation to the expiration period?

 

Rollover period is when both keys are valid.

 

What is the best practice value for the rollover period?

 

The manual talks about 21 days.

 

What happens once the Expiration Period ends? Will I need to recreate the keys?

 

You should had already created a second key before that, during the rollover period, so that key should be valid.