DNSSEC DS record upload -HOWTO- ??
Hello Folks
I'm setting up a DNSSEC environment using a RHEL server with BIND as my primary/master DNS server and delegating (via CNAMEs) intelligent resolution (through wide-ips) to my GTM box.
I have set up one zone (3gnetworks.cr.) with standard records (SOA, NS, A) BUT I have not done any DNSSEC setup at the server level.
I already went through the whole process of configuring DNSSEC on my GTM box, so if I query the GTM (192.168.20.253) directly for the wide-ip configured on the box, it works as expected!
[glenn@MyDNS ~]$ dig @192.168.20.253 misubasta.3gnetworks.cr +dnssec
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @192.168.20.253 misubasta.3gnetworks.cr +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2837
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2048
;; QUESTION SECTION:
;misubasta.3gnetworks.cr. IN A
;; ANSWER SECTION:
misubasta.3gnetworks.cr. 30 IN A 192.168.20.6
misubasta.3gnetworks.cr. 30 IN RRSIG A 7 3 30 20130716080024 20130709080023 54335 3gnetworks.cr. TNElaYQLSBBRaWBtZmp4r0s1C+KHmMB4vAJivA+biXewUr6ToEXLD6xL PKQxvPDByJA85OkltII1lrfw49B0EDs9ZEYGrDQUr8D/U5VWvv5+ZQYw EmR4icuSeHedw+8bNECvMFtCa4ZC38ANUCO0ZfVq3KmOuJjZYF3WNqKL Wmo=
++++++++++++++++++++end of output++++++++++++++++++++++++++++++++++++++
BUT if I query my primary DNS server (192.168.20.250)
[glenn@MyDNS ~]$ dig @192.168.20.250 misubasta.3gnetworks.cr +dnssec
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @192.168.20.250 misubasta.3gnetworks.cr +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64191
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;misubasta.3gnetworks.cr. IN A
;; ANSWER SECTION:
misubasta.3gnetworks.cr. 38400 IN CNAME wideip.misubasta.3gnetworks.cr.
wideip.misubasta.3gnetworks.cr. 30 IN A 192.168.20.6
;; AUTHORITY SECTION:
wideip.misubasta.3gnetworks.cr. 38400 IN NS gtm2.wideip.misubasta.3gnetworks.cr.
wideip.misubasta.3gnetworks.cr. 38400 IN NS gtm1.wideip.misubasta.3gnetworks.cr.
I don't get the RRSIG record for misubasta.3gnetworks.cr.
What I think I'm missing is the DS record I need to upload from my GTM to my parent zone (in this case 3gnetworks.cr).
If I take a look at the DSSET file I can see the DS record:
[root@malpais:Active:Standalone] config cat /config/gtm/dsset-3gnetworks.cr
3gnetworks.cr. 86400 IN DS 9921 7 1 1936bf2f16e3569dd55d756e3ff4b82998882f5b
{key = /Common/3gKSK, gen = 1}
MY QUESTION WOULD BE:
How to upload the DS record to my BIND server to establish the chain of trust?
Thanks in advance, folks!!!
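Two checks are worth running before any DS record goes into the BIND zone, and the following added example (not code from the original post, from F5, or from BIND) performs both. First, a DS record lives in the parent zone at the delegation point, i.e. at the same owner name as the child's NS records, and its digest must be computed over the child's DNSKEY at that same name (RFC 4034 section 5.1.4). In the dsset file shown above the owner is 3gnetworks.cr., which is the name of the BIND zone itself, while the BIND answer shows the delegation at wideip.misubasta.3gnetworks.cr., so the check below flags that line as not matching any delegation point. Second, the answer from 192.168.20.250 carries no RRSIG because, as the post says, the BIND zone is not signed yet; a DS placed in an unsigned parent is not covered by any RRSIG, so validators cannot use it to extend a chain of trust, and the parent in turn needs its own DS in cr. for the chain to reach the root. The parent zone lines and the ns1 name server below are constructed sample data; the delegation names and the DS line are taken from the thread.

```python
import base64
import hashlib
import struct

# Added example (not from the original post, F5 or BIND): checks a DS record
# against the child's DNSKEY (RFC 4034 section 5.1.4) and against the
# delegation points in the parent zone, the only places a DS may appear.

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # RFC 4034 / RFC 4509


def canonical_name(name):
    """Owner name in wire format, lowercased (RFC 4034 section 6.2)."""
    labels = name.lower().rstrip(".").split(".") if name.strip(".") else []
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=1):
    """Compute (key tag, algorithm, digest type, hex digest) for a DNSKEY RR."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_ALGS[digest_type](canonical_name(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_ds_line(line):
    """Parse a dsset-style line '<owner> [ttl] [IN] DS <tag> <alg> <dtype> <hex>'."""
    parts = line.split()
    i = parts.index("DS")
    return (parts[0].lower(),
            (int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3]),
             "".join(parts[i + 4:]).lower()))


def ds_matches_dnskey(ds_line, owner, flags, protocol, algorithm, pubkey_b64):
    """True if the DS line was derived from this DNSKEY at this owner name."""
    ds_owner, (tag, alg, dtype, digest) = parse_ds_line(ds_line)
    if ds_owner != owner.lower() or dtype not in DIGEST_ALGS:
        return False
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return expected == (tag, alg, dtype, digest)


def delegation_points(parent_zone_lines, apex):
    """Owner names of NS RRsets below the apex of the parent zone."""
    apex = apex.lower()
    points = set()
    for line in parent_zone_lines:
        parts = line.split()
        if len(parts) >= 4 and "NS" in parts[1:4] and parts[0].lower() != apex:
            points.add(parts[0].lower())
    return points


def ds_placement_check(ds_line, parent_zone_lines, apex):
    """Return (ok, message): does the DS owner name sit at a delegation point?"""
    ds_owner, _ = parse_ds_line(ds_line)
    if ds_owner == apex.lower():
        return False, "DS owner is the parent apex itself; a DS for %s belongs in its own parent zone" % apex
    if ds_owner not in delegation_points(parent_zone_lines, apex):
        return False, "no NS delegation for %s in %s; the DS must sit at the delegation point" % (ds_owner, apex)
    return True, "DS owner %s matches a delegation in %s" % (ds_owner, apex)


# Constructed sample parent zone: the apex NS (ns1 is made up) plus the
# delegation that the BIND answer in the thread shows. The DS line is the one
# from the GTM dsset file in the thread.
PARENT_ZONE = [
    "3gnetworks.cr. 38400 IN NS ns1.3gnetworks.cr.",
    "wideip.misubasta.3gnetworks.cr. 38400 IN NS gtm1.wideip.misubasta.3gnetworks.cr.",
    "wideip.misubasta.3gnetworks.cr. 38400 IN NS gtm2.wideip.misubasta.3gnetworks.cr.",
]
GTM_DS = "3gnetworks.cr. 86400 IN DS 9921 7 1 1936bf2f16e3569dd55d756e3ff4b82998882f5b"

if __name__ == "__main__":
    ok, message = ds_placement_check(GTM_DS, PARENT_ZONE, "3gnetworks.cr.")
    print("placement ok" if ok else "placement problem", "-", message)
```

To use it against a real setup, feed `ds_matches_dnskey` the KSK DNSKEY RR that the child name server returns for the delegated name, and run `ds_placement_check` over the parent zone file with its apex; only a DS that passes both is worth adding next to the NS records, and only after the parent zone itself is signed.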
1 Reply
- Michael_Yates
Hi Glenn,
Have you considered using your GTM Servers in an Authoritative Screen Mode and let the GTM perform your DNSSEC for you?
Here is an overview of it: Deploying the BIG-IP GTM for DNSSEC.
Hope this helps.
