Forum Discussion

JBonnet
Nov 30, 2022

F5 GTM Subdelegation

I am practicing a sub-delegation exercise in the lab. In my DNS server I am delegating the subdomain wip.domain.com to the F5 devices. The current zone file for domain.com:

$TTL    604800
@       IN      SOA     domain.com. admin.domain.com. (
                 57     ; Serial
                900     ; Refresh 15 mins
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
; name servers - NS records
                        IN      NS      ns1.domain.com.
                        IN      NS      ns2.domain.com.
; name servers - A records
ns1.domain.com.         IN      A       192.168.242.200
ns2.domain.com.         IN      A       192.168.242.201

www.domain.com.         IN      CNAME   www.wip.domain.com.
wip.domain.com.         IN      NS      gtm1.wip.domain.com.
wip.domain.com.         IN      NS      gtm2.wip.domain.com.
gtm1.wip.domain.com.    IN      A       10.10.4.50
gtm2.wip.domain.com.    IN      A       172.16.14.50

On the F5 GTM device I created a wideip, www.wip.domain.com; this works and returns the relevant A record.

Now I noticed that when I created this, a zone "this.name.is.invalid" was created in ZoneRunner, which creates default NS/SOA and A records (pointing to 127.0.0.1).

What is the correct process from here? Any NS queries etc. that are polled to the GTM respond with "this.name.is.invalid".

- Should I update ZoneRunner with the subdomain zone records? I tried to do this following https://support.f5.co/csp/article/K35603050, but adding a second nameserver in the zone (gtm2.wip.domain.com) failed.
- Or should I create a primary/secondary nameserver on the GTMs for the subdomain?

Thank you in advance
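One sanity check for the delegation set up in the parent zone above, written as an added example in Python (not code from the poster or from F5): it parses a BIND-style zone file, then confirms that the delegated subdomain has at least two NS records, that name servers whose names fall inside the delegated zone carry glue A/AAAA records in the parent, and that no other records sit below the zone cut, where resolvers would ignore them. The zone text is the sample from the question; `parse_zone` and `check_delegation` are hypothetical names chosen for this example.

```python
from typing import Dict, List, Tuple

# Constructed sample input: the parent zone file posted in the question,
# delegating wip.domain.com to the two GTM name servers with glue records.
PARENT_ZONE = """\
$TTL    604800
@       IN      SOA     domain.com. admin.domain.com. (
                 57     ; Serial
                900     ; Refresh 15 mins
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
; name servers - NS records
                        IN      NS      ns1.domain.com.
                        IN      NS      ns2.domain.com.
ns1.domain.com.         IN      A       192.168.242.200
ns2.domain.com.         IN      A       192.168.242.201
www.domain.com.         IN      CNAME   www.wip.domain.com.
wip.domain.com.         IN      NS      gtm1.wip.domain.com.
wip.domain.com.         IN      NS      gtm2.wip.domain.com.
gtm1.wip.domain.com.    IN      A       10.10.4.50
gtm2.wip.domain.com.    IN      A       172.16.14.50
"""

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


def parse_zone(text: str, origin: str) -> List[Record]:
    """Minimal BIND-style zone parser (hypothetical helper): drops comments,
    joins parenthesised multi-line records, expands '@' and blank (inherited)
    owner names, and skips optional TTL/class fields. Owners come back FQDN."""
    origin = origin.rstrip(".") + "."
    lines = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip ';' comments
        if line.strip():
            lines.append(line)
    joined, buf, depth = [], "", 0
    for line in lines:                          # join "( ... )" records
        buf = f"{buf} {line}" if buf else line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            joined.append(buf)
            buf = ""
    records, last_owner = [], origin
    for line in joined:
        if line.startswith("$"):                # $TTL / $ORIGIN directives
            if line.split()[0].upper() == "$ORIGIN":
                origin = line.split()[1]
            continue
        fields = line.split()
        if not line[0].isspace():               # explicit owner name
            owner = fields.pop(0)
            owner = origin if owner == "@" else owner
            last_owner = owner if owner.endswith(".") else f"{owner}.{origin}"
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                       # optional TTL and class
        rtype = fields.pop(0).upper()
        rdata = " ".join(fields).replace("(", "").replace(")", "").strip()
        records.append((last_owner, rtype, rdata))
    return records


def check_delegation(records: List[Record], child: str) -> List[str]:
    """Return the problems found with the delegation of `child` in the parent
    zone: too few NS records, in-zone name servers without glue, and records
    below the zone cut that are occluded (never served to resolvers)."""
    child = child.rstrip(".") + "."
    problems: List[str] = []
    ns_targets = [r for o, t, r in records if o == child and t == "NS"]
    if len(ns_targets) < 2:
        problems.append(f"{child} has {len(ns_targets)} NS record(s); two or more are expected")
    addresses: Dict[str, List[str]] = {}
    for o, t, r in records:
        if t in ("A", "AAAA"):
            addresses.setdefault(o, []).append(r)
    for ns in ns_targets:                        # glue is required only for in-zone NS names
        if ns.endswith("." + child) and ns not in addresses:
            problems.append(f"NS {ns} is inside {child} but has no glue A/AAAA record")
    for o, t, r in records:                      # anything else below the cut is occluded
        below_cut = o == child or o.endswith("." + child)
        is_delegation = o == child and t == "NS"
        is_glue = t in ("A", "AAAA") and o in ns_targets
        if below_cut and not (is_delegation or is_glue):
            problems.append(f"{t} record for {o} is occluded by the delegation of {child}")
    return problems


if __name__ == "__main__":
    recs = parse_zone(PARENT_ZONE, "domain.com")
    for line in check_delegation(recs, "wip.domain.com") or ["delegation of wip.domain.com looks consistent"]:
        print(line)
```

Run against the posted zone the check reports nothing, which is the expected result: the parent only needs the two NS records plus their glue, and everything under www.wip.domain.com is then answered by the GTMs, not by the parent.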

1 Reply

xuwen

The existing SOA and NS records of the zone under ZoneRunner will not be overwritten by the above operations. I recommend you delete the wideip www.wip.domain.com and then delete the zone wip.domain.com under ZoneRunner.
Finally, modify the SOA and NS record values of the zone automatically generated by the wideip:
modify gtm global-settings general wideip-zone-nameserver gtm2.wip.domain.com.
After the above steps are completed, you can create the wideip www.wip.domain.com and then observe whether the SOA and NS records change to gtm2.wip.domain.com.

And if you create another wideip www.test.com, the NS and SOA of the ZoneRunner zone test.com. will also be gtm2.wip.domain.com.

Tips: in low GTM versions, such as v12, the default SOA and NS value of the zone created by a wideip is the F5 hostname.