Configuring BIG-IP for Zone Transfer and DNSSEC

This article is for organizations that use F5 BIG-IP DNS as their primary DNS server. The guide has two parts. First, it shows how to configure BIG-IP DNS to perform a zone transfer to a secondary DNS server. Second, it shows how to enable DNSSEC (Domain Name System Security Extensions) on BIG-IP DNS.

Part 1: Configure BIG-IP DNS for Zone Transfer

This part of the article covers setting up BIG-IP DNS for zone transfer. It assumes that you already have DNS records configured via ZoneRunner. With that in place, let's set up BIG-IP for zone transfer to a secondary DNS, which in this example is F5 Distributed Cloud DNS (F5XC).

Step 1: Create a custom DNS Profile

  1. On the Main tab, click DNS > Delivery > Profiles, then click Create.
  2. Type a Name for the custom DNS profile.
  3. Select 'dns' as the Parent Profile from which the custom profile inherits its settings.
  4. In the DNS Traffic area, for Zone Transfer, select Enabled.
  5. Click Save & Close.

Step 2: Create a custom DNS Listener

  1. On the Main tab, click DNS > Delivery > Listeners, click Create.
  2. In the Name field, type a unique name for the listener.
  3. For the Destination setting, in the Address field, type an IPv4 address on which BIG-IP DNS listens for network traffic.
  4. In the Service area, from the Protocol list, select UDP.
  5. In the Service area, from the DNS Profile list, select the custom profile created on Step 1.
  6. Click Finished.
  7. Repeat steps 1-6 to create a TCP listener, selecting TCP in step 4. The TCP listener is not optional: zone transfers (AXFR) are carried over TCP, so a UDP-only listener will never serve them.

Step 3: Generate a TSIG Key

  1. On the BIG-IP DNS command line, run the following in bash:

    tsig-keygen -a HMAC-SHA256 <tsig name>
    Example:
    tsig-keygen -a HMAC-SHA256 example

  2. The output should look like the following. The secret shown here is only an illustration: generate your own and treat it as a credential, because anyone who holds it can request a copy of the zone.

    key "example" {
            algorithm hmac-sha256;
            secret "UAHXLiErXSTXw84QcaeWk2jLnU0GYXGWBQ2IT+rtfCU=";
    };

Step 4: Configure TSIG Key 

In the BIG-IP GUI, go to DNS > Delivery > Keys > TSIG Key List, click Create.

Name: example
Algorithm: HMAC SHA-256
Secret: <paste the secret output generated from Step 3>

Step 5: Create Nameservers

  1. Go to DNS > Delivery > Nameservers > Nameserver List, click Create
  2. Create the following nameserver objects:

    Name: localbind, Address: 127.0.0.1, Service Port: 53
    Name: f5xcdns1, Address: 52.14.213.208, Service Port: 53,  TSIG Key: example
    Name: f5xcdns2, Address: 3.140.118.214, Service Port: 53,  TSIG Key: example

    The IP addresses that F5XC uses for zone transfers are listed at https://docs.cloud.f5.com/docs/reference/network-cloud-ref

Step 6: Create DNS Zone for Zone Transfer

  1. Go to DNS > Zones > Zones > Zones List, click Create.
  2. Fill the following details:

    Name: f5sg.com
    DNS Express :: Server: localbind
    Zone Transfer Clients :: Nameservers: Select f5xcdns1 & f5xcdns2
    TSIG :: Server Key: example

Step 7: Include TSIG in named.conf

  1. On the BIG-IP command line, create a new file named tsig.key in the /var/named/config directory. For example, to create it with the vi editor, enter the following command:

    vi /var/named/config/tsig.key

  2. Paste the key stanza generated in Step 3 into the file:

    key "example" {
            algorithm hmac-sha256;
            secret "UAHXLiErXSTXw84QcaeWk2jLnU0GYXGWBQ2IT+rtfCU=";
    };

  3. Save the tsig.key file.
  4. Create a symbolic link to the tsig.key file in the /config directory (files under /config are included in UCS archives, so the key survives backups and upgrades) by entering the following command:

    ln -s /var/named/config/tsig.key /config/tsig.key

  5. To set the correct owner for the tsig.key file, enter the following command:

    chown named:named /var/named/config/tsig.key

  6. Open /var/named/config/named.conf for editing. For example, with the vi editor:

    vi /var/named/config/named.conf

  7. Add the following include statement to the top of the named.conf file, below the first two comments in the file:

    include "/config/tsig.key";

  8. Save the file.

 

Step 8: Add the Secondary DNS (F5XC DNS) IP addresses in Zone Transfer allow list

  1. Open /var/named/config/named.conf for editing again. For example, with the vi editor:

    vi /var/named/config/named.conf

  2. Add the following acl statement at the bottom of the named.conf file. (The IP addresses that F5XC uses for zone transfers are listed at https://docs.cloud.f5.com/docs/reference/network-cloud-ref; keep the ACL in sync with that list.)

    acl "F5XC" {
        52.14.213.208/32;
        3.140.118.214/32;
    };

  3. Add the F5XC ACL inside the allow-transfer block. This allows F5XC to make AXFR requests; together with the TSIG key assigned to the zone in Step 6, a client must both come from a listed address and sign its request with the key.

    allow-transfer {
      localhost;
      F5XC;  <--- Add this line
    };

  4. Save the file
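Once Steps 1-8 are in place, the check a practitioner wants is the one the secondary itself performs: a TSIG-signed AXFR over TCP must return the whole zone, and an unsigned AXFR must be refused. The script below is an added example, not part of the original article and not F5 tooling. It assumes `dig` is installed, that LISTENER is the BIG-IP listener address from Step 2, and that the host running it has been added as a Zone Transfer Client of the zone (Step 6) with the same TSIG key; the key stanza, the dig output and the file path at the bottom are constructed samples and assumptions.

```python
"""Check a BIG-IP DNS zone transfer the way the secondary would: a TSIG-signed
AXFR must return the whole zone, an unsigned AXFR must be refused.

Added example, not part of the original article or of F5's tooling. Assumes
`dig` is installed, LISTENER is the BIG-IP listener from Step 2, and this host
is a Zone Transfer Client of the zone with the same TSIG key."""
import base64
import re
import subprocess

LISTENER = "192.0.2.53"   # assumption: BIG-IP DNS listener address (Step 2)
ZONE = "f5sg.com"

# Matches the stanza tsig-keygen prints (Step 3) and the tsig.key file (Step 7).
KEY_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*algorithm\s+(?P<alg>[\w-]+)\s*;'
    r'\s*secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;', re.S)


def parse_tsig_key(text):
    """Extract (name, algorithm, secret) from a BIND key stanza and check that
    the secret is valid base64 of a 32-byte HMAC-SHA256 key."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key stanza found")
    alg = m["alg"].lower()
    raw = base64.b64decode(m["secret"], validate=True)
    if alg == "hmac-sha256" and len(raw) != 32:
        raise ValueError("hmac-sha256 secret is %d bytes, expected 32" % len(raw))
    return m["name"], alg, m["secret"]


def dig_axfr_cmd(server, zone, key=None):
    """dig command for an AXFR over TCP; key=(name, alg, secret) adds TSIG signing."""
    cmd = ["dig", "+tcp", "+noall", "+answer", "@" + server, zone, "AXFR"]
    if key is not None:
        name, alg, secret = key
        cmd += ["-y", "%s:%s:%s" % (alg, name, secret)]
    return cmd


def axfr_complete(output, zone):
    """True only for a full transfer: dig reported no failure, and the first and
    last records are the zone's SOA with the same serial."""
    owner = zone.rstrip(".").lower() + "."
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";"):          # dig comments, e.g. "; Transfer failed."
            if "Transfer failed" in line or "REFUSED" in line:
                return False
            continue
        records.append(line.split())
    if len(records) < 2:
        return False
    first, last = records[0], records[-1]
    # record fields: owner ttl class type mname rname serial ...
    return all(len(r) > 6 and r[0].lower() == owner and r[3] == "SOA"
               for r in (first, last)) and first[6] == last[6]


def check_transfer(server, zone, key):
    """Run both probes; returns (signed_ok, unsigned_refused)."""
    def run(cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    signed = axfr_complete(run(dig_axfr_cmd(server, zone, key)), zone)
    unsigned = axfr_complete(run(dig_axfr_cmd(server, zone)), zone)
    return signed, not unsigned


# Constructed samples: a key stanza in the Step 3 format (secret is not a real key)
# and dig output for a complete transfer and for a refused one.
SAMPLE_KEY_STANZA = '''key "example" {
        algorithm hmac-sha256;
        secret "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=";
};'''
SAMPLE_AXFR_OUTPUT = """\
f5sg.com.      300  IN  SOA  ns1.f5sg.com. hostmaster.f5sg.com. 2024061701 3600 900 604800 300
f5sg.com.      300  IN  NS   ns1.f5sg.com.
www.f5sg.com.  300  IN  A    192.0.2.10
f5sg.com.      300  IN  SOA  ns1.f5sg.com. hostmaster.f5sg.com. 2024061701 3600 900 604800 300
"""
SAMPLE_REFUSED_OUTPUT = "; Transfer failed.\n"

if __name__ == "__main__":
    with open("/etc/tsig.key") as fh:   # assumption: a copy of the Step 7 key file on this host
        tsig = parse_tsig_key(fh.read())
    signed_ok, unsigned_refused = check_transfer(LISTENER, ZONE, tsig)
    print("signed AXFR complete:  ", signed_ok)
    print("unsigned AXFR refused: ", unsigned_refused)
```

Both results should be True. If the signed transfer fails, check the key name and secret on both sides first (a TSIG name mismatch fails exactly like a wrong secret); if the unsigned transfer succeeds, the zone's TSIG Server Key (Step 6) is not being enforced for that client.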

 

(Optional) Part 2: Configure a BIG-IP DNS Zone for DNSSEC

Assuming you already have a zone configured for DNS zone transfer and you want to enable DNSSEC on it, follow the steps below. BIG-IP signs the zone and includes the resulting DNSSEC records (DNSKEY, RRSIG and NSEC3) in the zone transfer to the secondary; only public key material and signatures are transferred, and the private signing keys never leave BIG-IP.

Step 1: Create automatically-managed zone-signing keys (ZSK)

  1. On the Main tab, DNS > Delivery > Keys > DNSSEC Key List, click Create.
  2. In the Name field, type a name for the key (names are limited to 63 characters).
  3. From the Type list, select Zone Signing Key.
  4. From the State list, select Enabled.
    You can leave the other settings at their defaults and click Finished at this point, or adjust them (for example the rollover and expiration periods) to match your key-management requirements.
  5. Click Finished.

Step 2: Create automatically-managed key-signing keys (KSK)

  1. On the Main tab, DNS > Delivery > Keys > DNSSEC Key List, click Create.
  2. In the Name field, type a name for the key (names are limited to 63 characters).
  3. From the Type list, select Key Signing Key.
  4. From the State list, select Enabled.
    You can leave the other settings at their defaults and click Finished at this point, or adjust them (for example the rollover and expiration periods) to match your key-management requirements.
  5. Click Finished.

Step 3: Creating a DNSSEC zone

  1. On the Main tab, click DNS > Zones > DNSSEC Zones, then click Create.
  2. In the Name field, type a domain name.
    For example, use a zone name of f5sg.com to handle DNSSEC requests for www.f5sg.com and *.www.f5sg.com. To have BIG-IP sign the zone that Part 1 transfers, this name must match the DNS Express zone name exactly (f5sg.com in this example).
  3. From the State list, select Enabled.
  4. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.
    You can associate the same zone-signing key with multiple zones.
  5. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone.
    You can associate the same key-signing key with multiple zones.
  6. Click Finished.

Step 4: Upload generated DS record to parent zone

Provide the DS records for this zone to the organization that manages the parent zone (for a public domain, usually your registrar). The parent's administrators publish the DS record in their zone, signed with their own key, which completes the chain of trust from the parent down to your KSK. You can find the DS records in the Configuration utility. Until the DS is published, validating resolvers treat the zone as insecure rather than bogus; once it is published, a DS that no longer matches the KSK BIG-IP serves (for example after a KSK rollover) makes the whole zone fail validation, so verify the match before and after every KSK change.
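The DS record is a digest over the owner name and the DNSKEY RDATA, so you can recompute it from the DNSKEY that BIG-IP actually serves and compare it with what the parent publishes, instead of trusting a copy-and-paste. The script below is an added example, not part of the original article and not F5 tooling; the key-tag and digest arithmetic follows RFC 4034 Appendix B and RFC 4509. It assumes `dig` is installed, that LISTENER is the BIG-IP listener from Part 1 and PARENT_NS is a resolver or the parent zone's server; the sample DNSKEY at the bottom is constructed, and its public key bytes are dummy values rather than a real ECDSA key.

```python
"""Recompute the DS for the KSK that BIG-IP serves and check it against the
DS the parent zone publishes (Part 2, Step 4).

Added example, not part of the original article or of F5's tooling. Key tag
per RFC 4034 Appendix B, DS digest per RFC 4509 (digest over owner || RDATA)."""
import base64
import hashlib
import struct
import subprocess

LISTENER = "192.0.2.53"     # assumption: BIG-IP DNS listener address (Part 1)
PARENT_NS = "198.51.100.1"  # assumption: a resolver or the parent zone's server
ZONE = "f5sg.com"
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split(".") if l)
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B.1: 16-bit accumulator over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_fields(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """(key_tag, algorithm, digest_type, hex_digest); digest = H(owner_wire || RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_dnskeys(dig_output):
    """Parse 'owner ttl IN DNSKEY flags proto alg key...' lines from dig output."""
    keys = []
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) > 7 and f[3] == "DNSKEY":
            keys.append((f[0], int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
    return keys


def parse_ds(dig_output):
    """Parse 'owner ttl IN DS tag alg dtype digest' lines into the ds_fields shape."""
    ds = set()
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) > 7 and f[3] == "DS":
            ds.add((int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).upper()))
    return ds


def ksk_ds_matches_parent(dnskey_output, parent_ds_output):
    """True if the DS of some KSK (SEP flag set) served by BIG-IP is among the
    DS records the parent publishes, for any digest type the parent uses."""
    published = parse_ds(parent_ds_output)
    for owner, flags, proto, alg, key in parse_dnskeys(dnskey_output):
        if flags & 1:                          # SEP bit: this DNSKEY is a KSK
            for dtype in {d[2] for d in published if d[2] in DIGEST}:
                if ds_fields(owner, flags, proto, alg, key, dtype) in published:
                    return True
    return False


# Constructed sample: a KSK line as dig prints it, with dummy key bytes 01 02 03 04.
SAMPLE_DNSKEY_OUTPUT = "f5sg.com.  300  IN  DNSKEY  257 3 13 AQIDBA==\n"


def sample_parent_ds_output():
    """Constructed parent answer that publishes the DS for the sample KSK."""
    tag, alg, dtype, digest = ds_fields("f5sg.com.", 257, 3, 13, "AQIDBA==")
    return "f5sg.com.  3600  IN  DS  %d %d %d %s\n" % (tag, alg, dtype, digest)


if __name__ == "__main__":
    def dig(server, rrtype):
        return subprocess.run(["dig", "+noall", "+answer", "@" + server, ZONE, rrtype],
                              capture_output=True, text=True, check=False).stdout
    served = dig(LISTENER, "DNSKEY")
    print("DS records for the KSKs BIG-IP serves:")
    for owner, flags, proto, alg, key in parse_dnskeys(served):
        if flags & 1:
            print("  %s IN DS %d %d %d %s" % ((owner,) + ds_fields(owner, flags, proto, alg, key)))
    print("parent publishes a matching DS:", ksk_ds_matches_parent(served, dig(PARENT_NS, "DS")))
```

Compare the printed DS lines with the ones shown in the Configuration utility before handing them to the parent; the final line should turn True once the parent has published the record and its TTL has allowed the change to propagate.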

Published Jun 17, 2024
Version 1.0