
Use case: Configure the automatic DNSSEC key management on GSLB deployment

Perform the following steps to enable automatic key rollover on a GSLB site. If you also want a secondary DNS server that carries a copy of the DNS configuration and the DNS keys, make sure the following are in place first:

  • Basic GSLB sites
  • License for GSLB
  • Firewall policies

Note

Once the setup is complete, the primary GSLB site performs the key rollover operations and synchronizes the result to the subordinate sites.

In this example, we have used the following details:

  • Domain name: example.com
  • Origin Server: nameserver1.example.com
  • NameServer: nameserver2.example.com
  • Contact: admin.example.com
  • Keys: Key1 for the ZSK and Key2 for the KSK

  1. Enable the automaticConfigSync and gslbsyncsaveConfig GSLB parameters.

    At the command prompt, type:

    set gslb parameter -automaticConfigSync enabled -gslbsyncsaveConfig enabled
    Warning: The Saveconfig command might not get applied to GSLB sites that are down during the sync operation, so it is recommended to apply saveconfig on the master node again when down GSLB site comes up.
    Done

  2. Enable DNS zone transfer in the DNS parameters.

    At the command prompt, type:

    set dns parameter -zoneTransfer ENABLED
    Done

  3. Create the SOA and NS records (the record name must be the same as the zone name).

    At the command prompt, type:

    add dns soaRec example.com -originServer nameserver1.example.com -contact admin.example.com
    Done
    add dns nsrec example.com nameserver2.example.com
    Done

  4. Create the DNS zone. Set proxy mode to No, because the appliance is authoritative for this zone.

    add dns zone example.com -proxyMode no

  5. Create the DNS keys.

    Note:

    Each create dns key command writes three files to the appliance, named from the given file name prefix: <prefix>.private (the private key), <prefix>.key (the public DNSKEY record) and <prefix>.ds (the DS record to hand to the parent zone). The example uses 1024-bit RSA keys; 1024-bit RSA is no longer considered adequate, so use at least 2048 bits in production.

    create dns key -zoneName example.com -fileNamePrefix Key1.zsk -keytype zsk -keysize 1024 -algorithm RSASHA256
    create dns key -zoneName example.com -fileNamePrefix Key2.ksk -keytype ksk -keysize 1024 -algorithm RSASHA256

  6. Publish the keys in the zone.

    Note:

    Enable the automatic rollover option and specify the key lifetime (-expires) and the notification period, both in days. The command warns that the key is not yet active: rollover only runs for an activated key, and a key is activated by signing the zone in the next step.

    add dns key Key1.zsk Key1.zsk.key Key1.zsk.private -autoRollover ENABLED -expires 30 days -notificationPeriod 7 days -rolloverMethod DoubleSignature
    Warning: The key should be in an activated state for rollover. Please use sign DNS zone operation to activate the key
    Done
    add dns key Key2.ksk Key2.ksk.key Key2.ksk.private -autoRollover ENABLED -expires 120 days -notificationPeriod 15 days -rolloverMethod DoubleRRSet
    Warning: The key should be in an activated state for rollover. Please use sign DNS zone operation to activate the key
    Done

  7. Activate the keys by signing the zone.

    sign dns zone example.com -keyName Key1.zsk Key2.ksk

  8. Enable the auto-save key option in the DNS parameters, so that keys created by a rollover are saved automatically.

    set dns parameter -autosaveKeyOps enabled

  9. Run the show dns key command. The output lists the following details for each key:

    • Key state - The state of an existing key. A key must be Activated before automatic rollover can operate on it.
    • Expires - The key lifetime in days; the deactivation time is the activation time plus this lifetime.
    • Notification period - The number of days before the key expires at which a notification is sent. If automatic rollover is enabled, the successor key is created at this point before expiry.
    • Key Tag - Unique identifier for a key.
    • Automatic rollover status - The current state of the automatic rollover.
    • Rollover method - Rollover method for the specified key.

    The sample output below is for a zone named test1.com with keys named test1.zsk and test1.ksk; for the zone configured above the names are example.com, Key1.zsk and Key2.ksk.

    show dns key
    1)  Key Name: test1.zsk
        Key Tag: 33216
        Key Type: ZSK
        Zone Name: test1.com
        Key State: Activated
        Expires: 30 DAYS
        Notification: 7 DAYS
        TTL: 5
        Automatic Rollover: ENABLED
        Rollover Method: DoubleSignature
        Public Key File: test1.zsk.key
        Private Key File: test1.zsk.private
        Create Time: Wed Oct 11 04:30:40 2023
        Activation Time: Wed Oct 11 04:32:05 2023
        Deactivation Time: Fri Nov 10 04:31:05 2023
        Deletion Time: Fri Nov 10 04:33:05 2023
    2)  Key Name: test1.ksk
        Key Tag: 5554
        Key Type: KSK
        Zone Name: test1.com
        Key State: Activated
        Expires: 120 DAYS
        Notification: 15 DAYS
        TTL: 5
        Automatic Rollover: ENABLED
        Rollover Method: DoubleRRSet
        Public Key File: test1.ksk.key
        Private Key File: test1.ksk.private
        Create Time: Wed Oct 11 04:31:44 2023
        Activation Time: Wed Oct 11 04:32:05 2023
        Deactivation Time: Thu Feb 8 04:31:05 2024
        Deletion Time: Thu Feb 8 04:33:05 2024
    Done
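After the procedure above, the thing worth automating is the check in the last step: confirming from the show dns key output that every zone has an activated ZSK and KSK, that automatic rollover is enabled on each, that the notification period is shorter than the key lifetime, that the deactivation time really is activation time plus the lifetime, and that no key is already inside its notification window without a successor. The following Python audit script is an added example, not Citrix code and not part of the original page. It parses the output format shown above; the sample text is constructed (abridged from the page's listing, with the fields the audit does not read omitted), the second sample is a deliberately misconfigured variant, and the "current time" used for the window checks is an assumed constant.

```python
"""Audit 'show dns key' output from a NetScaler ADC for DNSSEC auto-rollover
readiness.  Added example, not Citrix code: the samples are constructed and
nothing is fetched from an appliance."""
import re
from datetime import datetime, timedelta

TIME_FMT = "%a %b %d %H:%M:%S %Y"      # e.g. "Wed Oct 11 04:30:40 2023"
AS_OF = datetime(2023, 10, 12)          # assumed "current" time for the window checks

# Constructed sample, abridged from the page's listing: one ZSK and one KSK.
SAMPLE_OK = """\
1)  Key Name: test1.zsk
    Key Tag: 33216
    Key Type: ZSK
    Zone Name: test1.com
    Key State: Activated
    Expires: 30 DAYS
    Notification: 7 DAYS
    Automatic Rollover: ENABLED
    Rollover Method: DoubleSignature
    Activation Time: Wed Oct 11 04:32:05 2023
    Deactivation Time: Fri Nov 10 04:31:05 2023
2)  Key Name: test1.ksk
    Key Tag: 5554
    Key Type: KSK
    Zone Name: test1.com
    Key State: Activated
    Expires: 120 DAYS
    Notification: 15 DAYS
    Automatic Rollover: ENABLED
    Rollover Method: DoubleRRSet
    Activation Time: Wed Oct 11 04:32:05 2023
    Deactivation Time: Thu Feb 8 04:31:05 2024
 Done
"""

# Constructed misconfigured sample: only the ZSK, rollover disabled and a
# notification period longer than the key lifetime.
SAMPLE_BAD = (SAMPLE_OK.split("2)")[0]
              .replace("ENABLED", "DISABLED")
              .replace("Notification: 7 DAYS", "Notification: 45 DAYS"))


def parse_show_dns_key(text):
    """Split 'show dns key' output into one dict of field -> value per key."""
    keys, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\d+\)\s*(.*)", line)
        if m:                       # "1)  Key Name: ..." starts a new entry
            cur = {}
            keys.append(cur)
            line = m.group(1)
        if cur is None or ":" not in line:
            continue                # "Done" and anything before the first entry
        field, _, value = line.partition(":")
        cur[field.strip()] = " ".join(value.split())
    return keys


def _days(value):                   # "30 DAYS" -> 30
    return int(value.split()[0])


def audit(text, now=AS_OF):
    """Return a list of findings; an empty list means the keys are rollover-ready."""
    findings, zone_types = [], {}
    for k in parse_show_dns_key(text):
        name, zone = k["Key Name"], k["Zone Name"]
        zone_types.setdefault(zone, set())
        if k["Key State"] != "Activated":
            findings.append(f"{name}: state is {k['Key State']}; run 'sign dns zone' to activate it")
        else:
            zone_types[zone].add(k["Key Type"])
        if k["Automatic Rollover"] != "ENABLED":
            findings.append(f"{name}: automatic rollover is {k['Automatic Rollover']}")
        expires, notify = _days(k["Expires"]), _days(k["Notification"])
        if notify >= expires:
            findings.append(f"{name}: notification period {notify}d is not shorter than lifetime {expires}d")
        act = datetime.strptime(k["Activation Time"], TIME_FMT)
        deact = datetime.strptime(k["Deactivation Time"], TIME_FMT)
        if abs((deact - act) - timedelta(days=expires)) > timedelta(days=1):
            findings.append(f"{name}: deactivation time does not match Expires ({expires} days)")
        if now >= deact:
            findings.append(f"{name}: deactivation time {deact:%Y-%m-%d} has passed")
        elif now >= deact - timedelta(days=notify):
            findings.append(f"{name}: inside the notification window, a successor key should already exist")
    for zone, types in zone_types.items():
        for needed in ("ZSK", "KSK"):
            if needed not in types:
                findings.append(f"{zone}: no activated {needed}")
    return findings


if __name__ == "__main__":
    for label, sample in (("page sample", SAMPLE_OK), ("misconfigured", SAMPLE_BAD)):
        print(label, "->", audit(sample) or "no findings")
```

On the page's sample the audit returns no findings; on the misconfigured variant it reports the disabled rollover, the notification period that is not shorter than the lifetime, the key already sitting inside its notification window, and the zone with no activated KSK. Feeding it real output (for example, captured over SSH from the primary GSLB site) is the natural follow-up check after step 9.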