
Use case: Configure the automatic DNSSEC key management on GSLB deployment

Perform the following steps to enable the auto rollover feature on a GSLB site. If you also want a secondary DNS resolver that duplicates the DNS configuration and the DNS keys, make sure the following are in place before you start:

  • Basic GSLB sites
  • License for GSLB
  • Firewall policies

Note

Once the setup is complete, the primary (master) GSLB site performs the key rollover operations and synchronizes the resulting configuration and keys to the subordinate sites.

In this example, we have used the following details:

  • Domain name: example.com
  • Origin Server: nameserver1.example.com
  • NameServer: nameserver2.example.com
  • Contact: admin.example.com
  • Keys: Key1.zsk (ZSK) and Key2.ksk (KSK)

  1. Enable the automaticConfigSync and gslbsyncsaveConfig GSLB parameters.

    At the command prompt, type:

    set gslb parameter -automaticConfigSync ENABLED -gslbsyncsaveConfig ENABLED

    Warning: The saveconfig command might not be applied to GSLB sites that are down during the sync operation. Run saveconfig on the master node again once a down GSLB site comes back up.
    Done
    <!--NeedCopy-->
  2. Enable DNS zone transfer in the DNS parameters.

    At the command prompt, type:

    set dns parameter -zoneTransfer ENABLED
    Done
    <!--NeedCopy-->
    
  3. Create the SOA and NS records. The record name must be the same as the zone name.

    At the command prompt, type:

    add dns soaRec example.com -originServer nameserver1.example.com -contact admin.example.com
    Done
    add dns nsrec example.com nameserver2.example.com
    Done
    <!--NeedCopy-->
    
  4. Create the DNS zone. Set proxy mode to NO, which makes the ADC authoritative for the zone instead of proxying it; only an authoritative zone can be signed.

    add dns zone example.com -proxyMode no
    <!--NeedCopy-->
    
  5. Create the DNS keys.

    Note:

    Each command creates three files on the system named after the file name prefix, with the extensions .private (private key), .key (public key) and .ds (DS record for the parent zone). The 1024-bit RSA keys below are only for illustration; for production use a larger key size (2048 bits is the usual minimum for RSASHA256).

    create dns key -zoneName example.com -fileNamePrefix Key1.zsk -keytype zsk -keysize 1024 -algorithm RSASHA256
    create dns key -zoneName example.com -fileNamePrefix Key2.ksk -keytype ksk -keysize 1024 -algorithm RSASHA256
    <!--NeedCopy-->
    
  6. Publish the keys in the zone.

    Note:

    Enable the automatic rollover option and specify the key lifetime (expires, in days) together with the notification period, the number of days before expiry at which the successor key is created. The notification period must be long enough for the new key to propagate before the old one is deactivated, and for a KSK that includes publishing the new DS record in the parent zone, which is outside this procedure. A warning is displayed because the key is not yet activated; activation happens when the zone is signed in the next step.

    add dns key Key1.zsk Key1.zsk.key Key1.zsk.private -autoRollover ENABLED -expires 30 days -notificationPeriod 7 days -rolloverMethod doublesignature

    Warning: The key should be in an activated state for rollover. Please use sign DNS zone operation to activate the key
    Done

    add dns key Key2.ksk Key2.ksk.key Key2.ksk.private -autoRollover ENABLED -expires 120 days -notificationPeriod 15 days -rolloverMethod doublerrSet

    Warning: The key should be in an activated state for rollover. Please use sign DNS zone operation to activate the key
    Done
    <!--NeedCopy-->
    
  7. Activate the keys by signing the zone.

    sign dns zone example.com -keyName Key1.zsk Key2.ksk
    <!--NeedCopy-->
    
  8. Enable the auto-save key option in the DNS parameters, so that keys created by automatic rollover are saved without a manual save.

    set dns parameter -autosaveKeyOps ENABLED
    <!--NeedCopy-->
    
  9. Run the show dns key command to verify the result. The output lists the following details for each key:

    • Key state - The state of the key. A key that is to be rolled over must be Activated.
    • Expiry date - The lifetime of the current key, and the deactivation and deletion times derived from it.
    • Notification period - The number of days before expiry at which a notification is sent. When auto rollover is enabled, the successor key is created at this point.
    • Key Tag - Unique identifier for the key, as carried in the RRSIG and DS records.
    • Automatic rollover status - Whether automatic rollover is enabled for the key.
    • Rollover method - The rollover method configured for the key.

    The sample output below was taken from a zone named test1.com with keys test1.zsk and test1.ksk; with the configuration above the zone and key names are example.com, Key1.zsk and Key2.ksk.

    show dns key

    1)    Key Name: test1.zsk    Key Tag: 33216   Key Type: ZSK
          Zone Name: test1.com   Key State: Activated
          Expires: 30 DAYS Notification: 7 DAYS   TTL: 5
          Automatic Rollover: ENABLED  Rollover Method: DoubleSignature
          Public Key File: test1.zsk.key
          Private Key File: test1.zsk.private
          Create Time: Wed Oct 11 04:30:40 2023
          Activation Time: Wed Oct 11 04:32:05 2023
          Deactivation Time: Fri Nov 10 04:31:05 2023
          Deletion Time: Fri Nov 10 04:33:05 2023
    2)    Key Name: test1.ksk    Key Tag: 5554    Key Type: KSK
          Zone Name: test1.com   Key State: Activated
          Expires: 120 DAYS Notification: 15 DAYS  TTL: 5
          Automatic Rollover: ENABLED  Rollover Method: DoubleRRSet
          Public Key File: test1.ksk.key
          Private Key File: test1.ksk.private
          Create Time: Wed Oct 11 04:31:44 2023
          Activation Time: Wed Oct 11 04:32:05 2023
          Deactivation Time: Thu Feb  8 04:31:05 2024
          Deletion Time: Thu Feb  8 04:33:05 2024
    Done
    <!--NeedCopy-->
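The following Python script is an added example and not part of the product or of this article. It parses a `show dns key` listing of the form shown above (embedded here as a constructed string copied from the sample output so that it runs offline; in practice you would capture the listing over SSH) and flags keys that are not Activated, have automatic rollover disabled, or are already inside their notification window without a successor key of the same type in the same zone. The field labels and the timestamp format are taken from the sample output; the function names, the `audit` helper and the "as of" timestamp are the example's own assumptions.

```python
"""Audit a Citrix ADC `show dns key` listing for DNSSEC keys that need attention.

Added example, not product code.  Checks: key state, automatic rollover flag,
and keys inside their notification window that have no successor published.
"""
import re
from datetime import datetime

# Constructed sample: copied from the page's `show dns key` output so the
# script runs offline.  Capture the real listing from the ADC in practice.
SAMPLE_OUTPUT = """\
1)    Key Name: test1.zsk    Key Tag: 33216   Key Type: ZSK
      Zone Name: test1.com   Key State: Activated
      Expires: 30 DAYS Notification: 7 DAYS   TTL: 5
      Automatic Rollover: ENABLED  Rollover Method: DoubleSignature
      Public Key File: test1.zsk.key
      Private Key File: test1.zsk.private
      Create Time: Wed Oct 11 04:30:40 2023
      Activation Time: Wed Oct 11 04:32:05 2023
      Deactivation Time: Fri Nov 10 04:31:05 2023
      Deletion Time: Fri Nov 10 04:33:05 2023
2)    Key Name: test1.ksk    Key Tag: 5554    Key Type: KSK
      Zone Name: test1.com   Key State: Activated
      Expires: 120 DAYS Notification: 15 DAYS  TTL: 5
      Automatic Rollover: ENABLED  Rollover Method: DoubleRRSet
      Public Key File: test1.ksk.key
      Private Key File: test1.ksk.private
      Create Time: Wed Oct 11 04:31:44 2023
      Activation Time: Wed Oct 11 04:32:05 2023
      Deactivation Time: Thu Feb  8 04:31:05 2024
      Deletion Time: Thu Feb  8 04:33:05 2024
Done
"""

# Timestamp format used by the CLI, e.g. "Fri Nov 10 04:31:05 2023".
TIME_FMT = "%a %b %d %H:%M:%S %Y"

# Field labels as they appear in the listing; several fields share one line,
# so lines are split on these labels rather than on whitespace.
LABELS = ["Key Name", "Key Tag", "Key Type", "Zone Name", "Key State",
          "Expires", "Notification", "TTL", "Automatic Rollover",
          "Rollover Method", "Public Key File", "Private Key File",
          "Create Time", "Activation Time", "Deactivation Time",
          "Deletion Time"]
LABEL_RE = re.compile(r"(" + "|".join(LABELS) + r"): ")


def parse_show_dns_key(text):
    """Return one dict of label -> value per key record in the listing."""
    keys, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "Done":
            continue
        numbered = re.match(r"\d+\)\s+(.*)", line)
        if numbered:                      # "1)" starts a new key record
            current = {}
            keys.append(current)
            line = numbered.group(1)
        if current is None:
            continue
        # re.split with a capturing group yields ['', label, value, label, ...]
        parts = LABEL_RE.split(line)
        for label, value in zip(parts[1::2], parts[2::2]):
            current[label] = value.strip()
    return keys


def days_until(timestamp, now):
    """Whole days from `now` until a CLI timestamp (negative if in the past)."""
    return (datetime.strptime(timestamp, TIME_FMT) - now).days


def check_keys(keys, now):
    """Return (key name, problem) pairs for keys that need operator attention."""
    findings = []
    for k in keys:
        name = k["Key Name"]
        if k.get("Key State") != "Activated":
            findings.append((name, "state is %s, not Activated; sign the zone"
                             % k.get("Key State")))
        if k.get("Automatic Rollover", "").upper() != "ENABLED":
            findings.append((name, "automatic rollover is not enabled"))
        left = days_until(k["Deactivation Time"], now)
        notify_days = int(k["Notification"].split()[0])   # "7 DAYS" -> 7
        if left < 0:
            findings.append((name, "deactivated %d days ago" % -left))
        elif left <= notify_days:
            # Inside the notification window a successor of the same type
            # for the same zone should already exist with a later deactivation.
            successor = any(
                s is not k
                and s.get("Zone Name") == k.get("Zone Name")
                and s.get("Key Type") == k.get("Key Type")
                and days_until(s["Deactivation Time"], now) > left
                for s in keys)
            if not successor:
                findings.append((name, "%d days to deactivation, no successor %s published"
                                 % (left, k.get("Key Type"))))
    return findings


def audit(text, now_text):
    """Parse a listing and audit it as of `now_text` (same format as the CLI)."""
    return check_keys(parse_show_dns_key(text), datetime.strptime(now_text, TIME_FMT))


if __name__ == "__main__":
    # Evaluated five days before the sample ZSK deactivates, i.e. inside its
    # 7-day notification window, which flags the missing successor key.
    for name, problem in audit(SAMPLE_OUTPUT, "Sun Nov 05 12:00:00 2023"):
        print("%s: %s" % (name, problem))
```

Run it against a fresh listing on a schedule; a key reported inside its window with no successor means the automatic rollover has not produced the new key on this node, which is exactly the situation the warning in step 1 describes for a site that was down during the sync.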
    