Configure DNSSEC
- Last Updated: October 10, 2024
Before you can configure DNSSEC, a zone must be defined. To define a zone, go to Global Balancing > Miscellaneous Params and specify a Zone Name.
After the zone name is defined, the Key Signing Keys (KSKs) must be configured. There are two ways to do this:
- Import the KSK files by clicking Import and browsing to the file locations.
- Generate the KSK files by clicking Generate.
If you have GEO partners and want to use DNSSEC, you must generate the KSK files outside of the LoadMaster using the BIND dnssec-keygen command and import them onto each GEO partner separately, for example:
dnssec-keygen -a RSASHA256 -f KSK -b 2048 -n ZONE <zone_name>
Then, import the generated KSK files onto each GEO LoadMaster separately.
On the generate screen, select the cryptographic Algorithm and Key Size.
The following algorithms are supported:
- NSEC3RSASHA1
- RSASHA256
- RSASHA512
The default is RSASHA256.
The supported key sizes are 1024, 2048 and 4096 bits. The default is 2048.
After the KSK files have been generated/imported, the DNSSEC screen shows the KSK details and gives you an option to delete the KSK files.
The final step is to enable DNSSEC by selecting the check box.
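A pre-import check for the public key file (K<zone_name>.+<alg>+<tag>.key) that dnssec-keygen writes, as an added example that is not LoadMaster or Progress code: it confirms the record is a KSK, that its algorithm and RSA key size match the lists above, and computes the key tag. It assumes the import accepts the same algorithms and key sizes as the Generate screen; the algorithm numbers 7, 8 and 10 are the IANA values for the three listed names, and the sample key is constructed.

```python
import base64
import struct

# IANA DNSSEC algorithm numbers for the algorithms the page lists.
SUPPORTED_ALGS = {7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512"}
SUPPORTED_BITS = {1024, 2048, 4096}

def parse_dnskey(line):
    """Split one DNSKEY line from a K*.key file into (flags, alg, key bytes)."""
    fields = line.split(";")[0].split()
    i = fields.index("DNSKEY")
    flags, protocol, alg = (int(x) for x in fields[i + 1:i + 4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    return flags, alg, base64.b64decode("".join(fields[i + 4:]))

def rsa_modulus_bits(pubkey):
    """RFC 3110 layout: exponent length (1 or 3 bytes), exponent, modulus."""
    if pubkey[0]:
        exp_len, off = pubkey[0], 1
    else:
        exp_len, off = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def key_tag(flags, alg, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, 3, alg) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def check_ksk(line):
    """Return (problems, key tag) for a key about to be imported."""
    flags, alg, pubkey = parse_dnskey(line)
    problems = []
    if flags != 257:
        problems.append(f"flags {flags}: not a KSK (expected 257, generate with -f KSK)")
    if alg not in SUPPORTED_ALGS:
        problems.append(f"algorithm {alg} is not in the supported list")
    elif rsa_modulus_bits(pubkey) not in SUPPORTED_BITS:
        problems.append(f"{rsa_modulus_bits(pubkey)}-bit key size is not supported")
    return problems, key_tag(flags, alg, pubkey)

# Constructed sample (not a real key): exponent 65537 and a 2048-bit filler modulus.
SAMPLE_PUB = b"\x03\x01\x00\x01" + b"\xc3" + b"\x5a" * 255
SAMPLE = "example.com. IN DNSKEY 257 3 8 " + base64.b64encode(SAMPLE_PUB).decode()

if __name__ == "__main__":
    print(check_ksk(SAMPLE))
```

The key tag should match the number at the end of the file name dnssec-keygen produced; a different tag on another GEO partner's copy means that partner was given a different key.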