Configure DNSSEC
- Last Updated: November 12, 2025
DNSSEC verification of signed responses was included in the DNS client in LoadMaster firmware version 7.1.34.
DNSSEC digital signing (2K key) support for DNS responses was added to the GSLB LoadMaster in firmware version 7.2.37.
DNSSEC helps protect against cache poisoning using a set of extensions that provide origin authentication of DNS data, data integrity, and authenticated denial of existence. DNSSEC provides a mechanism to sign DNS data and prove the validity of the records in a given zone, and it does this through a process called zone signing.
DNSSEC adds four new resource record types:
- Resource Record Signature (RRSIG)
- DNS Public Key (DNSKEY)
- Delegation Signer (DS)
- Next Secure (NSEC)
These resource record types are described in RFC 4034.
There are also two new DNS header flags, which are:
- Checking Disabled (CD)
- Authenticated Data (AD)
Before configuring DNSSEC, a zone must be defined. You can configure the zone settings in the Global Balancing > Miscellaneous Params screen of the WUI. For further details on the Miscellaneous Params screen, refer to the GEO Miscellaneous Params section. A zone is a single unique part of a DNS namespace hierarchy that serves as the authoritative source for information about a select set of DNS domain names.
To group FQDNs within a zone, each FQDN must be a sub-domain of the zone. Otherwise, each FQDN defines its own zone.
To define a zone, go to Global Balancing > Miscellaneous Params and specify a Zone Name.
To enable DNSSEC in the LoadMaster, follow the steps below:
- Go to Global Balancing > Configure DNSSEC to configure the DNSSEC options.
- You can either import the Key Signing Keys (KSKs) or generate them. To import them, click Import, then browse to and select the files. If generating, go to the next step.
Note: A KSK is a type of DNSKEY that is used to sign the keys contained within a DNS zone and is used by validating resolvers. The KSK also signs the Zone Signing Key (ZSK).
Note: If you have GEO partners and want to use DNSSEC, you must generate the KSK files outside of the LoadMaster using the BIND dnssec-keygen command and import them onto each GEO partner separately, for example:
dnssec-keygen -a RSASHA256 -f KSK -b 2048 -n ZONE <zone_name>
Then, import the generated KSK files onto each GEO LoadMaster separately.
- If generating the KSKs, click Generate. Select the Algorithm and Key Size and click Generate.
- The KSK details are displayed.
- Select the Enable DNSSEC check box.
There is no user interface for ZSK files. A ZSK is used to generate Resource Record Signatures (RRSIG) for each set of resource records in a zone and sign these records. GEO creates the ZSK files automatically when DNSSEC is enabled. The same algorithm is used as specified for the KSK files. A key size of 1024 is used. If DNSSEC is disabled, the KSK files are deleted.
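As an added example (not code from the LoadMaster documentation or product), the following Python check can be run on a dnssec-keygen .key file before it is imported onto each GEO partner: it confirms the key is a KSK (flags 257, the ZONE and SEP bits) using RSASHA256 (algorithm 8), recomputes the RFC 4034 key tag from the key data, and checks it against the BIND file name convention K<zone>+<alg>+<tag>.key. The sample file and its 4-byte key are constructed for illustration and are not a real RSA key.

```python
import base64
import struct

KSK_FLAGS = 257   # ZONE (256) + SEP (1) bits: a Key Signing Key (RFC 4034)
RSASHA256 = 8     # DNSKEY algorithm number for RSASHA256
# Constructed sample of a dnssec-keygen .key file; the 4-byte key is NOT a real RSA key.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 2063, for example.com. (constructed sample)
example.com. IN DNSKEY 257 3 8 AQIDBA==
"""

def parse_dnskey_file(text):
    """Return (owner, flags, protocol, algorithm, key_bytes) from .key file text."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";") or "DNSKEY" not in tokens:
            continue  # skip blanks and the ';' comment lines dnssec-keygen writes
        i = tokens.index("DNSKEY")  # tolerates an optional TTL before IN
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        return tokens[0], flags, proto, alg, base64.b64decode("".join(tokens[i + 4:]))
    raise ValueError("no DNSKEY record found")

def dnskey_rdata(flags, proto, alg, key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the number in the dnssec-keygen file name)."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def check_ksk_file(filename, text):
    """Return (key_tag, problems) for a .key file about to be imported as a KSK."""
    owner, flags, proto, alg, key = parse_dnskey_file(text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    tag, problems = key_tag(rdata), []
    if flags != KSK_FLAGS:
        problems.append(f"flags {flags}: not a KSK (expected {KSK_FLAGS})")
    if alg != RSASHA256:
        problems.append(f"algorithm {alg}: expected RSASHA256 ({RSASHA256})")
    expected = f"K{owner}+{alg:03d}+{tag:05d}.key"  # BIND naming: K<zone>+<alg>+<tag>.key
    if filename != expected:
        problems.append(f"file name {filename} does not match computed {expected}")
    return tag, problems

if __name__ == "__main__":
    print(check_ksk_file("Kexample.com.+008+02063.key", SAMPLE_KEY_FILE))
```

A non-empty problems list means the file should not be imported: either it is a ZSK rather than a KSK, it was generated with a different algorithm than the one the LoadMaster expects, or the file was renamed or corrupted in transit between partners.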