/cfg/slb/gslb/dnssec
GSLB DNSSEC Menu
The Domain Name System Security Extensions (DNSSEC) add authentication to Alteon's DNS service to defend the DNS protocol against known DNS threats. DNSSEC digitally signs the records returned by a DNS lookup using public-key cryptography. The correct DNSKEY record is authenticated through a chain of trust that starts with a set of verified public keys for the DNS root zone, which acts as the trusted third party. When DNSSEC is used, each answer to a DNS lookup contains an RRSIG record in addition to the requested record type. The RRSIG record is a digital signature over the DNS resource record set (RRset) in the answer. The signature is verified by locating the matching public key in a DNSKEY record, and the DNSKEY record itself is authenticated along the chain of trust during the lookup.
To allow keys to be replaced, a key rollover procedure is used: new keys are published in new DNSKEY records alongside the existing old keys.
For authentication purposes, Alteon uses two different kinds of keys, each carried in its own DNSKEY records. Key Signing Keys (KSKs) are used to sign the Zone Signing Keys (ZSKs) and are exported (publicly) to the parent DNS zone. ZSKs are used to sign the DNS resource records (RRs). Because the ZSKs are controlled and used by one specific DNS zone, they can be switched more easily and more frequently. RFC 4614 recommends changing ZSKs on a monthly basis, which allows them to be shorter in bit length (for example, 1024). The KSK validity period is usually one year, and a KSK needs a higher bit length (for example, 2048), making it harder to forge. When a new KSK is created, the delegation signer (DS) record must be transferred to the parent zone, where it must be signed and published.
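The KSK-to-parent link described above is easy to get wrong operationally (a DS published at the parent that does not correspond to the KSK the child actually serves breaks validation for the whole zone). The following Python, added here as an illustration and not Alteon code, shows the arithmetic behind that link as standardized in RFC 4034 and RFC 4509: the DNSKEY flag bits that distinguish a KSK (257) from a ZSK (256), the key tag, the DS digest over the owner name plus DNSKEY RDATA, and the check a validator performs at the delegation. The zone name and key bytes are constructed sample values, not a real key.

```python
import hashlib

# Real constants from RFC 4034 (DNSKEY flags/protocol) and RFC 4509 (DS digest type).
FLAG_ZONE_KEY = 0x0100      # DNSKEY flags bit 7: the key is a zone key
FLAG_SEP = 0x0001           # DNSKEY flags bit 15: Secure Entry Point, set on a KSK
DNSKEY_PROTOCOL = 3         # always 3 for DNSSEC
ALG_RSASHA256 = 8           # IANA DNSSEC algorithm number for RSA/SHA-256
DS_DIGEST_SHA256 = 2        # DS digest type 2 = SHA-256


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key octets."""
    return flags.to_bytes(2, "big") + bytes([DNSKEY_PROTOCOL, algorithm]) + public_key


def is_ksk(rdata: bytes) -> bool:
    """A KSK carries both the zone-key and the SEP flag (flags value 257); a ZSK only 256."""
    flags = int.from_bytes(rdata[:2], "big")
    return flags & (FLAG_ZONE_KEY | FLAG_SEP) == (FLAG_ZONE_KEY | FLAG_SEP)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += (octet << 8) if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = DS_DIGEST_SHA256) -> tuple:
    """DS RDATA fields (key tag, algorithm, digest type, digest hex) that the child
    zone hands to its parent for the KSK in `rdata`.
    digest = SHA-256(owner name in canonical wire form || DNSKEY RDATA)."""
    if digest_type != DS_DIGEST_SHA256:
        raise ValueError("only DS digest type 2 (SHA-256) is implemented here")
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    algorithm = rdata[3]
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(parent_ds: tuple, owner: str, child_rdata: bytes) -> bool:
    """What a validator does at the delegation: recompute the DS from the DNSKEY
    the child serves and compare it with the DS published by the parent."""
    return parent_ds == ds_record(owner, child_rdata, parent_ds[2])


# Constructed sample material (not a real RSA key; the DS/key-tag arithmetic
# does not depend on the key's contents).
SAMPLE_ZONE = "gslb.example"
SAMPLE_KSK_PUBKEY = bytes(range(1, 65))
KSK_RDATA = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, ALG_RSASHA256, SAMPLE_KSK_PUBKEY)
ZSK_RDATA = dnskey_rdata(FLAG_ZONE_KEY, ALG_RSASHA256, SAMPLE_KSK_PUBKEY[::-1])

if __name__ == "__main__":
    ds = ds_record(SAMPLE_ZONE, KSK_RDATA)
    print("DS to publish at the parent:", ds)
    print("parent DS matches served KSK:", ds_matches_dnskey(ds, SAMPLE_ZONE, KSK_RDATA))
    # After a KSK rollover the old DS no longer matches the new key:
    print("old DS matches a different key:", ds_matches_dnskey(ds, SAMPLE_ZONE, ZSK_RDATA))
```

The last two lines are the operational check worth automating around a KSK rollover: fetch the DS set the parent publishes and confirm that at least one DS recomputes from the KSK the zone is currently serving; if none does, the parent has not yet published the new DS (or published it for the wrong key) and validating resolvers will fail the zone.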
When GSLB is used with DNSSEC enabled, the remote site configuration must be identical on all Alteons participating in the GSLB configuration (/cfg/slb/gslb/site x).
For GSLB sites to synchronize between Alteon peers, the passphrase for Alteon synchronization must be set (/cfg/slb/sync/passphrs). Failing to set the passphrase generates an error message.
Note: Ensure that the time and date are configured correctly on all Alteons in the GSLB configuration. Radware recommends that you set the time and date using NTP.
    [DNSSEC for Global SLB Menu]
         key       - DNSSEC signing keys (ZSK/KSK) menu
         zonekey   - DNS Zone name to DNSSEC KSK/ZSK association menu
         rolltm    - Set automatic rollover Phase timer
         kskrollt  - Set KSK Rollover Phase Timer
         nsec      - Set NSEC answer type
         nsec3sln  - Set NSEC3 salt length
         nsec3slt  - Set NSEC3 salt lifetime
         nsec3hash - Set NSEC3 hash algorithm
         nsec3hit  - Set NSEC3 hash algorithm iterations
         keymastr  - Key master for VRRP configurations
         alert     - Send DNSSEC Alerts in email
         useremail - Set SMTP server user name
         import    - Import signing keys (ZSKs and KSK)
         export    - Export signing keys (ZSKs and KSK) for a zone
         on        - Globally turn DNSSEC ON
         off       - Globally turn DNSSEC OFF
         cur       - Display current DNSSEC configuration
Global SLB DNSSEC Menu (/cfg/slb/gslb/dnssec)

Command Syntax and Usage

| Command | Usage |
|---|---|
| key | Displays the DNSSEC Key menu. To view this menu, see /cfg/slb/gslb/dnssec/key DNSSEC Key Menu. Default: enable |
| zonekey | Displays the DNS Zone name to DNSSEC KSK/ZSK association menu. To view this menu, see /cfg/slb/gslb/dnssec/zonekey GSLB DNSSEC Zone to Key Menu. |
| rolltm | Sets the automatic rollover phase timer. |
| kskrollt | Sets the KSK rollover phase timer. |
| nsec nsec\|nsec3 | Sets the NSEC answer type (nsec or nsec3). |
| nsec3sln | Sets the NSEC3 salt length. |
| nsec3slt | Sets the NSEC3 salt lifetime. |
| nsec3hash | Sets the NSEC3 hash algorithm. Options are: sha1 or sha256. |
| nsec3hit | Sets the NSEC3 hash algorithm iterations. |
| keymastr | Enables or disables the key master for VRRP configurations. When the key master is enabled, this Alteon initiates DNSSEC key rollover processes in VRRP scenarios. |
| alert | Enables sending DNSSEC alerts by e-mail. |
| useremail | Sets the SMTP user name of the user to whom the system sends e-mail via the SMTP server configured in the /cfg/slb/gslb menu. |
| import | Imports the signing keys (ZSKs and KSK). |
| export | Exports the signing keys (ZSKs and KSK) for a zone. |
| on | Turns DNSSEC on globally. |
| off | Turns DNSSEC off globally. |
| cur | Displays the current DNSSEC configuration. |
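The nsec3sln, nsec3slt, nsec3hash and nsec3hit settings in the table above are the parameters of the NSEC3 hashed-owner-name computation defined in RFC 5155 section 5. The following Python, added here as an illustration and not Alteon code, implements that computation so the effect of each knob can be seen: the salt is appended on every round, the iteration count adds that many extra hash rounds on top of the first, and the result is base32hex-encoded to form the hashed owner name. It is checked against the RFC 5155 Appendix A test vector (zone `example`, salt `aabbccdd`, 12 iterations, SHA-1). The `sha256` entry in the algorithm map is an assumption made to mirror the menu's two options; RFC 5155 registers only SHA-1 (value 1) as an NSEC3 hash algorithm, so only that choice interoperates with standard validators. The sample names are constructed.

```python
import hashlib
import os

# Hash functions behind the menu's nsec3hash options. Only "sha1" (NSEC3 hash
# algorithm 1) is defined by RFC 5155; "sha256" is included here as an assumption
# to mirror the second menu option and is not an IANA-registered NSEC3 algorithm.
NSEC3_HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

# RFC 4648 "extended hex" base32 alphabet, lower-case as used in NSEC3 owner names.
BASE32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a name: lower-case, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Unpadded base32hex encoding (NSEC3 owner names carry no '=' padding)."""
    acc, nbits, out = 0, 0, []
    for octet in data:
        acc = (acc << 8) | octet
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(BASE32HEX[(acc >> nbits) & 0x1F])
    if nbits:
        out.append(BASE32HEX[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def nsec3_hash(name: str, salt: bytes, iterations: int, algorithm: str = "sha1") -> str:
    """RFC 5155 s5:  IH(salt, x, 0) = H(x || salt)
                      IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
       hashed owner  = base32hex(IH(salt, name, iterations))."""
    h = NSEC3_HASHES[algorithm]
    digest = h(name_to_wire(name) + salt).digest()   # round 0
    for _ in range(iterations):                      # nsec3hit extra rounds
        digest = h(digest + salt).digest()
    return base32hex(digest)


def make_salt(length: int) -> bytes:
    """Random salt of `length` octets, the quantity nsec3sln controls (0..255)."""
    if not 0 <= length <= 255:
        raise ValueError("NSEC3 salt length must fit in one octet")
    return os.urandom(length)


def hashed_owner_names(zone: str, names: list, salt: bytes, iterations: int,
                       algorithm: str = "sha1") -> dict:
    """Map each original owner name to the NSEC3 owner name it would get in `zone`.
    Re-running this with a new salt (what a salt-lifetime expiry triggers) changes
    every hashed name, which is why the whole NSEC3 chain must be re-signed."""
    apex = zone.rstrip(".")
    return {n: f"{nsec3_hash(n, salt, iterations, algorithm)}.{apex}." for n in names}


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters and apex name.
    print(nsec3_hash("example", bytes.fromhex("aabbccdd"), 12))
    # Constructed names under a constructed zone, with a freshly generated salt.
    salt = make_salt(8)
    for orig, hashed in hashed_owner_names("gslb.example", ["www.gslb.example",
                                           "mail.gslb.example"], salt, 0).items():
        print(orig, "->", hashed)
```

Two practical points follow from the code: the iteration count multiplies the hashing work of every validator that has to prove a negative answer, and the salt forces a full re-signing of the NSEC3 chain whenever it changes. RFC 9276 accordingly recommends zero additional iterations and an empty salt; keep nsec3hit low and treat nsec3slt as a re-signing cost rather than a security gain.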