/cfg/slb/gslb/dnssec
GSLB DNSSEC Menu
The Domain Name System Security Extensions (DNSSEC) add authentication measures to Alteon that defend the DNS protocol against known DNS threats. DNSSEC digitally signs the records returned for DNS lookups using public-key cryptography. The correct DNSKEY record is authenticated through a chain of trust that starts from a set of verified public keys for the DNS root zone, which acts as the trusted third party. When DNSSEC is used, each answer to a DNS lookup contains an RRSIG record in addition to the requested record type. The RRSIG record is a digital signature over the DNS resource record set (RRset) in the answer. The signature is verified by locating the correct public key in a DNSKEY record. The DNS record is used to authenticate DNSKEYs in the lookup procedure through the chain of trust.
To allow keys to be replaced, a key rollover procedure is used. New keys are rolled out as new DNSKEY records alongside the existing old keys.
For authentication purposes, Alteon uses two different key types, each published in its own DNSKEY records. Key Signing Keys (KSKs) sign the Zone Signing Keys (ZSKs) and are exported (publicly) to the parent DNS. ZSKs sign the DNS resource records (RRs). Because the ZSKs are controlled and used by one specific DNS zone, they can be switched more easily and more frequently. RFC 4614 recommends changing ZSKs on a monthly basis, which allows them to be shorter in bit length (for example, 1024). The KSK validity period is usually one year, so it needs a higher bit length (for example, 2048), making it harder to forge. When a new KSK is created, its delegation signer (DS) record must be transferred to the parent zone, where it must be signed and published.
When working with GSLB and DNSSEC enabled, the configuration of remote sites must be identical for all Alteons participating in the GSLB configuration (/cfg/slb/gslb/site x).
For GSLB sites to synchronize Alteon peers, the passphrase for Alteon synchronization must be enabled (/cfg/slb/sync/passphrs). Failing to set the passphrase generates an error message.
Note: Ensure that the time and date are configured correctly on all Alteons in the GSLB configuration. Radware recommends that you configure the time and date using NTP.
 
[DNSSEC for Global SLB Menu]
key - DNSSEC signing keys (ZSK/KSK) menu
zonekey - DNS Zone name to DNSSEC KSK/ZSK association menu
rolltm - Set automatic rollover Phase timer
kskrollt - Set KSK Rollover Phase Timer
nsec - Set NSEC answer type
nsec3sln - Set NSEC3 salt length
nsec3slt - Set NSEC3 salt lifetime
nsec3hash - Set NSEC3 hash algorithm
nsec3hit - Set NSEC3 hash algorithm iterations
keymastr - Key master for VRRP configurations
alert - Send DNSSEC Alerts in email
useremail - Set SMTP server user name
import - Import signing keys (ZSKs and KSK)
export - Export signing keys (ZSKs and KSK) for a zone
on - Globally turn DNSSEC ON
off - Globally turn DNSSEC OFF
cur - Display current DNSSEC configuration
 
Global SLB DNSSEC Menu (/cfg/slb/gslb/dnssec) 
Command Syntax and Usage
key
 
Displays the DNSSEC Key menu. To view this menu, see /cfg/slb/gslb/dnssec/key DNSSEC Key Menu.
Default: enable
zonekey
 
Displays the DNS Zone name to DNSSEC KSK/ZSK association menu. To view this menu, see /cfg/slb/gslb/dnssec/zonekey GSLB DNSSEC Zone to Key Menu.
rolltm
 
Sets the automatic rollover phase timer.
kskrollt
 
Sets the KSK rollover phase timer.
nsec nsec|nsec3
 
Sets the NSEC answer type.
nsec3sln
 
Sets the NSEC3 salt length.
nsec3slt
 
Sets the NSEC3 salt lifetime.
nsec3hash
 
Sets the NSEC3 hash algorithm.
Options are: sha1 or sha256
nsec3hit
 
Sets the NSEC3 hash algorithm iterations.
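As an added illustration, not Alteon code or output, the following Python (standard library only) computes the NSEC3 hashed owner names that the nsec3sln, nsec3slt, nsec3hash and nsec3hit settings control, following the RFC 5155 algorithm: hash the canonical wire-format owner name plus salt, then re-hash with the salt once per configured iteration, and present the result in base32hex. The inputs are the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations, SHA-1); sha256 is accepted only because the nsec3hash option offers it, as RFC 5155 and the IANA NSEC3 hash registry define SHA-1 alone.

```python
import base64
import hashlib

# Hash algorithms as named by the nsec3hash option on this page.
HASH_ALGS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

# RFC 4648 base32 alphabet -> base32hex alphabet, lowercase as in DNS presentation.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789abcdefghijklmnopqrstuv",
)


def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)  # zero-length root label
    return bytes(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int, alg: str = "sha1") -> str:
    """Hashed owner name per RFC 5155 s5: IH(salt, x, 0) = H(x || salt), IH(salt, x, k) = H(IH(k-1) || salt)."""
    if iterations < 0 or iterations > 65535:
        raise ValueError("iterations is a 16-bit field")
    hash_fn = HASH_ALGS[alg]
    # "-" is the presentation form of an empty salt (nsec3sln of 0).
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hash_fn(name_to_wire(name) + salt).digest()
    for _ in range(iterations):  # each configured iteration is one more hash over digest || salt
        digest = hash_fn(digest + salt).digest()
    # base32hex, padding stripped; SHA-1's 160 bits give exactly 32 characters.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).rstrip("=")


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: salt aabbccdd, 12 iterations, SHA-1.
    for owner in ("example.", "a.example.", "x.y.w.example."):
        print(owner, "->", nsec3_hash(owner, "aabbccdd", 12) + ".example.")
```

Each extra iteration costs the signer and every validating resolver one more hash per name, which is why RFC 9276 recommends 0 iterations and an empty salt for NSEC3 zones.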
keymastr
 
Enables or disables the keymaster for VRRP configurations. When enabling the keymaster, this Alteon is set as the initiator of DNSSEC key rollover processes in VRRP scenarios.
alert
 
Enables sending DNSSEC alerts through email.
useremail
 
Sets the user name of the SMTP recipient to whom the system sends e-mail through the SMTP server configured in the /cfg/slb/gslb menu.
import
 
Imports the signing keys (ZSKs and KSK).
export
 
Exports the signing keys (ZSKs and KSK).
on
 
Turns DNSSEC on globally.
off
 
Turns DNSSEC off globally.
cur
 
Displays the current DNSSEC configuration.