DNSSEC 1

(IP address) are used in the signature. The TTLs of individual resource records are not part of the data used in signing to allow for aging. Since the TTL of the RRSIG record is part of the signed data, a caching resolver is expected to cache a response up to the minimum (smallest RR TTL in RRset, RRSIG record TTL).

With this approach a DNSSEC response can be performed without having to re-sign DNSSEC responses and without the need for key management.

With DNSSEC, due to the introduction of new record types, the size of a response can be much larger than plain DNS. EDNS0 with a buffer size of 4k is mandated by the RFC. Therefore we support UDP fragmented and TCP segmented DNS response.

The ServerIron ADX GSLB solution in the DNS proxy mode transparently acts upon DNS responses. If a ADNS real server or a zone is flagged for DNSSEC through configuration, it enables additional functionality such as accounting and real server selection. Zones can be tagged as DNSSEC ONLY or DNSSEC CAPABLE and real servers can be tagged as DNSSEC CAPABLE.

When some real servers are DNSSEC capable and some are not, all DNS requests are sent with the DO (DNSSEC OK) bit set to DNSSEC capable servers and other requests to the other servers.

When a zone is tagged as DNSSEC capable or DNSSEC only, requests to these zones are sent to DNSSEC capable real servers and requests to other zones are sent to other real servers. Through explicit configuration, plain DNS requests can be load balanced across all real servers.

If a zone is tagged as DNSSEC only, DNS requests are dropped.

Cache proxy mode

When cache proxy policy is configured with DNS proxy, the ServerIron ADX sends the response from its cache using the data learned from out-of-band backend DNS queries. However, for requests with the DO bit set if a real server is tagged as DNSSEC capable or if the zone is tagged for DNSSEC we forward the requests to the real server. If neither the zone or the server are tagged for DNSSEC, then we retain current behavior and respond directly.

Configuring DNSSEC for GSLB

The following sections describe how to configure a ServerIron ADX for DNSSEC.

Configuring a zone for DNSSEC

You can configure a zone to be DNSSEC capable or as DNSSEC only operation. as shown in the following:

ServerIron(config)# gslb dns zone-name brocade.com

ServerIron(config-gslb-dns-brocade.com)# dnssec-capable

Syntax: [no] dnssec-capable dnssec-only

Configuring a backend ADNS server as DNNSEC capable

To configure a backend ADNS server as DNNSEC capable, use the following command.

ServerIron(config)# server real-name dns_ns 209.157.23.46

ServerIron(config-rs-dns_ns)# port dns proxy

ServerIron(config-rs-dns_ns)# port dns dnssec-capable

Syntax: dnssec-capable

ServerIron ADX Global Server Load Balancing Guide

115

53-1002437-01

 

Page 126 Page 128
Page 127
Image 127
Brocade Communications Systems 12.4.00 manual Configuring Dnssec for Gslb, Cache proxy mode, Configuring a zone for Dnssec
Page 126 Page 128
Top Page Image Contents