GlobalLB::DNSSECKey

Introduced : BIG-IP_v10.1.0
The DNSSECKey interface manages the cryptographic keys used for securing DNS information, i.e., DNSSEC. The keys managed by this interface can be used to sign DNS record groups and the keys themselves. Technically, there is not a single key for each key object. This key is re-created on a regular schedule, which can be controlled via this interface. Each re-generated key is considered a new “generation” - a term used more in its genealogical sense than a creation sense. A single key generation can have its lifetime changed. Thus when using this interface, be careful to distinguish the attributes which apply to this whole process vs those that apply to a single key generation.

Once a key generation is created, it is fully active for the “rollover period”. At the end of that period, the next generation's key is created and both keys are in use. Once the first key reaches the end of its “expiration period”, it is no longer handed out, the generation is deleted, and only the second key is in use. This process continues ad infinitum.

It is important to note that these keys do not affect the processing by their mere existence. To take effect, they must be assigned to a DNSSEC zone (See the DNSSECZone interface).

Methods

Method Description Introduced
create Creates a set of DNSSEC keys. Note that the attributes specified in this method cannot be changed afterwards. BIG-IP_v10.1.0
create_manual Creates a set of manually managed DNSSEC keys. Note that the attributes specified in this method cannot be changed afterwards. BIG-IP_v11.4.0
create_v2 Creates a set of automatically managed DNSSEC keys. Note that the attributes specified in this method cannot be changed afterwards. BIG-IP_v11.4.0
delete_all_keys Deletes all DNSSEC keys. BIG-IP_v10.1.0
delete_key Deletes a set of DNSSEC keys. BIG-IP_v10.1.0
get_algorithm Gets the algorithms used to digitally sign DNS record groups and keys for a set of DNSSEC keys. BIG-IP_v10.1.0
get_certificate_file Gets the certificate file name for a set of DNSSEC keys. BIG-IP_v11.4.0
get_description Gets the descriptions for a set of DNSSEC keys. BIG-IP_v11.0.0
get_enabled_state Gets the enabled state for a set of DNSSEC keys. BIG-IP_v10.1.0
get_expiration_period Gets the expiration period for a set of DNSSEC keys. BIG-IP_v10.1.0
get_fips_state Gets the enabled state for using the FIPS device to store and retrieve keys for a set of DNSSEC keys. BIG-IP_v10.1.0
get_generation Gets the existing DNSSEC key generation identifiers for a set of DNSSEC keys. The key generation identifier is a simple generation count, unique within a single DNSSEC key. BIG-IP_v10.1.0
get_generation_creator Gets the creator for a set of DNSSEC key generations, which is the hostname of the BIG-IP that created the generation. BIG-IP_v11.2.0
get_generation_expiration_time Gets the expiration date and time for a set of DNSSEC key generations. BIG-IP_v10.1.0
get_generation_key_tag Gets the DNSSEC RR hash for a set of DNSSEC key generations. BIG-IP_v11.2.0
get_generation_public_text Gets the public text for a set of DNSSEC key generations. BIG-IP_v10.1.0
get_generation_rollover_time Gets the rollover date and time for a set of DNSSEC key generations. BIG-IP_v10.1.0
get_hardware_security_module_type Gets the hardware security module type to specify whether keys are stored locally or on an external hardware security module for a set of DNSSEC keys. BIG-IP_v11.4.0
get_key_file Gets the key file name for a set of DNSSEC keys. BIG-IP_v11.4.0
get_list Gets the names of all DNSSEC keys. BIG-IP_v10.1.0
get_rollover_period Gets the rollover period for a set of DNSSEC keys. BIG-IP_v10.1.0
get_signature_publication_period Gets the RRSIG record signature publication period for a set of DNSSEC keys. BIG-IP_v10.1.0
get_signature_validity_period Gets the RRSIG record signature validity period for a set of DNSSEC keys. BIG-IP_v10.1.0
get_size Gets the digital signature sizes for a set of DNSSEC keys. BIG-IP_v10.1.0
get_time_to_live Gets the Time To Live (TTL) for the DNSKEY record types. BIG-IP_v10.1.0
get_type Gets the types for a set of DNSSEC keys. BIG-IP_v10.1.0
get_version Get the version information for this interface. BIG-IP_v10.1.0
set_description Sets the description for a set of DNSSEC keys. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.0.0
set_enabled_state Sets the enabled state for a set of DNSSEC keys. If a DNSSEC key is disabled, the key is still published, but it is not used to sign DNS record groups or keys. BIG-IP_v10.1.0
set_expiration_period Sets the expiration period for a set of DNSSEC keys. The expiration period is the time between the activation of a DNSSEC key generation and its expiration. It must be longer than the rollover period. BIG-IP_v10.1.0
set_generation_expiration_time Sets the expiration date and time for a set of DNSSEC key generations. This method can be used for any reason, but is most likely used to invalidate a possibly compromised key. BIG-IP_v10.1.0
set_generation_rollover_time Sets the rollover date and time for a set of DNSSEC key generations. This method can be used for any reason, but is most likely used to invalidate a possibly compromised key by forcing the creation of a new key generation. BIG-IP_v10.1.0
set_rollover_period Sets the rollover period for a set of DNSSEC keys. The rollover period is the time between the activation of one DNSSEC key generation and the activation of the next DNSSEC key generation. BIG-IP_v10.1.0
set_signature_publication_period Sets the RRSIG record signature publication period for a set of DNSSEC keys. The signature publication period is the period in which the digital signature is published; it is stored in the RRSIG record, should be significantly shorter than the Time To Live period, and must be shorter than the signature validity period. BIG-IP_v10.1.0
set_signature_validity_period Sets the RRSIG record signature validity period for a set of DNSSEC keys. This value is the period for which the digital signature is valid; it is stored in the RRSIG record and should be significantly smaller than the Time To Live period. BIG-IP_v10.1.0
set_time_to_live Sets the Time To Live (TTL) for the DNSKEY record types. BIG-IP_v10.1.0
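
The generation lifecycle from the overview, combined with the set_rollover_period and set_expiration_period rules, can be modeled to see how many key generations are published at any moment. This is an added example, not F5 code and not an iControl call; it assumes periods in seconds, the first generation activating at t=0 and numbered 1, and no manual changes to any generation's rollover or expiration time.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Generation:
    number: int      # generation count (numbering from 1 is an assumption)
    activated: int   # seconds since the first generation was activated
    expires: int     # activated + expiration period


def check_periods(rollover: int, expiration: int) -> None:
    """Reject settings the page rules out: expiration must exceed rollover."""
    if rollover <= 0:
        raise ValueError("rollover period must be positive")
    if expiration <= rollover:
        raise ValueError("expiration period must be longer than the rollover period")


def generations_in_use(t: int, rollover: int, expiration: int) -> list[Generation]:
    """Return the generations still handed out at time t, oldest first."""
    check_periods(rollover, expiration)
    if t < 0:
        return []
    newest = t // rollover              # zero-based index of the latest activation
    found = []
    for k in range(newest, -1, -1):     # walk back from the newest generation
        activated = k * rollover
        if t >= activated + expiration:
            break                       # this and every older generation is deleted
        found.append(Generation(k + 1, activated, activated + expiration))
    return list(reversed(found))


def max_concurrent(rollover: int, expiration: int) -> int:
    """Largest number of generations published at the same time."""
    check_periods(rollover, expiration)
    return -(-expiration // rollover)   # ceil(expiration / rollover)


if __name__ == "__main__":
    DAY = 86400
    # Constructed settings: 30-day rollover, 37-day expiration (7-day overlap).
    for day in (10, 32, 38, 60):
        gens = generations_in_use(day * DAY, 30 * DAY, 37 * DAY)
        print(f"day {day}: generations {[g.number for g in gens]}")
    print("max concurrent:", max_concurrent(30 * DAY, 37 * DAY))
```

An expiration period more than twice the rollover period leaves three or more generations published at once, which increases the size of the DNSKEY record set.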

Structures

Structure Description

Enumerations

Enumeration Description
KeyAlgorithm Digital signature algorithm used to sign DNS record groups and keys.
KeyType DNSSEC key type.

Exceptions

Exception Description

Constants

Constant Type Value Description

Aliases

Alias Type Description
KeyAlgorithmSequence KeyAlgorithm [] Sequence of digital signature algorithms.
KeyTypeSequence KeyType [] Sequence of DNSSEC key types.
