ltm dns dnssec key
ltm dns dnssec key(1) BIG-IP TMSH Manual ltm dns dnssec key(1)
NAME
key - Configures DNSSEC keys on the BIG-IP(r) system.
MODULE
ltm dns dnssec
SYNTAX
Configure the key component within the ltm dns dnssec module using the syntax in the following sections.
CREATE/MODIFY
create key [name]
modify key [name]
    options:
        algorithm [ rsasha1 | rsasha256 | rsasha512 ]
        app-service [[string] | none]
        bitwidth [ 512 | 1024 | 2048 | 4096 ]
        certificate-file [string]
        description [string]
        [enabled | disabled]
        expiration-period [integer]
        generation {
            [ [generation-id] ] {
                options:
                    expiration [ date:time ]
                    rollover [ date:time ]
            }
        }
        key-file [string]
        key-type [ksk | zsk]
        rollover-period [integer]
        signature-pub-period [integer]
        signature-valid-period [integer]
        ttl [integer]
        use-fips [external | internal | none]
edit key [ [ [name] | [glob] | [regex] ] ... ]
    options:
        all-properties
        non-default-properties
DISPLAY
list key
list key [ [ [name] | [glob] | [regex] ] ... ]
    options:
        all-properties
        non-default-properties
        one-line
DELETE
delete key [name]
DESCRIPTION
You can use the key component to configure DNSSEC zone signing and key signing keys, and to view information about the
keys.
EXAMPLES
create key ksk1
Creates the key signing key, ksk1, using the system default values.
create key zsk1
Creates the zone signing key, zsk1, using the system default values.
list key my_key
Displays the properties of the DNS security key my_key.
OPTIONS
algorithm
Specifies the algorithm to use to generate the key. The default value is RSASHA1.
app-service
Specifies the name of the application service to which the key belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the key.
Only the application service can modify or delete the key.
bitwidth
Specifies the length of the key you want to generate. The default value is 1024. If a key is manually managed, MCPD
derives this value from the key file and overrides any user-defined value.
certificate-file
Specifies the file containing the public key. Fields certificate-file and key-file are required for manual DNSSEC key
import.
description
User-defined description.
[enabled | disabled]
Specifies whether the key is enabled or disabled.
expiration-period
Specifies the life of the key in d:h:m:s, h:m:s, m:s, or seconds. At the end of the period, the system deletes the
expired generation of the key. This value must be greater than the value of the rollover-period option. The difference
between the two periods must be more than the value of the ttl option.
The default value is 0 (zero), which indicates unset, and thus the key does not expire.
generation
Displays the generation of the key, including the following:
creator
Hostname of BIG-IP system that created this generation.
expiration
The date and time that this generation of the key expires. This can be modified and is in the following format:
yyyy-mm-dd:hh:mm:ss.
handle
The handle of a generation of a key that is used for internal interactions with the key subsystem (for example,
HSM for FIPS).
key-tag
The hash identifier of the DNSKEY. This can be used to identify which DNSKEY was used to generate a given RRSIG.
pub-text
The text of the public portion of the DNSSEC Key Generation.
rollover
The date and time that the generation of the key rolls over to a new key. This can be modified and is in the
following format: yyyy-mm-dd:hh:mm:ss.
glob Displays the items that match the glob expression. See help glob for a description of glob expression syntax.
key-file
Specifies the file containing the private key. Fields certificate-file and key-file are required for manual DNSSEC key
import.
key-type
Specifies whether the key is of type ksk or zsk. The default value is zsk.
name Specifies a unique name for the component. This option is required for the commands create, delete, and modify.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at sign (@[regular
expression]) to indicate that the identifier is a regular expression. See help regex for a description of regular
expression syntax.
rollover-period
Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds, before the system generates another generation of
the key. At the end of the period, the system creates a new generation of the key. Two generations of the key exist
during the time between the end of the rollover period and the end of the expiration period.
This value must be greater than or equal to one third of the value of the expiration-period option, and less than the
value of the expiration-period option. The difference between the two periods must be more than the value of the ttl
option.
The default value is 0 (zero), which indicates unset, and thus the key does not roll over.
signature-pub-period
Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds, before the system publishes another generation of
the signature. At the end of the period, the system creates a new signature.
This value must be less than the value of the signature-valid-period option. The default value is 403200 seconds.
signature-valid-period
Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds, that the signature is valid. The validity period
will begin when the signature is generated but the inception time of the signature will be back-dated by one hour, to
allow for clock skew on the validator. At the end of the period, the Global Traffic Manager no longer uses the
expired signature. The default value is 604800 seconds.
ttl Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds, that a DNS server can cache the key. The default
value is 86400.
The value of the ttl option must be less than the difference between the values of the rollover-period and
expiration-period options.
0 seconds indicates that the key is not cached.
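The expiration-period, rollover-period and ttl rules above interact, so it helps to check a candidate set of values before creating the key. The following is an added example, not part of the tmsh manual or of any F5 code; it parses the d:h:m:s, h:m:s, m:s or seconds notation the page describes (assuming units fill from the right), reports which of the stated rules a configuration breaks, and computes the per-generation rollover and expiration timestamps in the page's yyyy-mm-dd:hh:mm:ss format.

```python
"""Check DNSSEC key timing rules from the ltm dns dnssec key man page.
Added example; not part of the tmsh manual or of any F5 code."""
from datetime import datetime, timedelta


def parse_period(value):
    """Convert a tmsh duration ('1:12:00:00', '36:00:00', '90:00' or
    '129600') into seconds. Fields are days:hours:minutes:seconds,
    filled from the right (assumption based on the d:h:m:s notation)."""
    parts = [int(p) for p in str(value).split(":")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"bad period: {value!r}")
    multipliers = (1, 60, 3600, 86400)  # s, m, h, d from the right
    return sum(p * m for p, m in zip(reversed(parts), multipliers))


def check_key_periods(expiration_period, rollover_period, ttl="86400"):
    """Return the rules the man page states that these values break.
    0 means unset (no expiry / no rollover), so the rollover and
    expiration rules are only checked when both periods are set."""
    exp, roll, cache = (parse_period(v) for v in (expiration_period, rollover_period, ttl))
    problems = []
    if exp == 0 or roll == 0:
        return problems
    if roll >= exp:
        problems.append("rollover-period must be less than expiration-period")
    if roll * 3 < exp:
        problems.append("rollover-period must be >= one third of expiration-period")
    if exp - roll <= cache:
        problems.append("expiration-period minus rollover-period must exceed ttl")
    return problems


def generation_timeline(created, expiration_period, rollover_period):
    """Compute when a generation created at 'created' rolls over and
    expires. Between those two instants the old and new generations
    coexist, which is the window in which cached DNSKEYs stay valid."""
    roll_at = created + timedelta(seconds=parse_period(rollover_period))
    exp_at = created + timedelta(seconds=parse_period(expiration_period))
    fmt = "%Y-%m-%d:%H:%M:%S"  # format the page uses for generation fields
    return {"rollover": roll_at.strftime(fmt),
            "expiration": exp_at.strftime(fmt),
            "overlap_seconds": int((exp_at - roll_at).total_seconds())}


if __name__ == "__main__":
    # Constructed values: a 30-day key that rolls over after 20 days.
    print(check_key_periods("30:00:00:00", "20:00:00:00"))   # []
    print(check_key_periods("30:00:00:00", "29:12:00:00"))   # breaks the ttl rule
    print(generation_timeline(datetime(2024, 1, 1), "30:00:00:00", "20:00:00:00"))
```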
use-fips
Specifies the type of FIPS-compliant hardware security module to use when storing, and signing with, the private key.
The default value is none. Selecting external attempts to use a network-attached FIPS device, if one is configured;
selecting internal uses the FIPS device within the BIG-IP system.
If this option is set to internal or external and a FIPS device is not present, the system automatically resets the
value to none.
SEE ALSO
create, delete, edit, glob, list, modify, regex, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013, 2016. All rights reserved.
BIG-IP 2019-05-13 ltm dns dnssec key(1)