ltm dns dnssec key
ltm dns dnssec key(1) BIG-IP TMSH Manual ltm dns dnssec key(1)
NAME
key - Configures DNSSEC keys on the BIG-IP(r) system.
MODULE
ltm dns dnssec
SYNTAX
Configure the key component within the ltm dns dnssec module using the
syntax in the following sections.
CREATE/MODIFY
create key [name]
modify key [name]
options:
algorithm [ rsasha1 | rsasha256 | rsasha512 ]
app-service [[string] | none]
bitwidth [ 512 | 1024 | 2048 | 4096 ]
certificate-file [string]
description [string]
[enabled | disabled]
expiration-period [integer]
key-file [string]
key-type [ksk | zsk]
rollover-period [integer]
signature-pub-period [integer]
signature-valid-period [integer]
ttl [integer]
use-fips [external | internal | none]
edit key [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list key
list key [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
generation
non-default-properties
one-line
DELETE
delete key [name]
DESCRIPTION
You can use the key component to configure DNSSEC zone signing and key
signing keys, and to view information about the keys.
EXAMPLES
create key ksk1
Creates the key signing key, ksk1, using the system default values.
create key zsk1
Creates the zone signing key, zsk1, using the system default values.
list key my_key
Displays the properties of the DNS security key my_key.
OPTIONS
algorithm
Specifies the algorithm to use to generate the key. The default
value is RSASHA1.
app-service
Specifies the name of the application service to which the key
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the key. Only the application service
can modify or delete the key.
bitwidth
Specifies the length of the key you want to generate. The default
value is 1024. If a key is manually managed, MCPD will derive this
value from the file and override any user-defined value.
certificate-file
Specifies the file containing the public key. The certificate-file
and key-file fields are required for manual DNSSEC key import.
description
User-defined description.
[enabled | disabled]
Specifies whether the key is enabled or disabled.
expiration-period
Specifies the life of the key in d:h:m:s, h:m:s, m:s, or seconds.
At the end of the period, the system deletes the expired
generation of the key. This value must be greater than the value
of the rollover-period option. The difference between the two
periods must be more than the value of the ttl option.
The default value is 0 (zero), which indicates unset, and thus the
key does not expire.
generation
Displays the generation of the key, including the following:
creator
Hostname of BIG-IP system that created this generation.
expiration
The date and time that this generation of the key expires.
handle
The handle of a generation of a key that is used for
interacting with the key subsystem (for example, HSM for
FIPS).
key-tag
The hash identifier of the DNSKEY.
pub-text
The text of the randomly-generated public key.
rollover
The date and time that this generation of the key rolls over
to a new key.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
key-file
Specifies the file containing the private key. The certificate-file
and key-file fields are required for manual DNSSEC key import.
key-type
Specifies whether the key is of type ksk or zsk. The default value
is zsk.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
rollover-period
Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds,
before the system generates another generation of the key. At the
end of the period, the system creates a new generation of the key.
Two generations of the key exist during the time between the end
of the rollover period and the end of the expiration period.
This value must be greater than or equal to one third of the value
of the expiration-period option, and less than the value of the
expiration-period option. The difference between the two periods
must be more than the value of the ttl option.
The default value is 0 (zero), which indicates unset, and thus the
key does not roll over.
signature-pub-period
Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds,
before the system publishes another generation of the signature.
At the end of the period, the system creates a new signature.
This value must be less than the value of the
signature-valid-period option. The default value is 403200 seconds.
signature-valid-period
Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds,
that the signature is valid. At the end of the period, the Global
Traffic Manager no longer uses the expired signature. The default
value is 604800 seconds.
ttl Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds,
that a DNS server can cache the key. The default value is 86400.
The value of the ttl option must be less than the difference
between the values of the rollover-period and expiration-period
options.
0 seconds indicates that the key is not cached.
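The timing options above (expiration-period, rollover-period, ttl, signature-pub-period and signature-valid-period) are only accepted together when several inequalities hold, and a misconfigured set leaves a zone with a key that rolls over too late or a signature that expires before its replacement is published. The following Python is an added example, not part of this man page or of F5's tmsh: it parses the d:h:m:s, h:m:s, m:s and plain-seconds forms described above (the parser is this example's own reading of those formats), checks the stated constraints, and builds the module-relative create command shown in EXAMPLES with all periods normalized to seconds. The function names are assumptions for this example.

```python
import re

# Multipliers for the rightmost field first: s, m, h, d.
_MULTIPLIERS = (1, 60, 3600, 86400)


def parse_period(text):
    """Convert a tmsh-style period (d:h:m:s, h:m:s, m:s, or seconds) to seconds.

    The accepted grammar is this example's reading of the man page, not F5's
    own parser: one to four colon-separated non-negative integers.
    """
    text = str(text).strip()
    if not re.fullmatch(r"\d+(:\d+){0,3}", text):
        raise ValueError(
            f"bad period {text!r}: expected d:h:m:s, h:m:s, m:s or seconds")
    parts = [int(p) for p in text.split(":")]
    return sum(p * m for p, m in zip(reversed(parts), _MULTIPLIERS))


def check_key_timing(expiration, rollover, ttl,
                     sig_pub="403200", sig_valid="604800"):
    """Return the list of constraint violations for a proposed key timing.

    An empty list means the settings satisfy every rule the man page states
    for expiration-period, rollover-period, ttl, signature-pub-period and
    signature-valid-period. Defaults for the signature periods are the
    page's documented defaults.
    """
    exp, roll, cache = parse_period(expiration), parse_period(rollover), parse_period(ttl)
    pub, valid = parse_period(sig_pub), parse_period(sig_valid)
    problems = []

    # 0 means unset for both key periods: the key neither rolls over nor
    # expires, so the key-lifetime rules do not apply.
    if not (exp == 0 and roll == 0):
        if roll >= exp:
            problems.append("rollover-period must be less than expiration-period")
        if roll * 3 < exp:
            problems.append("rollover-period must be at least one third of expiration-period")
        if exp - roll <= cache:
            problems.append("expiration-period minus rollover-period must exceed ttl")

    # The signature rule applies regardless of the key periods.
    if pub >= valid:
        problems.append("signature-pub-period must be less than signature-valid-period")
    return problems


def tmsh_create_key(name, key_type="zsk", expiration="0", rollover="0",
                    ttl="86400", sig_pub="403200", sig_valid="604800"):
    """Build the module-relative 'create key' line, or raise if the timing is inconsistent.

    Periods are emitted in seconds so the values match the [integer] form in
    the SYNTAX section. The command is meant to be typed inside the
    'ltm dns dnssec' module, as in the page's EXAMPLES.
    """
    if key_type not in ("ksk", "zsk"):
        raise ValueError("key-type must be ksk or zsk")
    problems = check_key_timing(expiration, rollover, ttl, sig_pub, sig_valid)
    if problems:
        raise ValueError("; ".join(problems))
    return (
        f"create key {name} key-type {key_type}"
        f" expiration-period {parse_period(expiration)}"
        f" rollover-period {parse_period(rollover)}"
        f" ttl {parse_period(ttl)}"
        f" signature-pub-period {parse_period(sig_pub)}"
        f" signature-valid-period {parse_period(sig_valid)}"
    )


if __name__ == "__main__":
    # Constructed sample: a 30-day key that rolls over after 20 days, cached 1 day.
    print(tmsh_create_key("zsk1", "zsk", "30:0:0:0", "20:0:0:0", "1:0:0:0"))
    # Constructed bad sample: a 10-day key rolling over after 2 days
    # (less than one third of its life).
    print(check_key_timing("10:0:0:0", "2:0:0:0", "86400"))
```

Run the checks against the period values you intend to pass before issuing create or modify; the page states the constraints but not how the system reports a violation, so catching them locally avoids guessing at the error text.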
use-fips
Specifies the type of FIPS-compliant hardware security module to
use when storing, and signing with, the private key. The default
value is none. The external setting attempts to use a
network-attached FIPS device if one is configured; otherwise,
internal uses the FIPS device within the BIG-IP.
If this option is set to internal or external and a FIPS device is
not present, the system automatically resets the value to none.
SEE ALSO
create, delete, edit, glob, list, modify, regex, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013, 2016. All rights
reserved.
BIG-IP 2016-03-14 ltm dns dnssec key(1)