ltm dns dnssec key
ltm dns dnssec key(1) BIG-IP TMSH Manual ltm dns dnssec key(1)
NAME
key - Configures DNSSEC keys on the BIG-IP(r) system.
MODULE
ltm dns dnssec
SYNTAX
Configure the key component within the ltm dns dnssec module using the syntax in the following sections.
CREATE/MODIFY
create key [name]
modify key [name]
options:
algorithm [ rsasha1 | rsasha256 | rsasha512 ]
app-service [[string] | none]
bitwidth [ 512 | 1024 | 2048 | 4096 ]
certificate-file [string]
description [string]
[enabled | disabled]
expiration-period [integer]
generation {
[ [generation-id] ] {
options:
expiration [ date:time ]
rollover [ date:time ]
}
}
key-file [string]
key-type [ksk | zsk]
rollover-period [integer]
signature-pub-period [integer]
signature-valid-period [integer]
ttl [integer]
use-fips [external | internal | none]
edit key [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list key
list key [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
DELETE
delete key [name]
DESCRIPTION
You can use the key component to configure DNSSEC zone signing and key signing keys, and to view information
about the keys.
EXAMPLES
create key ksk1 key-type ksk
Creates the key signing key, ksk1, using the system default values for all other properties. The key-type
option is required here because the default key type is zsk.
create key zsk1
Creates the zone signing key, zsk1, using the system default values.
list key my_key
Displays the properties of the DNS security key my_key.
OPTIONS
algorithm
Specifies the algorithm used to generate the key. The default value is rsasha1. RFC 8624 rates RSASHA1 as
not recommended for signing; rsasha256 is a must-implement algorithm for both signing and validation and
is the safer choice for new keys.
app-service
Specifies the name of the application service to which the key belongs. The default value is none. Note:
If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the key. Only the application service can modify or delete the key.
bitwidth
Specifies the length, in bits, of the key to generate. The default value is 1024. For a manually imported
key (certificate-file and key-file), MCPD derives the length from the key file and overrides any value set
here.
certificate-file
Specifies the file containing the public key. Fields certificate-file and key-file are required for
manual DNSSEC key import.
description
User defined description.
[enabled | disabled]
Specifies whether the key is enabled or disabled.
expiration-period
Specifies the life of the key in d:h:m:s, h:m:s, m:s, or seconds. At the end of the period, the system
deletes the expired generation of the key. This value must be greater than the value of the rollover-
period option. The difference between the two periods must be more than the value of the ttl option.
The default value is 0 (zero), which indicates unset, and thus the key does not expire.
generation
Displays each generation of the key, with the following properties:
creator
Hostname of BIG-IP system that created this generation.
expiration
The date and time that this generation of the key expires. This can be modified and is in the
following format: yyyy-mm-dd:hh:mm:ss.
handle
The handle of a generation of a key that is used for internal interactions with the key subsystem
(for example, HSM for FIPS).
key-tag
The 16-bit key tag of the DNSKEY, computed over its RDATA as described in RFC 4034 Appendix B. An RRSIG
carries the key tag of the key that produced it, so this value identifies which generation signed a
given RRSIG. Key tags are not unique: a matching tag narrows the candidates, and only signature
verification proves which key signed.
pub-text
The text of the public portion of the DNSSEC Key Generation.
rollover
The date and time that the generation of the key rolls over to a new key. This can be modified and
is in the following format: yyyy-mm-dd:hh:mm:ss.
glob Displays the items that match the glob expression. See help glob for a description of glob expression
syntax.
key-file
Specifies the file containing the private key. Fields certificate-file and key-file are required for
manual DNSSEC key import.
key-type
Specifies whether the key is of type ksk or zsk. The default value is zsk.
name Specifies a unique name for the component. This option is required for the commands create, delete, and
modify.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at
sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
a description of regular expression syntax.
rollover-period
Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds, before the system generates another
generation of the key. At the end of the period, the system creates a new generation of the key. Two
generations of the key exist during the time between the end of the rollover period and the end of the
expiration period.
This value must be greater than or equal to one third of the value of the expiration-period option, and
less than the value of the expiration-period option. The difference between the two periods must be more
than the value of the ttl option.
The default value is 0 (zero), which indicates unset, and thus the key does not roll over.
signature-pub-period
Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds, before the system publishes another
generation of the signature. At the end of the period, the system creates a new signature.
This value must be less than the value of the signature-valid-period option; the difference is the margin
by which a new signature is published before the previous one expires. The default value is 403200
seconds.
signature-valid-period
Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds, that the signature is valid. The
validity period will begin when the signature is generated but the inception time of the signature will
be back-dated by one hour, to allow for clock skew on the validator. At the end of the period, the
Global Traffic Manager no longer uses the expired signature. The default value is 604800 seconds.
ttl Specifies the amount of time, in d:h:m:s, h:m:s, m:s, or seconds, that a DNS server can cache the key.
The default value is 86400.
The value of the ttl option must be less than the difference between the values of the rollover-period
and expiration-period options.
0 seconds indicates that the key is not cached.
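The rules stated above for expiration-period, rollover-period, ttl, signature-pub-period and signature-valid-period interact and are easy to get wrong when worked out by hand. The following Python is an added illustration, not part of the tmsh manual or any F5 software: it parses the d:h:m:s period syntax, checks a proposed set of timers against those rules, and renders the full-path tmsh command for a set that passes. The KeyTimers class, the function names and the sample timer values are assumptions made for the example.

```python
"""Check BIG-IP DNSSEC key timers against the rules in the ltm dns dnssec key
man page and render the tmsh command for a valid set.

Added example: not F5 code. KeyTimers and render_create_key are assumed names.
"""
from dataclasses import dataclass

# Weights for the d:h:m:s fields; shorter forms are right-aligned against them
# so that "5:0" means five minutes, not five days.
_WEIGHTS = (86400, 3600, 60, 1)


def parse_period(value):
    """Convert a tmsh period (d:h:m:s, h:m:s, m:s, or plain seconds) to seconds."""
    text = str(value).strip()
    fields = text.split(":")
    if not 1 <= len(fields) <= 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"bad period {text!r}: expected d:h:m:s, h:m:s, m:s or seconds")
    return sum(int(f) * w for f, w in zip(fields, _WEIGHTS[-len(fields):]))


@dataclass(frozen=True)
class KeyTimers:
    """The five lifetime options of a key, as the strings tmsh accepts.
    Defaults are the man-page defaults (0 means unset)."""
    expiration_period: str = "0"
    rollover_period: str = "0"
    ttl: str = "86400"
    signature_pub_period: str = "403200"
    signature_valid_period: str = "604800"

    def problems(self):
        """Return the documented rules this timer set violates (empty list if none)."""
        exp = parse_period(self.expiration_period)
        roll = parse_period(self.rollover_period)
        ttl = parse_period(self.ttl)
        pub = parse_period(self.signature_pub_period)
        valid = parse_period(self.signature_valid_period)
        found = []
        # 0 is "unset" for both lifetime options, so the rollover/expiration
        # relations are checked only once either one is configured (assumption).
        if exp or roll:
            if not exp > roll:
                found.append("expiration-period must be greater than rollover-period")
            if not 3 * roll >= exp:
                found.append("rollover-period must be at least one third of expiration-period")
            if not exp - roll > ttl:
                found.append("expiration-period minus rollover-period must exceed ttl")
        if not pub < valid:
            found.append("signature-pub-period must be less than signature-valid-period")
        return found


def render_create_key(name, key_type, algorithm, bitwidth, timers):
    """Full-path tmsh command for the key; raises if the timers break a rule."""
    issues = timers.problems()
    if issues:
        raise ValueError("; ".join(issues))
    return (
        f"create ltm dns dnssec key {name} key-type {key_type} algorithm {algorithm} "
        f"bitwidth {bitwidth} expiration-period {timers.expiration_period} "
        f"rollover-period {timers.rollover_period} ttl {timers.ttl} "
        f"signature-pub-period {timers.signature_pub_period} "
        f"signature-valid-period {timers.signature_valid_period}"
    )


if __name__ == "__main__":
    # 30-day generations rolled every 10 days (exactly the one-third floor)
    # with a 1-day TTL: 20 days of overlap comfortably exceeds the TTL.
    good = KeyTimers("30:0:0:0", "10:0:0:0", "1:0:0:0")
    print(render_create_key("zsk1", "zsk", "rsasha256", 2048, good))
    # Rolling at 29.5 days leaves only 12 hours of overlap, less than the
    # 1-day TTL, so caches could still hold the old key after it is deleted.
    bad = KeyTimers("30:0:0:0", "29:12:0:0", "1:0:0:0")
    print("rejected:", bad.problems())
```

The rendered line can be pasted at the tmsh root prompt or run from the advanced shell with tmsh -c; because it uses the full ltm dns dnssec key path it does not depend on having first changed into the module.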
use-fips
Specifies which FIPS-compliant hardware security module, if any, stores the private key and performs
signing with it. The default value is none. The value external uses a network-attached FIPS device, if
one is configured; the value internal uses the FIPS hardware inside the BIG-IP system.
If this option is set to internal or external and no such FIPS device is present, the system automatically
resets the value to none, so verify the stored value with list key after creating the key rather than
assuming the HSM was used.
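The key-tag shown for each generation is what ties an RRSIG in the served zone back to the DNSKEY generation that produced it, and the signature-valid-period description explains why a served RRSIG's window is one hour longer than configured. The following Python is an added illustration, not code from the tmsh manual or from F5: it recomputes the RFC 4034 key tag from DNSKEY records in presentation format (as dig prints them), finds the candidate signing key for an RRSIG, and measures the RRSIG validity window. The DNSKEY and RRSIG lines are constructed samples with toy four-byte public keys, not real keys, and the function names are assumptions.

```python
"""Recompute DNSSEC key tags from DNSKEY records and tie RRSIGs to the key that
signed them. Added example, not F5 code; record parsing assumes the standard
presentation format that dig prints.
"""
import base64
from datetime import datetime, timezone

# Constructed sample records, not real keys: the toy four-byte public keys keep
# the key-tag arithmetic checkable by hand (a real RSA key is hundreds of bytes).
SAMPLE_DNSKEYS = [
    "example.com. 86400 IN DNSKEY 257 3 8 AQIDBA==",  # KSK: flags 257 (SEP bit set)
    "example.com. 86400 IN DNSKEY 256 3 8 BQYHCA==",  # ZSK: flags 256
]
SAMPLE_RRSIG = ("www.example.com. 3600 IN RRSIG A 8 3 3600 20190520120000 "
                "20190513110000 4118 example.com. c2lnbmF0dXJl")


def key_tag(rdata):
    """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA (flags, protocol,
    algorithm, public key). Not for algorithm 1 (RSA/MD5), which used another
    formula; rsasha1, rsasha256 and rsasha512 all use this one."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(line):
    """'owner ttl IN DNSKEY flags proto alg key...' -> owner, flags, algorithm, key tag."""
    parts = line.split()
    i = parts.index("DNSKEY")
    flags, proto, alg = (int(x) for x in parts[i + 1:i + 4])
    # base64 may be broken across whitespace in zone-file output, so rejoin it
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode("".join(parts[i + 4:]))
    return {"owner": parts[0].lower(), "flags": flags, "algorithm": alg, "key_tag": key_tag(rdata)}


def parse_rrsig(line):
    """'owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer sig'."""
    parts = line.split()
    i = parts.index("RRSIG")
    return {
        "owner": parts[0].lower(), "type_covered": parts[i + 1], "algorithm": int(parts[i + 2]),
        "expiration": parts[i + 5], "inception": parts[i + 6],
        "key_tag": int(parts[i + 7]), "signer": parts[i + 8].lower(),
    }


def match_rrsig(rrsig_line, dnskey_lines):
    """DNSKEYs that could have produced the RRSIG: same signer name, algorithm
    and key tag. Tags are 16 bits and can collide, so this only narrows the
    candidates; cryptographic verification proves which key signed."""
    sig = parse_rrsig(rrsig_line)
    return [k for k in map(parse_dnskey, dnskey_lines)
            if k["owner"] == sig["signer"]
            and k["algorithm"] == sig["algorithm"]
            and k["key_tag"] == sig["key_tag"]]


def rrsig_window_seconds(rrsig_line):
    """Length of the RRSIG validity window in seconds. For a BIG-IP-signed
    zone expect signature-valid-period plus 3600 for the back-dated inception."""
    sig = parse_rrsig(rrsig_line)
    fmt = "%Y%m%d%H%M%S"
    exp = datetime.strptime(sig["expiration"], fmt).replace(tzinfo=timezone.utc)
    inc = datetime.strptime(sig["inception"], fmt).replace(tzinfo=timezone.utc)
    return int((exp - inc).total_seconds())


if __name__ == "__main__":
    for key in map(parse_dnskey, SAMPLE_DNSKEYS):
        print(f"{key['owner']} flags={key['flags']} alg={key['algorithm']} key-tag={key['key_tag']}")
    for key in match_rrsig(SAMPLE_RRSIG, SAMPLE_DNSKEYS):
        print(f"RRSIG matches {'KSK' if key['flags'] & 1 else 'ZSK'} with key-tag {key['key_tag']}")
    print("validity window:", rrsig_window_seconds(SAMPLE_RRSIG), "seconds")
```

In practice the DNSKEY and RRSIG lines come from dig +dnssec against the BIG-IP listener, and the computed key tags are compared with the key-tag of each generation shown by list key with all-properties; a served RRSIG whose tag matches no current generation, or whose window is not signature-valid-period plus one hour, points at a stale or foreign signer.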
SEE ALSO
create, delete, edit, glob, list, modify, regex, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc
F5 Networks and BIG-IP (c) Copyright 2009-2013, 2016. All rights reserved.
BIG-IP 2019-05-13 ltm dns dnssec key(1)