ltm dns dnssec zone

ltm dns dnssec zone(1)				  BIG-IP TMSH Manual			       ltm dns dnssec zone(1)

NAME
       zone - Configures DNSSEC zones on the BIG-IP(r) system.

MODULE
       ltm dns dnssec

SYNTAX
       Configure the zone component within the ltm dns dnssec module using the syntax in the following sections.

   CREATE/MODIFY
	create zone [name]
	modify zone [name]
	  options:
	    app-service [[string] | none]
	    description [string]
	    [enabled | disabled]
	    ds-algorithm [ sha1 | sha256 ] DEPRECATED - see ds-algorithms
	    ds-algorithms [ add | delete | replace-all-with ] {
	      [ sha1 | sha256 ] ...
	    }
	    external-delegations
	      [add | delete | modify | replace-all-with] {
		[DNS zone name] {
		  options:
		    ds-records
		      [add | delete | modify | replace-all-with] {
			[ DS record ] ...
		    }
		    secure [ enabled | disabled ]
		}
	    }
	    indicate-authenticated [ enabled | disabled ]
	    keys
	      [add | delete | modify | replace-all-with] {
		[key name ...]
	    }
	    keys none
	    nsec3-algorithm [ SHA1 ]
	    nsec3-iterations [unsigned integer]
	    publish-cds-cdnskey [ enabled | disabled ]

	edit zone [ [ [name] | [glob] | [regex] ] ... ]
	 options:
	   all-properties
	   non-default-properties

	reset-stats zone
	reset-stats zone [ [ [name] | [glob] | [regex] ] ... ]

   DISPLAY
	list zone
	list zone [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    seps
	show zone [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    (default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
	    global
	    field-fmt

   DELETE
	delete zone [name]

DESCRIPTION
       You can use the zone component to configure and view information about a DNSSEC zone.

EXAMPLES
       list zone mySecureZone

       Displays the properties of the DNSSEC zone named mySecureZone.

OPTIONS
       app-service
	    Specifies the name of the application service to which the zone belongs. The default value is none. Note:
	    If the strict-updates option is enabled on the application service that owns the object, you cannot
	    modify or delete the zone. Only the application service can modify or delete the zone.

       description
	    User-defined description.

       ds-algorithm
	    This option is deprecated in v14.0.0 and is replaced by ds-algorithms. Specifies the hash algorithm to
	    use when creating the Delegation Signer (DS) resource record. The default value is sha1.

       ds-algorithms
	    Specifies the hash algorithms to use when creating Delegation Signer (DS) resource records. The default
	    value is sha1. A DS record is generated in a given SEP for each algorithm that is configured.

       [enabled | disabled]
	    Specifies whether the DNSSEC zone is enabled or disabled.

	    Note: You must associate both a key signing and a zone signing key with the zone before complete signing
	    of client requests can occur.

       external-delegations
	    Specifies the names of delegated subzones of this zone, where the BIG-IP is not responsible for the
	    DNSSEC signing.

	    ds-records
		 Specifies the DNSSEC delegation signer (DS) resource records (RRs) that correspond to the Key-
		 Signing-Keys (KSKs) of the external delegated zone. They indicate that the external delegated zone
		 is DNSSEC enabled. These records are used to establish the DNSSEC chain of trust from zone to
		 subzone.

	    secure
		 Specifies whether or not the external delegation is secured through the use of DS records. Default
		 value is enabled.

       glob Displays the items that match the glob expression. See help glob for a description of glob expression
	    syntax.

       indicate-authenticated
	    The Authenticated Data (AD) flag is TRUE for DNSSEC zone authoritative answers when this setting is
	    enabled. The default value is disabled.

       keys Specifies the keys that you want to configure for the zone.

       name Specifies a unique name for the component. This option is required for the commands create, delete, and
	    modify.

       nsec3-algorithm
	    Specifies the hash algorithm to use when creating the Next Secure (NSEC3) resource record. The default
	    value is SHA1. Other algorithms are not currently supported, so selecting SHA256 will revert to SHA1 with
	    a warning message.

       nsec3-iterations
	    Specifies the number of times to hash the Next Secure (NSEC3) names. The default value is 1.

       publish-cds-cdnskey
	    Specifies whether the system responds to CDS and CDNSKEY type queries for the DNSSEC zone. The
	    default value is disabled.

       regex
	    Displays the items that match the regular expression. The regular expression must be preceded by an at
	    sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
	    a description of regular expression syntax.

       secure-delegations
	    Specifies the DNSSEC zones on the BIG-IP that are delegated subzones of the zone as determined by the
	    name of the zones. This list is read-only and automatically generated based on the DNSSEC Zones
	    configured on the BIG-IP.

       seps Displays the Secure Entry Point(s) (DS and DNSKEY resource records used as client trust anchors) of the
	    zone. This list is read-only and automatically generated based on the DNSSEC Key Key-Signing-Keys (KSKs)
	    configured on a DNSSEC Zone.

	    Each list entry includes the following attributes:

	    dnskey
		 String representation of the DNSKEY resource record. Note this will be a Key-Signing-Key (KSK).

	    ds	 This option is deprecated in v14.0.0 and is replaced by ds-records. String representation of the DS
		 resource record.

	    ds-records
		 String representations of DS resource records. There will be one DS record for each ds-algorithm
		 configured on the DNSSEC Zone.

	    generation-id
		 Generation ID of DNSSEC Key used to create the SEP.

	    key-name
		 Name of DNSSEC Key which was used to create the SEP.

       xfr-primary-soa-serial
	    The learned zone SOA serial number from the primary server.

       xfr-soa-serial
	    The advertised zone SOA serial number to all clients.
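
Added example (not part of the F5 manual and not F5 code): a Python check that a DS record, such as one listed under seps or entered in external-delegations ds-records, matches its KSK DNSKEY, with one DS built per ds-algorithms value. It assumes the record strings use the standard RFC 4034 presentation format; SAMPLE_KSK and all function names are constructed for illustration.

```python
import base64
import hashlib

# DS digest type numbers for the two ds-algorithms values on this page.
DIGEST_TYPES = {"sha1": 1, "sha256": 2}
HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_dnskey(text):
    """'owner ttl IN DNSKEY flags proto alg key' -> (owner wire name, flags, alg, RDATA)."""
    f = text.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode("".join(f[i + 4:]))
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in f[0].lower().split(".") if l) + b"\x00"
    return wire, flags, alg, rdata

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i % 2 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def make_ds(dnskey_text, algorithms):
    """Build one DS string per configured hash algorithm (sha1, sha256)."""
    wire, _, alg, rdata = parse_dnskey(dnskey_text)
    head = "%s IN DS %d %d" % (dnskey_text.split()[0], key_tag(rdata), alg)
    return ["%s %d %s" % (head, DIGEST_TYPES[a], HASHES[DIGEST_TYPES[a]](wire + rdata).hexdigest().upper())
            for a in algorithms]

def check_ds(ds_text, dnskey_text):
    """Return findings for one DS record; an empty list means it matches the KSK."""
    wire, flags, alg, rdata = parse_dnskey(dnskey_text)
    f = ds_text.split()
    i = f.index("DS")
    tag, ds_alg, dtype = (int(x) for x in f[i + 1:i + 4])
    findings = []
    if not flags & 1:
        findings.append("DNSKEY has no SEP flag, so it is not a KSK")
    if (tag, ds_alg) != (key_tag(rdata), alg):
        findings.append("key tag or algorithm differs from the DNSKEY")
    if dtype not in HASHES:
        findings.append("unsupported digest type")
    elif HASHES[dtype](wire + rdata).hexdigest() != "".join(f[i + 4:]).lower():
        findings.append("digest does not match the DNSKEY")
    if dtype == 1:
        findings.append("SHA-1 digest type; also publish a sha256 DS")
    return findings

# Constructed sample KSK (not a real key): 64 counting bytes stand in for the public key.
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()
```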

SEE ALSO
       create, delete, edit, glob, list, modify, regex, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2009-2013, 2015-2016. All rights reserved.

BIG-IP						      2018-09-12			       ltm dns dnssec zone(1)