F5BigDnsZone
Overview
DNS Express is an engine that enables the BIG-IP Next system to act as a high-speed, authoritative DNS server. With DNS Express configured, the BIG-IP Next system can answer DNS queries for a DNS zone and respond to zone transfer requests from specified DNS nameservers (clients). Additionally, zone transfer communications can be secured with TSIG keys.
CR Parameters
The following tables list and describe the F5BigDnsZone CR parameters.
Metadata
Parameter | Description |
---|---|
name | Specifies the name of the DNS zone that DNS Express serves (for example, example.net). The CR name is the zone name. |
namespace | Specifies the Kubernetes namespace in which the CR is created. |
spec
Parameter | Description |
---|---|
dnsxAllowNotifyFrom | Specifies the IP addresses from which the system accepts NOTIFY messages for the DNS Express zone. List the back-end authoritative nameserver (dnsxServer.address) here so that its NOTIFY messages are accepted. |
dnsxServer | Specifies the back-end authoritative nameserver from which the zone data is retrieved (by AXFR/IXFR) for DNS Express. |
dnsxServer.address | Specifies the IP address of the back-end authoritative nameserver. |
dnsxServer.port | Specifies the service port of the nameserver. The range is 0 to 65535; the default is 53. |
dnsxServer.tsigKey | Specifies the TSIG key shared with the nameserver. This parameter is optional and is configured only if the back-end authoritative nameserver is configured with TSIG. |
dnsxServer.tsigKey.name | Specifies the name of the TSIG key, which must match the nameserver configuration. Optional; configured only if the back-end authoritative nameserver is configured with TSIG. |
dnsxServer.tsigKey.algorithm | Specifies the algorithm that was used to generate the TSIG key. The value can be hmacmd5 (default), hmacsha1, or hmacsha256. Prefer hmacsha256: RFC 8945 requires HMAC-SHA256 support and deprecates HMAC-MD5. Optional; configured only if the back-end authoritative nameserver is configured with TSIG. |
dnsxServer.tsigKey.secret | Specifies the TSIG key secret (base64 text) generated by a compatible key generation tool. Optional; configured only if the back-end authoritative nameserver is configured with TSIG. |
clientNameServers | Specifies the DNS nameservers allowed to transfer the DNS zone from DNS Express. |
clientNameServers.address | Specifies the IP address of the client nameserver. Both IPv4 and IPv6 addresses are supported; the default is 127.0.0.1. |
clientNameServers.port | Specifies the service port of the client nameserver. The range is 0 to 65535; the default is 53. |
clientNameServers.tsigKey | Specifies the TSIG key shared with the client nameserver. The CNFs use this key to authenticate the client during zone transfer communications; without it, zone transfers to that client are authenticated by source address only. |
clientNameServers.tsigKey.name | Specifies the name of the TSIG key, which must match the client nameserver configuration. |
clientNameServers.tsigKey.algorithm | Specifies the algorithm that was used to generate the TSIG key. The value can be hmacmd5 (default), hmacsha1, or hmacsha256. Prefer hmacsha256 for the reason given above. |
clientNameServers.tsigKey.secret | Specifies the TSIG key secret (base64 text) generated by a compatible key generation tool. |
dnsxEnabled | Specifies whether DNS Express is enabled for the zone. The value can be True or False (default). |
dnsxNotifyAction | Specifies the action that the system takes when a NOTIFY message is received for the DNS Express zone. The value can be bypass, consume (default), or repeat. |
dnsxResponsePolicyZone | Specifies whether the DNS Express zone is treated as a DNS response policy zone. The value can be True or False (default). |
serverTsigKey | Specifies the TSIG key the system uses to sign requests forwarded to a pool of DNS servers. |
serverTsigKey.name | Specifies the name of the TSIG key, which must match the authoritative server configuration. |
serverTsigKey.algorithm | Specifies the algorithm that was used to generate this TSIG key. The value can be hmacmd5 (default), hmacsha1, or hmacsha256. Prefer hmacsha256. |
serverTsigKey.secret | Specifies the TSIG key secret (base64 text) generated by a compatible key generation tool. |
dnsxVerifyNotifyTsig | Specifies whether the system verifies the TSIG signature, and so the identity, of the authoritative nameserver that sends NOTIFY messages to the DNS Express zone. The value can be True (default) or False. Verification needs a shared key, so configure dnsxServer.tsigKey when this is True; with False, NOTIFY is trusted on its source address alone. |
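The tsigKey name, algorithm and secret must match on both ends because TSIG is a shared-key HMAC over the DNS message plus a few TSIG fields. The following Python is an added example, not code from F5 or the BIG-IP Next CNF project: it signs an AXFR query for example.net the way a client nameserver would and verifies it the way the receiving side does (the checks behind dnsxVerifyNotifyTsig and a clientNameServers tsigKey), returning False for an unknown key name, a key bound to a different algorithm, a timestamp outside the fudge window, or a tampered message. The key name transfer-key and the secret are constructed for the example.

```python
"""TSIG-signed AXFR request and its verification (RFC 8945).

Added example, not F5 code. The client signs its zone-transfer query with the
shared key; the server recomputes the HMAC over the same bytes and refuses on
mismatch. The key name and secret below are constructed for this example.
"""
import base64
import hashlib
import hmac
import struct
import time

# CR algorithm value -> (TSIG algorithm name on the wire, digest). hmacmd5 is the CR
# default but deprecated by RFC 8945; prefer hmacsha256.
ALGORITHMS = {
    "hmacmd5": ("hmac-md5.sig-alg.reg.int", hashlib.md5),
    "hmacsha1": ("hmac-sha1", hashlib.sha1),
    "hmacsha256": ("hmac-sha256", hashlib.sha256),
}
TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 252, 250, 1, 255
EXAMPLE_KEY_NAME = "transfer-key"                                    # constructed
EXAMPLE_SECRET = base64.b64encode(b"constructed demo secret, not for production").decode()


def _canon(name):
    return name.rstrip(".").lower()


def encode_name(name):
    """Uncompressed, lowercased wire-format name: the canonical form the MAC covers."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in _canon(name).split(".")) + b"\x00"


def build_axfr_query(zone, msg_id):
    """Unsigned AXFR query: 12-byte header with QDCOUNT=1, then one question."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def _tsig_variables(key_name, alg_name, time_signed, fudge, error=0, other=b""):
    """TSIG variables appended to the message before hashing (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg_name)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, algorithm, secret_b64, time_signed=None, fudge=300):
    """Client side: append a TSIG RR as the last additional record and bump ARCOUNT."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + _tsig_variables(key_name, alg_name, time_signed, fudge), digestmod).digest()
    rdata = (encode_name(alg_name) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # orig ID, NOERROR, no other data
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def _read_name(buf, pos):
    # Uncompressed name (TSIG names must not be compressed); returns (name, next position).
    labels = []
    while buf[pos]:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode("ascii"))
        pos += 1 + buf[pos]
    return ".".join(labels), pos + 1


def _skip_name(buf, pos):
    # Skip a possibly compressed name in the sections that precede the TSIG RR.
    while buf[pos]:
        if buf[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + buf[pos]
    return pos + 1


def tsig_verify(signed, keys, now=None):
    """Server side: keys maps key name -> (CR algorithm value, base64 secret). True only when
    the key is known, the algorithm matches, the timestamp is within fudge and the MAC checks out."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False                                                # unsigned message
    pos = 12
    for _ in range(qd):
        pos = _skip_name(signed, pos) + 4
    for _ in range(an + ns + ar - 1):                               # TSIG must be the last RR
        pos = _skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = _read_name(signed, pos)
    rtype = struct.unpack("!H", signed[pos:pos + 2])[0]
    pos += 10                                                       # type, class, ttl, rdlength
    alg_name, pos = _read_name(signed, pos)
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[pos + 6:pos + 10])
    mac = signed[pos + 10:pos + 10 + mac_size]
    pos += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    entry = {_canon(k): v for k, v in keys.items()}.get(_canon(key_name))
    if rtype != TYPE_TSIG or entry is None:                         # BADKEY
        return False
    algorithm, secret_b64 = entry
    if _canon(alg_name) != ALGORITHMS[algorithm][0]:                # key bound to another algorithm
        return False
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:                              # BADTIME
        return False
    # Rebuild exactly what the signer hashed: TSIG RR removed, ARCOUNT decremented, original ID restored.
    unsigned = struct.pack("!HHHHHH", orig_id, flags, qd, an, ns, ar - 1) + signed[12:tsig_start]
    expected = hmac.new(base64.b64decode(secret_b64),
                        unsigned + _tsig_variables(key_name, alg_name, time_signed, fudge, error, other),
                        ALGORITHMS[algorithm][1]).digest()
    return hmac.compare_digest(mac, expected)
```

The verifier recomputes the MAC from the message with the TSIG record stripped and ARCOUNT decremented, which is why a key name or secret that differs from the CR by a single character, or a clock more than fudge seconds off between the two nameservers, makes the transfer or NOTIFY fail with no other symptom than a TSIG error.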
Example CR
F5BigDnsZone
Following is an example configuration for the F5BigDnsZone CR:
```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigDnsZone
metadata:
  name: example.net
spec:
  dnsxAllowNotifyFrom: ["10.244.99.94"]
  dnsxServer:
    address: "10.244.99.94"
    port: 53
  dnsxEnabled: true
  dnsxNotifyAction: consume
  dnsxVerifyNotifyTsig: false
```
This example sets dnsxVerifyNotifyTsig to false and configures no TSIG keys, so NOTIFY messages from 10.244.99.94 are trusted on their source address alone, and it lists no clientNameServers, so no client nameserver is allowed to transfer the zone. For production, keep dnsxVerifyNotifyTsig at its default of true and configure dnsxServer.tsigKey with the key shared with the authoritative nameserver.
F5BigDnsApp
Following is an example configuration for the F5BigDnsApp CR, the DNS Express listener on which the zone is served:
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: dnsx-listener
spec:
  ipProtocol: "udp"
  destination:
    address: "11.11.11.56"
    ipv6Address: "2002::11:11:11:56"
  snat:
    type: "automap"
  dns:
    dnsExpressEnabled: true
    dnsZoneTransferEnabled: true
```
Note: DNS Express AXFR/IXFR transfer requests to the authoritative nameserver are done through Kubernetes network interface eth0.
Installation
Create a DNS Express listener. To create the listener, copy the following CR into a YAML file (dnsx_listener.yaml):
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: dnsx-app-listener
spec:
  destination:
    address: "11.11.11.166"
    port: 53
  ipProtocol: "udp"
  snat:
    type: "automap"
  dns:
    dnsExpressEnabled: true
    dnsZoneTransferEnabled: true
```
Install the DNS Express listener (F5BigDnsApp) CR. Run the following command:
oc apply -f dnsx_listener.yaml
Sample output
f5bigdnsapp.k8s.f5net.com/dnsx-app-listener created
The BIG-IP Controller logs indicate that the dnsx-app-listener listener is being added or updated.
Sample logs
"ts"="2025-02-07 07:31:53.120"|"l"="info"|"m"="Adding or Updating"|"lt"="A"|"CrKind"=""|"AppNS"="default"|"CrName"="dnsx-app-listener"|"v"="1.0"
Confirm that the CR was accepted and its configuration delivered:
oc get f5bigdnsapp.k8s.f5net.com/dnsx-app-listener
NAME                READY   MESSAGE                                AGE
dnsx-app-listener   True    CR config sent to all grpc endpoints   67s
Configure the also-notify field of the back-end authoritative nameserver (in BIND, the zone's also-notify option) with the IP address of the DNS Express listener, so that the authoritative nameserver sends NOTIFY to DNS Express when the zone changes.
Create a DNS Express zone. Copy the following CR into a YAML file (zone.yaml):
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsZone
metadata:
  name: example.net
  namespace: default
spec:
  dnsxAllowNotifyFrom: ["10.244.99.96"]   # back-end authoritative nameserver from which NOTIFY is accepted
  dnsxServer:
    address: "10.244.99.96"               # back-end authoritative nameserver
    port: 53
  clientNameServers:
    - address: "11.11.11.100"             # client for which BIG-IP acts as nameserver
  dnsxEnabled: true
  dnsxNotifyAction: consume
  dnsxResponsePolicyZone: false
  dnsxVerifyNotifyTsig: true
```
Apply the DNS Express zone (F5BigDnsZone) CR. Run the following command:
oc apply -f zone.yaml
Sample output
f5bigdnszone.k8s.f5net.com/example.net created
The BIG-IP Controller logs indicate that the example.net zone is being added or updated.
Sample logs
"ts"="2025-02-07 07:35:42.359"|"l"="info"|"m"="Adding or Updating"|"lt"="A"|"CrKind"=""|"AppNS"="default"|"CrName"="example.net"|"v"="1.0"
Confirm that the zone CR was accepted and its configuration delivered:
oc get f5bigdnszone.k8s.f5net.com/example.net
NAME          READY   MESSAGE                                AGE
example.net   True    CR config sent to all grpc endpoints   9s
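Before running the oc apply above, the zone CR can be checked against the rules in the parameter table. The following Python is an added example, not part of the BIG-IP Next CNF documentation or tooling: it lints a zone CR that has been parsed into a dict (PyYAML's yaml.safe_load of the file gives the same structure) for invalid values, a NOTIFY allow-list that omits the primary, weak HMAC algorithms, and NOTIFY or zone transfers that would run unauthenticated. The two sample CRs are constructed: one mirrors the installation example, the other adds TSIG on both sides with a placeholder secret.

```python
"""Pre-apply lint for an F5BigDnsZone CR (added example, not F5 tooling).

Encodes the cross-field rules from the parameter table and the TSIG caveats as
checks to run on the zone YAML before `oc apply`. Sample CRs are constructed;
addresses and the TSIG secret are placeholders.
"""
import ipaddress

VALID_ALGORITHMS = {"hmacmd5", "hmacsha1", "hmacsha256"}
WEAK_ALGORITHMS = {"hmacmd5", "hmacsha1"}           # deprecated / not recommended by RFC 8945
NOTIFY_ACTIONS = {"bypass", "consume", "repeat"}


def _check_address(path, addr, findings):
    try:
        ipaddress.ip_address(addr)
    except (TypeError, ValueError):
        findings.append(f"ERROR {path}: {addr!r} is not an IPv4 or IPv6 address")


def _check_port(path, port, findings):
    if isinstance(port, bool) or not isinstance(port, int) or not 0 <= port <= 65535:
        findings.append(f"ERROR {path}: port must be an integer 0-65535, got {port!r}")


def _check_tsig(path, tsig, findings):
    for field in ("name", "algorithm", "secret"):
        if not tsig.get(field):
            findings.append(f"ERROR {path}.{field}: required when a tsigKey is configured")
    alg = tsig.get("algorithm", "hmacmd5")          # the table's default
    if alg not in VALID_ALGORITHMS:
        findings.append(f"ERROR {path}.algorithm: {alg!r} is not one of {sorted(VALID_ALGORITHMS)}")
    elif alg in WEAK_ALGORITHMS:
        findings.append(f"WARN {path}.algorithm: {alg} is weak; use hmacsha256")


def lint_zone(cr):
    """Return 'ERROR ...' / 'WARN ...' strings; an empty list means the CR is clean."""
    findings, spec = [], cr.get("spec", {})
    if not cr.get("metadata", {}).get("name"):
        findings.append("ERROR metadata.name: the zone name is required")
    if spec.get("dnsxEnabled") is not True:
        findings.append("WARN spec.dnsxEnabled: not true, so DNS Express will not serve the zone")
    if spec.get("dnsxNotifyAction", "consume") not in NOTIFY_ACTIONS:
        findings.append(f"ERROR spec.dnsxNotifyAction: must be one of {sorted(NOTIFY_ACTIONS)}")
    allow = spec.get("dnsxAllowNotifyFrom", [])
    for i, addr in enumerate(allow):
        _check_address(f"spec.dnsxAllowNotifyFrom[{i}]", addr, findings)
    server = spec.get("dnsxServer")
    if not server:
        findings.append("ERROR spec.dnsxServer: the back-end authoritative nameserver is required")
    else:
        _check_address("spec.dnsxServer.address", server.get("address"), findings)
        _check_port("spec.dnsxServer.port", server.get("port", 53), findings)
        if server.get("address") not in allow:
            findings.append("WARN spec.dnsxAllowNotifyFrom: does not list dnsxServer.address, "
                            "so NOTIFY from the primary will not be accepted")
        if "tsigKey" in server:
            _check_tsig("spec.dnsxServer.tsigKey", server["tsigKey"], findings)
        if not spec.get("dnsxVerifyNotifyTsig", True):
            findings.append("WARN spec.dnsxVerifyNotifyTsig: false, so NOTIFY is trusted on source IP alone")
        elif "tsigKey" not in server:
            findings.append("WARN spec.dnsxServer.tsigKey: not set, so there is no shared key to verify NOTIFY with")
    for i, client in enumerate(spec.get("clientNameServers", [])):
        path = f"spec.clientNameServers[{i}]"
        _check_address(f"{path}.address", client.get("address", "127.0.0.1"), findings)
        _check_port(f"{path}.port", client.get("port", 53), findings)
        if "tsigKey" in client:
            _check_tsig(f"{path}.tsigKey", client["tsigKey"], findings)
        else:
            findings.append(f"WARN {path}: no tsigKey, so zone transfer to {client.get('address')} is unauthenticated")
    return findings


# Constructed: mirrors the installation example on this page (no TSIG anywhere).
ZONE_FROM_PAGE = {
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5BigDnsZone",
    "metadata": {"name": "example.net", "namespace": "default"},
    "spec": {"dnsxAllowNotifyFrom": ["10.244.99.96"],
             "dnsxServer": {"address": "10.244.99.96", "port": 53},
             "clientNameServers": [{"address": "11.11.11.100"}],
             "dnsxEnabled": True, "dnsxNotifyAction": "consume",
             "dnsxResponsePolicyZone": False, "dnsxVerifyNotifyTsig": True},
}
# Constructed: the same zone with a shared key on both the primary and the transfer client.
_KEY = {"name": "transfer-key", "algorithm": "hmacsha256", "secret": "<base64 from tsig-keygen>"}
ZONE_HARDENED = {
    "metadata": {"name": "example.net", "namespace": "default"},
    "spec": {"dnsxAllowNotifyFrom": ["10.244.99.96"],
             "dnsxServer": {"address": "10.244.99.96", "port": 53, "tsigKey": dict(_KEY, name="primary-key")},
             "clientNameServers": [{"address": "11.11.11.100", "port": 53, "tsigKey": _KEY}],
             "dnsxEnabled": True, "dnsxNotifyAction": "consume", "dnsxVerifyNotifyTsig": True},
}

if __name__ == "__main__":
    for label, cr in (("page example", ZONE_FROM_PAGE), ("hardened", ZONE_HARDENED)):
        print(label, *(lint_zone(cr) or ["clean"]), sep="\n  ")
```

Run against the installation example, the lint reports two warnings: dnsxVerifyNotifyTsig is true but dnsxServer has no tsigKey to verify with, and the client at 11.11.11.100 can transfer the zone without TSIG. Both disappear once the keys are configured on both ends as in the hardened sample.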
Feedback
To provide feedback and help improve this document, please email us at cnfdocs@f5.com.