Forum Discussion

Richard_H_12595's avatar
Richard_H_12595
Icon for Nimbostratus rankNimbostratus
Jun 01, 2014

GTM DNSSEC module and dotgov domains

Hi,

 

I am trying to get a .gov domain hosted by us on a GTM with the DNSSEC module configured and am running into issues getting it to pass the validation tests from the feds. They are wanting to see a DS record for the domain exist in the domain itself before they add it to the .gov parent domain. The problem I am finding is that the DNSSEC module removes this record even if it exists in the zone on the Bind server. So far I have tested this with Zonerunner, DNS express and using a DNS pool attached to the listener and in every case saw the same issue. After enabling DNSSEC I copy the DS record into the zone file itself and than if I query for the ds record direct from the bind server it's returned but if I query for it from the GTM it's not when I have DNSSEC enabled for that zone. If I disable DNSSEC on the zone I see the DS records returned by both so it seems like it's something inside the DNSSEC module itself.

 

Any suggestions or advise on how to handle this would be appreciated. We need the GTM DNSSEC module so that we can use the Wide IP features of the GTM's but we also are required to support DNSSEC on these domains.

 

Thanks,

 

  • You don't publish the DS record on your GTM. You provide the DS digest to dotgov for them to publish, along with the key tag, algorithm, digest type and expiration date.

     

    Other than creating the DNSSEC zone and applying the appropriate KSK and ZSKs to the zone, you don't need to publish anything special in DNS.

     

    Some good DNSSEC checking tools:

     

    dnsviz.net dnscheck.iis.se

     

  • Thanks, but that doesn't really help me.

     

    My problem is the dotgov register won't add the DS record to the .gov domain until a corresponding DS record exists in my domain. I know this isn't part of the RFC for DNSSEC but it's their rules and you either play by them or don't play at all. You can see this with a dig for DS records on any DNSSEC enabled .gov domain like dod.gov (see below) where the domain is responding for DS records pointing to itself. Whats I find odd is somewhere along the line F5 wrote specific code in to filter the DS record out of reply's when DNSSEC was enabled on a zone. I have found if I disable DNSSEC on a zone the F5 starts to return the DS record I have added to the backend Bind server but as soon as I enable it, it filters it out.

     

    dig -t DS dod.gov +multiline

     

    ; <<>> DiG 9.8.3-P1 <<>> -t DS dod.gov +multiline ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51489 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

     

    ;; QUESTION SECTION: ;dod.gov.IN DS

     

    ;; ANSWER SECTION: dod.gov.3600 INDS 48556 8 1 ( D8938B65509FDA7C2459DD98B4F421533786990E ) dod.gov.3600 INDS 48556 8 2 ( 53EE8C50B46706B12735F88467DDAA3F5AE82913CE78 7681A5C5C10F4B63B9A4 )

     

    ;; Query time: 21 msec ;; SERVER: X.X.X.X53(172.29.0.10) ;; WHEN: Mon Jun 2 19:21:38 2014 ;; MSG SIZE rcvd: 109

     

  • It can be confusing and until you don't approach it systematically it will be always back and forth. Divide your config between two saperate systems 1) your f5 device and 2) your DNS registrar. By mentioning dotgov.gov it is clear that you are a US Govt. civilian agency. Your DS signer record is held by dotgov.gov registrar and they have a website http://www.dotgov.gov/ which is serviced by GSA but managed by VeriSign. 1 - f5 GTM with DNSSEC module. Configure the ksk, zsk, create a zone, assign ksk and zsk to the zone. i.e. myagency.gov 2) You will notice that now myagency.gov is green under f5 gui. At this point if you are testing from internal network - you should be able to get DNSSEC responses - untrusted though. 3) Follow the sol article "SOL12981: Providing the DNSSEC DS record to the parent domain" follow the example absolutely as depicted - Now you are ready to provide this information to dotgov.gov registrar. Start with 1) login to http://www.dotgov.gov/ portal (You must be authorized previously by your agencies OCIO) 2) Browse to Manage domains, identify your domain, visit the section which suggest DS records. 3) there are only 2-3 fields or only Line 1 to be filled in, if you are only providing one key. 4) Cut and paste the information from the sol article - [ensure that there are no double quotes at the end of the cryptic string] 5) Now call dotgov.gov and enquire when is their replication schedule (which is every 4 hour) 6) now wait.. .untll that time, before you see any positive results. Don't use Chrome for testing - it caches and provides weird results - use IE instead for testing. Good Luck
  • I work for a federal government agency as well, and we're subject to the same processes. We have DNSSEC working for all of our domains and we don't publish DS records. The DS record is hosted by the parent, which in this case is dotgov.gov. If you are getting a response for a DS record for a .gov domain, it's likely coming from dotgov. Dotgov is probably saying they aren't finding a corresponding DNSKEY (vice a DS record) on your GTMs. Do you have your zones created with a KSK and ZSK assigned to them? If so, then there should be a DNSKEY in place.

     

    https://grepular.com/Understanding_DNSSEC

     

  • I can only tell you what the support person at the .gov register told us when we inquired into why we are getting Could not validate DNSKey/DS errors when we try to enter either a DS key data and DNSKEY data into their web site taken from the F5 GTM. We have three DNSKEY records that are returned when I query the zone all with corresponding RRSIG records in our domain so it looks like everything is in order to me.

     

    I have asked the dotgov register for more clarification on this requirement as I agree it's odd that I'm the first person who has experienced this.

     

  • Richard,

     

    Are you by chance the technical POC for your agency's account? The technical POC should have the ability to input all necessary info to the dotgov portal. You should be able to do most everything yourself and not have to rely on one of their technicians to assist you. We've really had hit or miss success when dealing with their email support folks in the past. Whenever we have a KSK rollover or add a new domain, our technical POC just logs in and adds/updates the appropriate information.