Forum Discussion
JimW_156953
Jun 03, 2014 (Nimbostratus)
It can be confusing, and until you approach it systematically it will always be back and forth. Divide your config between two separate systems: 1) your F5 device and 2) your DNS registrar. By mentioning dotgov.gov it is clear that you are a US Govt. civilian agency. Your DS signer record is held by the dotgov.gov registrar, and they have a website http://www.dotgov.gov/ which is serviced by GSA but managed by VeriSign.

On the F5 side:
1) F5 GTM with DNSSEC module. Configure the KSK and ZSK, create a zone (i.e. myagency.gov), and assign the KSK and ZSK to the zone.
2) You will notice that now myagency.gov is green under the F5 GUI. At this point, if you are testing from the internal network, you should be able to get DNSSEC responses (untrusted though).
3) Follow the SOL article "SOL12981: Providing the DNSSEC DS record to the parent domain". Follow the example absolutely as depicted. Now you are ready to provide this information to the dotgov.gov registrar.

On the registrar side:
1) Log in to the http://www.dotgov.gov/ portal (you must have been authorized previously by your agency's OCIO).
2) Browse to Manage domains, identify your domain, and visit the section which suggests DS records.
3) There are only 2-3 fields, or only Line 1 to be filled in if you are only providing one key.
4) Cut and paste the information from the SOL article [ensure that there are no double quotes at the end of the cryptic string].
5) Now call dotgov.gov and enquire what their replication schedule is (which is every 4 hours).
6) Now wait... until that time, before you see any positive results.

Don't use Chrome for testing, it caches and provides weird results; use IE instead for testing.
Good Luck
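Before the DS value is pasted into the registrar form (step 4 above), it is worth confirming that it really matches the zone's KSK. The following is an added example, not code from the post or from F5: it rebuilds a DS record from a DNSKEY line (as `dig DNSKEY` or the GTM output would show it) per RFC 4034 and compares it with the DS line you intend to submit, ignoring any stray double quotes. The zone name and the short public key are constructed sample values.

```python
"""Check that a DS record matches a zone's KSK DNSKEY (RFC 4034)."""
import base64
import hashlib
import struct


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag from DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(name: str, flags: int, algorithm: int, pubkey: bytes, digest_type: int = 2) -> dict:
    """Build the DS fields: digest is over owner name (wire form) + DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, 3, algorithm) + pubkey  # protocol is always 3
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(name) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def parse_dnskey_line(line: str) -> tuple:
    """Parse 'name [ttl] [IN] DNSKEY flags proto alg base64...' (dig / GTM style)."""
    fields = line.replace('"', "").split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, proto, alg, pubkey


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """True when the DS line (as it would be typed into the registrar form) matches the DNSKEY."""
    fields = ds_line.replace('"', "").split()  # stray quotes would break the registrar entry
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    digest = "".join(fields[idx + 4:]).upper()
    name, flags, _, kalg, pub = parse_dnskey_line(dnskey_line)
    want = ds_from_dnskey(name, flags, kalg, pub, dtype)
    return (want["key_tag"], want["algorithm"], want["digest"]) == (tag, alg, digest)


if __name__ == "__main__":
    # Constructed sample KSK (flags 257, RSASHA256) for a placeholder zone; not a real key.
    ksk = "myagency.gov. 3600 IN DNSKEY 257 3 8 AQIDBA=="
    ds = ds_from_dnskey("myagency.gov.", 257, 8, b"\x01\x02\x03\x04")
    print("myagency.gov. IN DS %d %d %d %s" % (ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"]))
    print("matches:", ds_matches('myagency.gov. IN DS 2063 8 2 "%s"' % ds["digest"], ksk))
```

Paste the real DNSKEY line from your GTM and the DS line the SOL article produced; if `ds_matches` is False, the key tag, algorithm or digest you are about to submit does not belong to the published KSK.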