Configuring dnssec for gslb, Cache proxy mode, Configuring a zone for dnssec – Brocade Communications Systems ServerIron ADX 12.4.00 User Manual


ServerIron ADX Global Server Load Balancing Guide


53-1002437-01

DNSSEC


(IP address) are used in the signature. The TTLs of the individual resource records are not part of the
signed data, so that caches can decrement them as the records age. The RRSIG record instead carries the
original TTL of the RRset as part of the signed data, and a caching resolver is expected to cache a response
for no longer than the smaller of the two values (the smallest RR TTL in the RRset and the RRSIG record TTL).

Because neither the order of the records in an RRset nor their current TTLs affect the signature, the
ServerIron ADX can act on a DNSSEC response without re-signing it and without any key management of its own.

With DNSSEC, the additional record types (RRSIG, DNSKEY, NSEC, and so on) make a response much larger
than a plain DNS response. RFC 4035 requires DNSSEC-aware resolvers to support EDNS0 with a message size
of at least 1220 bytes and recommends 4000 bytes. The ServerIron ADX therefore supports DNS responses that
arrive as fragmented UDP datagrams or as multiple TCP segments.

The ServerIron ADX GSLB solution in DNS proxy mode transparently acts upon DNS responses.
If an ADNS real server or a zone is flagged for DNSSEC through configuration, additional
functionality such as accounting and real server selection is enabled. Zones can be tagged as DNSSEC ONLY
or DNSSEC CAPABLE, and real servers can be tagged as DNSSEC CAPABLE.

When some real servers are DNSSEC capable and some are not, all DNS requests that have the
DO (DNSSEC OK) bit set are sent to the DNSSEC capable servers, and the remaining requests are sent to the other servers.

When a zone is tagged as DNSSEC capable or DNSSEC only, requests for that zone are sent to
DNSSEC capable real servers, and requests for other zones are sent to the other real servers. Through
explicit configuration, plain DNS requests can instead be load balanced across all real servers.

If a zone is tagged as DNSSEC only, plain DNS requests (those without the DO bit set) for that zone are dropped.

Cache proxy mode

When a cache proxy policy is configured together with DNS proxy, the ServerIron ADX answers from
its cache, using data learned from out-of-band queries to the backend DNS servers. However, if a request has
the DO bit set and either a real server is tagged as DNSSEC capable or the zone is tagged for DNSSEC, the
ServerIron ADX forwards the request to the real server. If neither the zone nor the server is tagged for DNSSEC,
the existing behavior is retained and the ServerIron ADX responds directly from its cache.
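
The DO-bit, zone-tag and server-tag rules from the DNS proxy and cache proxy descriptions above, modelled in Python as an added example (this is not ServerIron ADX code). The zone tag values, the shape of the server list, the hand-built query packets and the fallback to all real servers when no DNSSEC capable server is configured are this example's own assumptions, not behaviour stated in the manual:

```python
"""Model of the DNS proxy / cache proxy DNSSEC dispatch rules.

Added example, not ServerIron ADX code. The zone tags ("capable", "only"), the
server list shape (name, dnssec-capable flag) and the fallbacks marked
"assumption" below are this example's own choices, not taken from the manual.
"""
import struct

# Constructed configuration mirroring the tags the manual describes.
ZONES = {"brocade.com": "capable", "secure.example": "only"}
SERVERS = [("dns_ns", True), ("dns_legacy", False)]   # (real server name, dnssec-capable)


def _encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, do_bit=False, qtype=1, udp_size=4096):
    """Constructed DNS query: header, one question and, when do_bit is set, an EDNS0 OPT RR."""
    arcount = 1 if do_bit else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)   # id, RD flag, counts
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    if do_bit:
        # OPT RR: root owner, type 41, CLASS holds the UDP payload size, the TTL field
        # holds extended rcode, version and flags; the DO bit is the top bit of flags.
        msg += b"\x00" + struct.pack("!HHBBHH", 41, udp_size, 0, 0, 0x8000, 0)
    return msg


def _read_name(buf, off, depth=0):
    """Decode a (possibly compressed) name at buf[off]; returns (name, offset after it)."""
    if depth > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(buf, ptr, depth + 1)
            return ".".join(x for x in labels + [tail] if x), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def parse_query(msg):
    """Return (qname, do_bit); the DO bit is read from the OPT RR in the additional section."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, do_bit = 12, "", False
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qname = qname or name
        off += 4                                   # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        _, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                            # OPT: flags are the low 16 bits of "TTL"
            do_bit = bool(ttl & 0x8000)
    return qname.lower(), do_bit


def zone_tag(qname, zones=ZONES):
    """Longest-suffix match of the query name against the configured zones (assumption)."""
    parts = qname.split(".")
    for i in range(len(parts)):
        tag = zones.get(".".join(parts[i:]))
        if tag:
            return tag
    return None


def dispatch(msg, zones=ZONES, servers=SERVERS, cache_proxy=False, plain_to_all=False):
    """Apply the DO-bit, zone-tag and server-tag rules; returns the action and target servers."""
    qname, do_bit = parse_query(msg)
    tag = zone_tag(qname, zones)
    capable = [n for n, c in servers if c]
    plain = [n for n, c in servers if not c]
    result = {"qname": qname, "do": do_bit, "servers": []}
    if tag == "only" and not do_bit:              # DNSSEC-only zone: plain queries are dropped
        return dict(result, action="drop")
    if cache_proxy and not (do_bit and (tag or capable)):
        return dict(result, action="cache")       # answered from the out-of-band cache
    if do_bit or tag:
        targets = capable or [n for n, _ in servers]   # assumption: fall back to all servers
    elif plain_to_all or not plain:
        targets = [n for n, _ in servers]          # explicit "plain requests to all servers"
    else:
        targets = plain
    return dict(result, action="forward", servers=targets)
```

A query for www.brocade.com is sent to dns_ns whether or not it carries the DO bit, because the zone is tagged; a plain query for an untagged name goes to dns_legacy, and a plain query for the DNSSEC-only zone is dropped. With cache_proxy set, only DO queries that involve a tagged zone or a DNSSEC capable server leave the box.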

Configuring DNSSEC for GSLB

The following sections describe how to configure a ServerIron ADX for DNSSEC.

Configuring a zone for DNSSEC

You can configure a zone for DNSSEC capable or DNSSEC only operation, as shown in the
following example:

ServerIron(config)# gslb dns zone-name brocade.com

ServerIron(config-gslb-dns-brocade.com)# dnssec-capable

Syntax: [no] dnssec-capable | dnssec-only

Configuring a backend ADNS server as DNSSEC capable

To configure a backend ADNS server as DNSSEC capable, use the following commands.

ServerIron(config)# server real-name dns_ns 209.157.23.46

ServerIron(config-rs-dns_ns)# port dns proxy

ServerIron(config-rs-dns_ns)# port dns dnssec-capable

Syntax: dnssec-capable
