This F5 deployment guide shows how to configure Authoritative DNSSEC signing for a zone in front of a pool of DNS servers, to sign responses from virtual servers in a global server load balancing configuration, or to do both in Authoritative Screening mode.
There are three main ways to configure the BIG-IP GTM system for DNSSEC shown in this guide.
- Authoritative Screening Mode
The Authoritative Screening architecture enables BIG-IP GTM to receive all DNS queries, managing very high-volume DNS by load balancing requests to a pool of DNS servers. Additionally, the Authoritative Screening architecture seamlessly provides all of the benefits of intelligent GSLB services.
- DNS Load Balancing
You can also use only the DNS load balancing components of screening mode to sign responses
from 3rd-party DNS servers. This saves time by using F5’s DNSSEC rather than signing the DNS
Delegation has been the traditional deployment method. This solution involves delegating a
specific subzone that contains all the GSLB elements of the DNS architecture. In this scenario, a
CNAME is used to redirect other names to one located in the delegated subzone. One drawback
with delegation mode is that the administrator is required to create a CNAME for all related DNS
The following diagram shows the Authoritative screening mode with DNS load balancing described in this guide.