This F5 deployment guide shows how to configure Authoritative DNSSEC signing for a zone in front of a pool of DNS servers, to sign responses from virtual servers in a global server load balancing configuration, or to do both in Authoritative Screening mode.

This guide shows three main ways to configure the BIG-IP GTM system for DNSSEC:

  • Authoritative Screening Mode
    The Authoritative Screening architecture enables BIG-IP GTM to receive all DNS queries, managing very high-volume DNS by load balancing requests to a pool of DNS servers. Additionally, the Authoritative Screening architecture seamlessly provides all of the benefits of intelligent GSLB services.
  • DNS Load Balancing
    You can also use only the DNS load balancing components of screening mode to sign responses from 3rd-party DNS servers. This saves time by using F5’s DNSSEC rather than signing the DNS zones manually.
  • Delegation
    Delegation has been the traditional deployment method. This solution involves delegating a specific subzone that contains all the GSLB elements of the DNS architecture. In this scenario, a CNAME is used to redirect other names to one located in the delegated subzone. One drawback with delegation mode is that the administrator is required to create a CNAME for all related DNS

The following diagram shows the Authoritative screening mode with DNS load balancing described in this guide.
