This F5 deployment guide shows how to configure Authoritative DNSSEC signing for a zone in front of a pool of DNS servers, to sign responses from virtual servers in a global server load balancing configuration, or to do both in Authoritative Screening mode.

This guide shows three main ways to configure the BIG-IP GTM system for DNSSEC.

  • Authoritative Screening Mode
    The Authoritative Screening architecture enables BIG-IP GTM to receive all DNS queries, managing very high-volume DNS by load balancing requests to a pool of DNS servers. Additionally, the Authoritative Screening architecture seamlessly provides all of the benefits of intelligent GSLB services.
  • DNS Load Balancing
    You can also use only the DNS load balancing components of screening mode to sign responses from 3rd-party DNS servers. This saves time by using F5’s DNSSEC rather than signing the DNS zones manually.
  • Delegation
    Delegation has been the traditional deployment method. This solution involves delegating a specific subzone that contains all the GSLB elements of the DNS architecture. In this scenario, a CNAME is used to redirect other names to one located in the delegated subzone. One drawback with delegation mode is that the administrator is required to create a CNAME for all related DNS
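
The CNAME requirement of delegation mode can be checked mechanically. The following Python audit is an added example, not taken from the F5 guide: it reads a parent zone and reports whether each GSLB-managed name is a CNAME into the delegated subzone. The zone contents, the `gslb.example.com.` subzone, the addresses and the function names are all constructed for illustration.

```python
# Constructed parent-zone records for example.com.; names and addresses are made up.
ZONE = """\
gslb.example.com.      IN NS    gtm1.example.com.   ; subzone delegated to the GTMs
gslb.example.com.      IN NS    gtm2.example.com.
gtm1.example.com.      IN A     192.0.2.10
gtm2.example.com.      IN A     192.0.2.11
www.example.com.       IN CNAME www.gslb.example.com.
shop.example.com.      IN CNAME shop.cdn.example.net.
mail.example.com.      IN A     192.0.2.25
"""

def parse(zone_text):
    """Return (owner, type, rdata) tuples from 'owner IN type rdata' lines."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        records.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records

def in_zone(name, zone):
    """True if the fully qualified name is the zone itself or lies below it."""
    return name == zone or name.endswith("." + zone)

def audit(zone_text, apex, gslb_names):
    """Map each GSLB-managed name to 'ok' or the reason it is not served via the subzone."""
    records = parse(zone_text)
    apex = apex.lower()
    # Delegated subzones are NS owners strictly below the parent zone's apex.
    subzones = {o for o, t, _ in records
                if t == "NS" and o != apex and in_zone(o, apex)}
    result = {}
    for name in (n.lower() for n in gslb_names):
        targets = [r for o, t, r in records if o == name and t == "CNAME"]
        if not targets:
            result[name] = "missing CNAME"
        elif any(in_zone(targets[0], s) for s in subzones):
            result[name] = "ok"
        else:
            result[name] = "CNAME outside delegated subzone"
    return result

if __name__ == "__main__":
    names = ["www.example.com.", "shop.example.com.", "mail.example.com."]
    for name, status in audit(ZONE, "example.com.", names).items():
        print(f"{name:22} {status}")
```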

The following diagram shows the Authoritative Screening mode with DNS load balancing described in this guide.