Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

DNSSEC Key Signing Key and Zone Signing Key Synchronization to GEO Partners

 

Information

 

Summary:

When using LoadMaster's GEO DNSSEC feature, the Zone Signing Key (ZSK) is generated on the LoadMaster but can it be synchronized between all LoadMaster GEO partners?

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Any

Question/Problem Description:

Can the Key Signing Key (KSK) and Zone Signing Key (ZSK) be synchronized between all LoadMaster GEO partners? The KSK and ZSK cannot currently be synchronized with the general GEO configuration over Partners. It is possible to manually generate a KSK externally to LoadMaster and then upload this same KSK to all LoadMaster GEO Partners manually.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: However, for the ZSK, this is generated independently on each LoadMaster once DNSSEC has been enabled. Since this ZSK is different on each LoadMaster, this can lead to signature validation errors on the DNS server. For example, the first DNS request for the A record and RRSIG can go to GEO LM#1 and then the subsequent request for the ZSK and signature can go to GEO LM#2 if the DNS server is round-robining these requests across the multiple NS delegated GEO LoadMasters.
Resolution:  
Workaround: One workaround would be to ensure the DNS server is not round-robining the multiple requests for the A record and ZSK, but instead is sending all requests to the first NS delegated GEO LoadMaster. This will ensure the signature and key always match.
Notes:

For requesting a new feature enhancement on the LoadMaster to change how it handles the synchronization of the DNSSEC keys, please submit an Idea below:

https://kemp.ideas.aha.io/ideas


Was this article helpful?
0 out of 0 found this helpful

Comments