DNSSEC (BIG-IP v10.x: GTM)

This F5 deployment guide shows how to configure Authoritative DNSSEC signing for a zone in front of a pool of DNS servers, to sign responses from virtual servers in a global server load balancing configuration, or to do both in Authoritative Screening mode.

There are three main ways to configure the BIG-IP GTM system for DNSSEC shown in this guide. 

• Authoritative Screening Mode
  The Authoritative Screening architecture enables BIG-IP GTM to receive all DNS queries, managing very high-volume DNS by load balancing requests to a pool of DNS servers. Additionally, the Authoritative Screening architecture seamlessly provides all of the benefits of intelligent GSLB services.
• DNS Load Balancing
  You can also use only the DNS load balancing components of screening mode to sign responses
  from 3rd-party DNS servers. This saves time by using F5’s DNSSEC rather than signing the DNS
  zones manually.
• Delegation
  Delegation has been the traditional deployment method. This solution involves delegating a
  specific subzone that contains all the GSLB elements of the DNS architecture. In this scenario, a
  CNAME is used to redirect other names to one located in the delegated subzone. One drawback
  with delegation mode is that the administrator is required to create a CNAME for all related DNS
  records.

The following diagram shows the Authoritative screening mode with DNS load balancing described in this guide.