This slideshow gives an overview of how F5's BIG-IP Application Delivery Controllers protect customers' DNS infrastructure against various attacks by implementing a unique dynamic security signing policy.
4. Need to meet US Government mandate for DNSSEC compliance
5. What is DNSSEC?
- DNS protocol extensions ensure the integrity of data returned by domain name lookups.
- Incorporates a “chain of trust” into the DNS hierarchy using public key cryptography (PKI). Each link in the chain consists of a public-private key pair.
- Provides origin authenticity, data integrity, and secure denial of existence.
- Origin authenticity: Resolvers can verify that data has originated from authoritative sources.
- Data integrity: Can also verify that responses are not modified in-flight.
- Secure denial of existence: When there is no data for a query, authoritative servers can provide a response that proves no data exists.
6. How Does DNSSEC Work?
- Each DNSSEC zone creates one or more public/private key pairs.
- The public portion is put in the DNSSEC record type DNSKEY.
- Zones sign all resource record sets (RRsets) with their private key(s), and resolvers use the DNSKEY(s) to verify those RRsets.
- Each RRset has a signature attached to it: the RRSIG.
- So, if a resolver has a zone’s DNSKEY(s), it can verify that RRsets are intact by verifying their RRSIGs.
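The check slide 6 describes, as an added example that is not part of the original slides: a zone signs an RRset with its private key, and a resolver verifies the RRSIG with the public key from the DNSKEY. It assumes algorithm 8 (RSA/SHA-256) and builds the signed data as RFC 4034 section 3.1.8.1 specifies; the toy key, TTL, timestamps, key tag and forged address are constructed, and the A record value is the one shown on slide 10.

```python
import hashlib
import struct

# Constructed toy RSA key built from two Mersenne primes so the example needs
# only the standard library. Illustration only; real zones use generated keys.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                               # public modulus (published in DNSKEY)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (kept by the zone)
K = (N.bit_length() + 7) // 8           # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def wire_name(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def signed_data(owner, rtype, ttl, rdatas, expire, incept, key_tag, signer):
    """RFC 4034 3.1.8.1 input: RRSIG RDATA minus signature, then sorted RRset."""
    nlabels = len([l for l in owner.split(".") if l])
    # Type covered, algorithm 8, labels, original TTL, expiration, inception, key tag.
    head = struct.pack("!HBBIIIH", rtype, 8, nlabels, ttl, expire, incept, key_tag)
    rrset = b"".join(  # owner | type | class IN | TTL | RDLENGTH | RDATA
        wire_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(r)) + r
        for r in sorted(rdatas))
    return head + wire_name(signer) + rrset

def emsa(data):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data), K bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(data):
    """Zone side: produce the RRSIG signature field with the private key."""
    return pow(int.from_bytes(emsa(data), "big"), D, N).to_bytes(K, "big")

def verify(data, sig):
    """Resolver side: check the signature with the public key (N, E)."""
    if len(sig) != K or int.from_bytes(sig, "big") >= N:
        return False
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big") == emsa(data)

# Constructed RRset: site.example.com A 172.16.124.1 (TTL, times, key tag made up).
META = dict(expire=1767225600, incept=1764547200, key_tag=12345, signer="example.com")
GOOD = signed_data("site.example.com", 1, 300, [bytes([172, 16, 124, 1])], **META)
FORGED = signed_data("site.example.com", 1, 300, [bytes([10, 0, 0, 66])], **META)
SIG = sign(GOOD)

if __name__ == "__main__":
    print("genuine:", verify(GOOD, SIG), "forged:", verify(FORGED, SIG))
```

A production validator additionally checks the RRSIG validity window against the current time and matches the key tag and signer name to a DNSKEY it already trusts.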
10. Drop-in DNSSEC Compliance
[Diagram labels: Example.com; site.example.com?; BIG-IP GTM; Existing DNS Servers; 172.16.124.1 + trusted SSL key]
BIG-IP Global Traffic Manager with DNSSEC
- Simple DNSSEC compliance
- Drop GTM in front of existing DNS servers
- GTM signs requests without changes to DNS configuration
11. Find Out More on DNSSEC
- Video: DNSSEC in Five Easy Steps
- Blog: It’s DNSSEC not DNSSUX
- Tech Tip: Configuring GTM’s DNS Security Extensions