K02439348: Creating or transferring DNS zone files using the ZoneRunner utility

Non-Diagnostic

Original Publication Date: Feb 1, 2018

Update Date: Nov 13, 2020

Topic

You should consider using these procedures under the following conditions:

You want to create or transfer DNS zone files using the ZoneRunner utility.

You want to modify DNS resource records using the ZoneRunner utility.

Description

The BIG-IP DNS system ZoneRunner utility allows you to manage the local BIND server configuration. The ZoneRunner utility allows you to create new zones or transfer existing zones from remote DNS servers. You can also add or modify resource records contained within a zone. After the DNS zone exists in local BIND, you can configure the BIG-IP DNS system to answer DNS name resolution requests or zone transfers to other name servers.

This article discusses how to manually create or transfer master- and slave-type zone files using the ZoneRunner utility. Prior to using the ZoneRunner utility, review the information in the following sections:

Note: F5 is working to eliminate exclusionary language in our products and documentation. For more information, refer to K34150231: Exclusionary language in F5 products and documentation.

Views

Zone creation

DNS Express

Views

Views allow you to create separate instances of zone files in the local BIND server configuration. Having separate views allows you to respond to DNS requests with information that is specific to that group's hosts, based on their IP addresses. For example, you can create two separate views for the example.com domain: internal-hosts and external-hosts. Requests arriving from IP addresses defined in the internal-hosts view receive DNS responses with private IP addresses and requests arriving from IP addresses defined in the external-hosts view receive DNS responses with public IP addresses. By default, the BIG-IP DNS system has a single view named external that responds to DNS requests from any IP subnet.

Zone creation

DNS zone file creation can be accomplished using one of three methods:

Manual: Requires that the zone file and all resource records be created manually.

Load From File: Loads a zone file using a BIND database file. The zone file can also be in the zone transfer format produced by utilities such as dig. The zone file must be accessible from your local workstation.

Transfer From Server: Transfers a zone file from a remote DNS server. The remote DNS server must be configured to allow zone transfers from the BIG-IP DNS system self IP address.

DNS Express

The local BIND instance is not optimized to answer large numbers of DNS resolution requests. Consider using the BIG-IP DNS Express engine, a high-speed and authoritative DNS server. You can configure DNS Express to transfer zone files from local BIND when a Nameserver object uses the default IP address 127.0.0.1. For more information, refer to the Configuring DNS Express section of the BIG-IP DNS Services: Implementations manual for your BIG-IP version.

Note: For information about how to locate F5 product manuals, refer to K98133564: Tips for searching AskF5 and finding product documentation.

Prerequisites

You must meet the following prerequisite to use these procedures:

You have administrative access to the BIG-IP DNS configuration utility.

Procedures

Creating a new view

Creating a master zone manually

Creating a master zone using an existing zone file

Transferring a master zone

Transferring a slave zone

Adding or modifying resource records

Creating a new view

The following procedures describe how to create a new view that responds to hosts residing on private IP address subnets. When creating new views, you can define multiple IP address subnets directly, or reference pre-defined filters that include multiple IP address subnets and that you can reuse across multiple views. To create and apply a pre-defined filter, perform both procedures. To add specific IP address subnets directly to the view, perform only the second procedure, Creating the view.

Creating a pre-defined filter

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP DNS Configuration utility.

2. Go to DNS > Zones > ZoneRunner > named Configuration.

3. In the Options box, scroll to the bottom and add a new pre-defined filter, using the following command syntax:

acl "<filter_name>" { <subnet>; <subnet>; };

For example, to add a new pre-defined filter named internal-hosts, which allows access from IP address subnets 192.168.10.0/24 and 10.10.0.0/16, enter the following command:

acl "internal-hosts" { 192.168.10.0/24; 10.10.0.0/16; };

4. Select Update.

Creating the view

Impact of procedure: Performing the following procedures should not have a negative impact on your system.

1. Log in to the BIG-IP DNS Configuration utility.

2. Go to DNS > Zones > ZoneRunner > View List.

3. Select Create.

4. For View Name, enter a unique identifier for this view. For example, internal-hosts.

5. For View Order, select the appropriate order option.

Note: IP addresses defined within multiple views may overlap. The View Order setting allows you to prioritize the view order as First, Last, or After.

6. For Options, use the following command syntax:

match-clients { <subnet>; <subnet>; };

For example, to define IP address subnets 192.168.10.0/24 and 10.10.0.0/16, enter the following command:

match-clients { 192.168.10.0/24; 10.10.0.0/16; };

For example, to use a pre-defined filter named internal-hosts, enter the following command:

match-clients { "internal-hosts"; };

For example, to use a pre-defined filter named internal-hosts and define IP address subnet 192.168.10.0/24, enter the following command:

match-clients { "internal-hosts"; 192.168.10.0/24; };

7. Select Update.
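Views are matched in the order set by View Order, and the first view whose match-clients list covers the client's source address answers the query, so an overly broad view placed first shadows the views after it. The following added example (not part of the original article, and not BIND's own implementation) resolves the acl and match-clients fragments shown above for a given client address; it handles subnets, any, none and quoted acl names, but not the ! negation or the built-in localhost and localnets lists.

```python
import ipaddress
import re

# Constructed fragments in the syntax shown above, using the article's example values;
# the resolver below is an added example, not BIND's own implementation.
SAMPLE_ACLS = 'acl "internal-hosts" { 192.168.10.0/24; 10.10.0.0/16; };'
# (view name, match-clients statement) in the order they appear in the View List.
SAMPLE_VIEWS = [
    ("internal-hosts", 'match-clients { "internal-hosts"; };'),
    ("external", "match-clients { any; };"),
]

ACL_RE = re.compile(r'acl\s+"([^"]+)"\s*\{([^}]*)\}\s*;')
CLIENTS_RE = re.compile(r'match-clients\s*\{([^}]*)\}\s*;')

def parse_acls(text):
    """Return {acl name: [element, ...]} from the acl statements in text."""
    return {name: [e.strip() for e in body.split(";") if e.strip()]
            for name, body in ACL_RE.findall(text)}

def matches(element, client, acls):
    """True if an element (subnet, any, none, or a quoted acl name) covers client."""
    element = element.strip('"')
    if element == "any":
        return True
    if element == "none":
        return False
    if element in acls:  # acl names expand recursively
        return any(matches(e, client, acls) for e in acls[element])
    return client in ipaddress.ip_network(element, strict=False)

def select_view(client_ip, views, acl_text):
    """Return the first view whose match-clients covers client_ip, or None."""
    acls = parse_acls(acl_text)
    client = ipaddress.ip_address(client_ip)
    for name, statement in views:
        m = CLIENTS_RE.search(statement)
        elements = [e.strip() for e in m.group(1).split(";") if e.strip()] if m else []
        if any(matches(e, client, acls) for e in elements):
            return name
    return None
```

Reversing SAMPLE_VIEWS shows the View Order effect: with external first, its any entry also claims the 192.168.10.0/24 clients.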

Creating a master zone manually

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

After you determine the appropriate view for the remote DNS clients, use the following procedure to manually create a new master zone for the example.com domain. If you are unfamiliar with DNS start of authority (SOA) or name server (NS) record settings, review the following tables.

SOA record settings (setting, description, example):

TTL: The time-to-live (TTL) value in seconds for which the SOA record may be cached. This value is applied to all resource records within the zone that do not have a TTL. If you make frequent changes to resource records, consider a lower setting such as 3600 seconds, or 1 hour. If you make infrequent changes, consider a higher setting such as 86400 seconds, or 1 day. Example: 3600

Master Server: The host name of the server that responds authoritatively for the domain. Example: ns1.example.com

Email Contact: The email address for the administrator of the zone. The syntax replaces the at sign (@) with the period (.) because the at sign has other uses in the zone file. Example: dnsadmin.example.com

Serial Number: The serial number format is YYYYMMDDNN, where Y is the year, M is the month, D is the day and N is a sequential number. A new number is generated when a new zone is created and increments with each zone data update. Example: 2018010150

Refresh Interval: The time at which a slave server contacts the master server to refresh the zone data. If you make frequent changes to resource records, consider a lower setting such as 3600 seconds, or one hour. If you do not make frequent changes or rely on NOTIFY messages, consider a higher setting such as 86400 seconds, or one day. The default value is 10800 seconds, or three hours. Example: 10800

Retry Interval: The time between retries when a slave server fails to contact the master server. Slave servers attempt to refresh zone information after the configured refresh interval or when a NOTIFY message is received. A low value would be 180 seconds, or three minutes, and a higher value would be 1800 seconds, or 30 minutes. The default value is 3600 seconds, or 1 hour. Example: 3600

Expire: When zone data is no longer authoritative. Used by slave servers only: slave servers stop responding authoritatively to queries for zone information once the expire interval has elapsed. The default value is 604800 seconds, or 7 days. Example: 604800

Negative TTL: This value refers to the negative caching time, or the time a NAME ERROR (NXDOMAIN) result may be cached. The default setting is 86400 seconds, or 1 day. Example: 86400

NS record settings (setting, description, example):

TTL: The time-to-live (TTL) in seconds that the NS resource record may be cached. If you make frequent changes to resource records, consider a lower setting such as 3600 seconds, or 1 hour. If you make infrequent changes, consider a higher setting such as 86400 seconds, or 1 day. Example: 3600

Name Server: The host name of the server that responds authoritatively for the domain. This should be the same host name used for the master server, defined in the SOA record. Example: ns1.example.com

1. Log in to the BIG-IP DNS Configuration utility.

2. Go to DNS > Zones > ZoneRunner > Zone List.

3. Select Create.

4. Under General Properties, for View Name, select the appropriate view.

5. For Zone Name, enter the DNS domain name for the zone, ending it with a period. For example, example.com.

6. For Zone Type, select Master.

7. Under Configuration, for Records Creation Method, select Manual.

8. Under Records Creation, for SOA Record, define the following settings: TTL, Master Server, Email Contact, Serial Number, Refresh Interval, Retry Interval, Expire, and Negative TTL.

9. For NS Record, define the following settings: TTL and Nameserver.

10. For Create A Record, select the Enable check box.

11. For A Record, enter the IP address for the Nameserver you defined in step 9.

12. Select Finished.

Creating a master zone using an existing zone file

You can create a master zone using an existing zone file. This method reduces the need to manually create each resource record and speeds up the creation process if the zone has many resource records. The ZoneRunner utility accepts a zone file that is in the BIND database file format. It also accepts a zone file in the DNS zone transfer format, which you can obtain using the zone transfer option (axfr) of DNS utilities such as dig. Before performing the procedure, you must ensure the desired zone file resides on the workstation you use to access the BIG-IP DNS Configuration utility.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP DNS Configuration utility.

2. Go to DNS > Zones > ZoneRunner > Zone List.

3. Select Create.

4. Under General Properties, for View Name, select the appropriate view.

5. For Zone Name, enter the DNS domain name for the zone, ending it with a period. For example, example.com.

6. For Zone Type, select Master.

7. Under Configuration, for Records Creation Method, select Load From File.

8. Under Records Creation, for Upload Records File, select Choose File; in the file selection box, go to the location of the zone file, select the desired zone file, and select Open.

9. Select Finished.
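Whether you enter the SOA settings by hand (previous procedure) or upload a BIND database file (this procedure), the values should follow the rules in the SOA table above before the zone goes live. The following added example (not from the original article, and not an F5 utility) parses the SOA from a zone file in the layout shown in its constructed sample, checks the YYYYMMDDNN serial and the refresh, retry and expire relationships, and computes the next serial for a zone data update.

```python
from datetime import date

# Constructed sample in BIND database format using the SOA example values above; not from the article.
SAMPLE_ZONE = """\
example.com. IN SOA ns1.example.com. dnsadmin.example.com. (
    2018010150 ; serial, YYYYMMDDNN
    10800      ; refresh
    3600       ; retry
    604800     ; expire
    86400 )    ; negative TTL
example.com. IN NS ns1.example.com.
"""
SOA_FIELDS = ["mname", "rname", "serial", "refresh", "retry", "expire", "minimum"]

def records(text):
    """Yield one token list per record: ';' comments dropped, '( ... )' lines joined."""
    buf = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        buf += [line] if line else []
        joined = " ".join(buf)
        if buf and joined.count("(") == joined.count(")"):
            buf = []
            yield joined.replace("(", " ").replace(")", " ").split()

def parse_soa(text):
    """Return the SOA as a dict, assuming the '<owner> IN SOA <rdata>' layout of the sample."""
    for tok in records(text):
        if len(tok) >= 10 and tok[2] == "SOA":
            values = tok[3:5] + [int(v) for v in tok[5:10]]
            return dict(zip(SOA_FIELDS, values), owner=tok[0])
    return None

def check_soa(text):
    """Return the problems to fix before uploading the file; empty means it passed."""
    soa = parse_soa(text)
    if soa is None:
        return ["no SOA record found"]
    problems, s = [], str(soa["serial"])
    try:
        dated = len(s) == 10 and bool(date(int(s[:4]), int(s[4:6]), int(s[6:8])))
    except ValueError:
        dated = False
    if not dated:
        problems.append("serial %s does not follow YYYYMMDDNN" % s)
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry interval should be shorter than refresh interval")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        problems.append("expire should outlast refresh plus retry")
    return problems

def next_serial(current, today=None):
    """Next YYYYMMDDNN serial: today's date with NN=00, or current+1 if already today."""
    base = int((today or date.today()).strftime("%Y%m%d")) * 100
    return current + 1 if current >= base else base
```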

Transferring a master zone file

To perform this procedure, you need the DNS domain name of the zone to transfer and the IP address of the remote DNS server that holds the zone file copy.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP DNS Configuration utility.

2. Go to DNS > Zones > ZoneRunner > Zone List.

3. Select Create.

4. Under General Properties, for View Name, select the appropriate view.

5. For Zone Name, enter the DNS domain name for the zone, ending it with a period. For example, example.com.

6. For Zone Type, select Master.

7. Under Configuration, for Records Creation Method, select Transfer From Server.

8. Under Records Creation, for Source Server, enter the IP address of the remote DNS server.

9. Select Finished.

Transferring a slave zone file

To perform the following procedures, you need the DNS domain name of the zone and the IP address of the remote DNS server with the zone copy to transfer. If a transaction signature (TSIG) key is required, perform both of the following procedures. If no TSIG key is required, perform only the second procedure, Transferring the zone file.

Note: It is easier to transfer the zone directly into DNS Express. For more information, refer to the DNS Express section in the introduction to this article.

Adding the TSIG key

Perform the following procedure to add and reference the remote DNS server's TSIG key on the BIG-IP DNS system. This procedure requires access to the Advanced Shell (bash).

Impact of procedure: The steps in this procedure are very sensitive, and the ZoneRunner daemon (zrd) enters a restart loop if it encounters a typographical error. If this occurs, you can stop the restart messages from displaying in the shell by entering bigstart stop zrd into bash. After you correct the typographical error, enter bigstart start zrd into bash to restart the zrd process.

1. Log in to bash.

2. Using a text editor, create and open a new file named tsig.key in the /var/named/config directory.

For example, to use vi editor to create a new file named tsig.key in the /var/named/config directory, enter the following command:

vi /var/named/config/tsig.key

3. To add the remote DNS server TSIG key, use the following configuration syntax:

key "<key_name>" { algorithm <algorithm>; secret "<secret>"; };

For example, to add a remote server's TSIG key named example using the hmac-md5 algorithm and secret string 5qBubDia3OPogiFpD5qr7nCwNz+qJBaZVbD7Cu3PEKs=, enter the following configuration:

key "example" { algorithm hmac-md5; secret "5qBubDia3OPogiFpD5qr7nCwNz+qJBaZVbD7Cu3PEKs="; };

4. Save the tsig.key file.

5. To create the necessary symbolic link to the tsig.key file in the /config directory, enter the following command:

ln -s /var/named/config/tsig.key /config/tsig.key

6. To set the correct owner for the tsig.key file, enter the following command:

chown named:named /var/named/config/tsig.key

7. Using a text editor, open the /var/named/config/named.conf file for editing.

For example, to use vi editor to edit the /var/named/config/named.conf file, enter the following command:

vi /var/named/config/named.conf

8. Add the following include statement to the top of the named.conf file, below the first two comments in the file:

Note: Comments in the file are indicated with a number sign (#).

include "/config/tsig.key";

9. Save the file.
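Because a typographical error in tsig.key sends zrd into the restart loop described in the Impact of procedure note above, it is worth validating the key statement before saving it. The following added example (not from the original article, and not an F5 or BIND tool) checks the key statement syntax, the algorithm name and the base64 secret, and also checks that a masters statement of the form used in the Transferring the zone file procedure below references a key that the file defines; the sample inputs reuse the article's example values.

```python
import base64
import ipaddress
import re

# Constructed inputs using the article's example values (key name "example", hmac-md5, the
# secret string, and the masters statement); this checker is an added example, not an F5 tool.
SAMPLE_KEY_FILE = 'key "example" { algorithm hmac-md5; secret "5qBubDia3OPogiFpD5qr7nCwNz+qJBaZVbD7Cu3PEKs="; };'
SAMPLE_MASTERS = "masters { 192.168.10.200 port 53 key example; };"

# HMAC algorithms BIND accepts in a key statement; hmac-md5 is the one the article's example uses.
ALGORITHMS = {"hmac-md5", "hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", "hmac-sha512"}

KEY_RE = re.compile(r'key\s+"([^"\s]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]*)"\s*;\s*\}\s*;')
MASTERS_RE = re.compile(r'masters\s*\{\s*([\d.:a-fA-F]+)(?:\s+port\s+(\d+))?(?:\s+key\s+"?([\w.-]+)"?)?\s*;\s*\}\s*;')

def check_key_file(text):
    """Return (defined key names, problems) for a tsig.key file; empty problems means safe to save."""
    names, problems = [], []
    for name, alg, secret in KEY_RE.findall(text):
        names.append(name)
        if alg.lower() not in ALGORITHMS:
            problems.append("key %s: unknown algorithm %s" % (name, alg))
        try:
            if not base64.b64decode(secret, validate=True):
                problems.append("key %s: secret is empty" % name)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("key %s: secret is not valid base64" % name)
    if not names:  # a typo here is what sends zrd into the restart loop described above
        problems.append('no statement matches key "<name>" { algorithm <alg>; secret "<base64>"; };')
    return names, problems

def check_masters(text, defined_keys):
    """Check the masters statement of a slave zone against the keys defined in tsig.key."""
    m = MASTERS_RE.fullmatch(text.strip())
    if not m:
        return ["statement does not match masters { <ip> port <port> key <name>; };"]
    problems = []
    try:
        ipaddress.ip_address(m.group(1))
    except ValueError:
        problems.append("%s is not a valid IP address" % m.group(1))
    if m.group(2) is not None and not 0 < int(m.group(2)) < 65536:
        problems.append("port %s is out of range" % m.group(2))
    if m.group(3) is not None and m.group(3) not in defined_keys:
        problems.append("key %s is not defined in tsig.key" % m.group(3))
    return problems
```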

Transferring the zone file

Perform the following procedure to transfer the slave zone file from the remote DNS server.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP DNS Configuration utility.

2. Go to DNS > Zones > ZoneRunner > Zone List.

3. Select Create.

4. For View Name, select the appropriate view.

5. For Zone Name, enter the DNS domain name for the zone, ending it with a period. For example, example.com.

6. For Zone Type, select Slave.

7. Under Configuration, for Options, enter the command syntax as appropriate for your configuration:

To transfer the slave zone file from a remote DNS server without a TSIG key, use the following command syntax:

masters { <ip_address> port <port>; };

For example, to transfer a slave zone file from a remote DNS server using IP address 192.168.10.200 and service port 53, enter the following command:

masters { 192.168.10.200 port 53; };

To transfer the slave zone file from a remote DNS server with a TSIG key, use the following command syntax:

masters { <ip_address> port <port> key <key_name>; };

For example, to transfer a slave zone file from a remote DNS server using IP address 192.168.10.200, service port 53, and a TSIG key named example, enter the following command:

masters { 192.168.10.200 port 53 key example; };

8. Select Finished.

Adding or modifying resource records

After you create a new zone, you can use the following procedure to manually add records to the zone file or modify resource records currently in the zone file.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP DNS Configuration utility.

2. Go to DNS > Zones > ZoneRunner > Zone List.

3. Under Zone Name, select the name of the zone you want to modify.

4. On the zone Properties page, select the Resource Records tab.

5. Under Find Records, select Create.

6. In the Name box, add the appropriate DNS suffix to the domain name. For example, ldap.example.com.

7. In the TTL box, enter the appropriate TTL value in seconds. For example, 3600.

8. In the Type list, select the appropriate resource record type. For example, to create an address record, select A.

The Record Configuration list expands with appropriate options for that record type.

9. In the IP Address box, enter the IP address of the address record. For example, 192.168.10.125.

10. Select Finished.

A list of resource records appears under Find Records. If you need to modify a record, select the record name to open its properties.

Supplemental Information

K14421: Achieving split DNS behavior through BIG-IP DNS wide IPs

K6963: Managing the BIG-IP BIND configuration file

K277: Delegating a subdomain to a BIG-IP DNS or BIG-IP Link Controller system from another DNS server

K34150459: Delegating a subdomain to a remote DNS name server from the BIG-IP DNS system

K7032: Freezing zone files to allow manual update to ZoneRunner-managed zone files

Applies to:

Product: BIG-IP, BIG-IP DNS 15.X.X, 14.X.X, 13.X.X, 12.X.X