June 17, 2016 We have a need to transfer our external view to an F5 GTM to handle our external DNS requests. So the F5 GTM would be a secondary. Has anyone done this before and if so could you give me some help?
June 17, 2016 On a device you configure as a secondary server for a zone (your F5 GTM), you can associate a TSIG key for each primary server to which the secondary server requests zone transfers. On the device you configure as a primary server for a zone, you can set a TSIG key at the grid, member, or zone level. When the secondary server requests zone transfers, it must send a specific key in its requests to the primary server. When the primary server responds to the requests, it can have a set of TSIG keys from which it can draw when responding. As long as the primary server can find the same TSIG key that the secondary sends it, it can verify the authenticity of the requests it receives and authenticate the responses it sends. TSIG is based on DNS specifications RFC 2845 (TSIG) and RFC 2930 (TKEY), which provide authentication protocol enhancements to secure server-to-server transactions.

Start by creating a Global Listener on your F5 GTM; it's usually a TCP and a UDP listener. Make sure you edit your DNS Profile the way you want it before you assign it to your Global Listener.

Next, configure ZoneRunner. Now that the listener is created and configured, you can use the ZoneRunner utility to manage your DNS zones and resource records. You can do several things with ZoneRunner, including:

- configuring a zone
- configuring the resource records that make up that zone
- configuring a view for access control
- configuring options in the named.conf file

I created a master zone and named it "dnstest.com" and then configured the SOA Record and NS Record details (TTL values, server names, etc.). I also created two A records (www.dnstest.com and ftp.dnstest.com) and associated IP addresses with each. After I created the zone, I configured the Named Configuration file to allow for zone transfer from the local host. You can view/modify the named.conf file directly from the GUI by navigating to Global Traffic >> ZoneRunner >> Named Configuration.

The named configuration file will also automatically update as you make changes in the other areas of the ZoneRunner utility, so you don't always have to configure it directly. In my case, I simply viewed the file to ensure the "allow-transfer localhost" was there... and it was! In a typical setup where you host zones external to the BIG-IP, you would have to add the following code to the zone file. In my case, I didn't have to add this code because I set up everything on the BIG-IP.

    zone "dnstest.com" {
        type master;
        file "var/lib/bind/dnstest.com.hosts";
        also-notify { 1.1.1.1; };    // where 1.1.1.1 is the listener address
        allow-transfer { 1.1.1.2; }; // where 1.1.1.2 is the self IP
    };
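The answer above describes TSIG-keyed transfers in prose but the named.conf snippet it shows only restricts allow-transfer by source IP, which an address spoofer or any host on that subnet can satisfy. As an added example (not from the original post, and not F5's or Infoblox's own configuration), here is the same zone declared on the primary and on the secondary with a shared TSIG key, so that the transfer is authenticated by the key rather than by the source address. All names, addresses and the key value are constructed placeholders: 192.0.2.10 stands for the primary's address, 192.0.2.20 for the secondary's listener, and the secret must be replaced with output from tsig-keygen.

```conf
// ---------- primary (the side that currently holds the zone) ----------

// Shared secret; generate a real one with: tsig-keygen -a hmac-sha256 xfer-key
// The secret below is a constructed placeholder, not a usable key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-TSIG-KEYGEN";
};

zone "dnstest.com" {
    type master;
    file "/var/lib/bind/dnstest.com.hosts";
    // Send NOTIFY to the secondary's listener so it pulls updates promptly.
    also-notify { 192.0.2.20; };
    // Weak form (what the post shows): any host at that address may transfer.
    //   allow-transfer { 192.0.2.20; };
    // Keyed form: only requests signed with xfer-key are answered, from any source.
    allow-transfer { key "xfer-key"; };
};

// ---------- secondary (the F5 GTM, or any BIND-compatible secondary) ----------

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-TSIG-KEYGEN";   // same secret as the primary
};

// Sign every query (AXFR/IXFR and SOA refresh checks) sent to the primary.
server 192.0.2.10 {
    keys { "xfer-key"; };
};

zone "dnstest.com" {
    type slave;
    file "dnstest.com.db";           // relative to the 'directory' option
    masters { 192.0.2.10; };
    // Only accept NOTIFY from the primary, not from arbitrary hosts.
    allow-notify { 192.0.2.10; };
};
```

To verify the primary enforces the key before cutting over, run an AXFR from the secondary both unsigned and signed, for example `dig @192.0.2.10 dnstest.com AXFR` (expected: "Transfer failed." / REFUSED) and `dig @192.0.2.10 dnstest.com AXFR -y hmac-sha256:xfer-key:<secret>` (expected: the full zone). A refused unsigned transfer showing up in the primary's logs is also a useful detection signal for anyone attempting to pull the zone without the key.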
June 17, 2016 Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens. Here is what it looks like: