nerdexam
F5

101 · Question #224

GTM can sign a DNS response using DNSSEC only if the DNS request ?GTM can sign a DNS response using DNSSEC only if the DNS request

The correct answer is B. is a part of a DNSSEC zone.. GTM can only apply DNSSEC signing to a DNS response when the queried name belongs to a zone that has been configured and enabled for DNSSEC on the GTM.

Section 4: Security Basics

Question

GTM can sign a DNS response using DNSSEC only if the DNS request ?GTM can sign a DNS response using DNSSEC only if the DNS request

Options

  • Ahas the S?bit set. has the ?S?bit set.
  • Bis a part of a DNSSEC zone.
  • Cis for a WideIP name on the GTM.
  • Dis answered by BIND running on the GTM.

How the community answered

(47 responses)
  • A
    2% (1)
  • B
    96% (45)
  • D
    2% (1)

Why each option

GTM can only apply DNSSEC signing to a DNS response when the queried name belongs to a zone that has been configured and enabled for DNSSEC on the GTM.

Ahas the S?bit set. has the ?S?bit set.

There is no 'S-bit' in standard DNS request headers; the relevant optional signal is the DO (DNSSEC OK) bit in the EDNS0 OPT record, and even that is not the condition that governs whether GTM signs a response.

Bis a part of a DNSSEC zone.Correct

DNSSEC signing is a zone-level function; the GTM can cryptographically sign responses only for queries that fall within a zone that has DNSSEC enabled and has signing keys configured. Zone membership is the controlling condition because the signing keys and chain of trust are established per zone, not per individual record or request flag.

Cis for a WideIP name on the GTM.

A name being configured as a WideIP on the GTM alone does not enable DNSSEC signing; the zone containing that name must separately have DNSSEC enabled with valid signing keys.

Dis answered by BIND running on the GTM.

BIND running on the GTM is not a prerequisite for DNSSEC signing; GTM's native DNS and DNS Express features can handle DNSSEC independently of which process answers the query.

Concept tested: F5 GTM DNSSEC zone-based response signing condition

Source: https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-dns-implementations/signing-zones-with-dnssec.html

Topics

#DNSSEC#GTM#DNS security#zone signing

Community Discussion

No community discussion yet for this question.

Full 101 Practice