Manage DNS Zone

Published April 5, 2023 | Last modified November 14, 2025

Objective

This guide provides instructions on how to set up primary and secondary Domain Name System (DNS) zones and associated DNS service for your applications using F5® Distributed Cloud Services. A DNS zone is a distinct division or subdivision of domain namespace that is managed by an entity such as an organization. A DNS zone allows you to exercise granular control on the components such as name servers which hold the DNS records for the domain namespace represented by the zone.

Using this service, you can set up zones for your primary and secondary DNS servers and configure encrypted connection between them for record synchronization.

Prerequisites

The following prerequisites apply:

  • A Distributed Cloud Services Account. If you do not have an account, see Getting Started with Console.

  • A DNS domain for your web application. Obtain a domain from the Internet domain registrar.

  • Name servers for managing your DNS records.

  • To ensure that zone transfers are successful, add the following IP addresses to your firewall or ACL allow list:

    • 52.14.213.208
    • 3.140.118.214

Configuration

Creating and managing zones involve creating a primary DNS zone and a secondary zone, configuring settings such as records, encryption mechanism, etc.

Create Primary Zone

Log into Console and perform the following:

Step 1: Navigate to DNS management and start adding a zone.
  • Click DNS Management workspace on the Console home page.
Figure: Navigate to DNS Management

Figure: Navigate to DNS Management

  • Select DNS Management option in the primary navigation menu located on the left side of the page.

  • Click Add Zone.

Figure: Add Zone

Figure: Add Zone

  • Enter domain or subdomain name in the Domain Name field in the metadata section.

  • Optionally, set labels and add a description for your zone.

Step 2: Start configuring primary zone.

Select Primary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Edit Configuration under the Primary DNS Configuration field. Do the following in the zone configuration form:

  • In the SOA Record Parameters section, the Use Default Parameters is populated by default. To customize this, select SOA Record Parameters option, click View Configuration, and set the SOA parameters such as refresh interval, retry interval, TTL, etc.

Note: The internal DNS refresh time used by Distributed Cloud DNS for Origin Endpoint resolution is set to 15 minutes. If the DNS refresh values for the origin server are configured to less than 900 seconds, they will be overridden, resulting in a DNS refresh interval of 15 minutes or more.

Figure: SOA Custom Configuration

Figure: SOA Custom Configuration

Step 3: Configure resource record sets for the default group.

  • Go to Resource Record Sets section and click Add Item. The resource record sets configuration form opens.

  • Enter a value for the Time to live field.

  • Select a record type for the Record Set field, enter a name for your record name in the Record Name field, and set the fields as per your record type selection. Refer to the following table for the record type and field mapping:

Record TypeFieldsNotes
AList of IPv4 AddressesEnter IPv4 addresses.
AAAAList of IPv6 AddressesEnter IPv6 addresses.
ALIASDomainEnter alias domain name.
CAATags and ValueEnter a tag and its value.
CNAMEDomainEnter domain name.
MXDomain and PriorityEnter domain and priority in the MX Record Value section.
NSList of Name serversEnter the FQDN for the name servers.
PTRList of Name serversEnter the FQDN for the name servers.
SRVPriority, Weight, Port, TargetClick Add Item in the SRV Value section and set the parameters.
TXTList of TextAdd the TXT record.
DNS Load BalancerDNS Load Balancer RecordsAdd the DNS Load Balancer record.
NAPTRNaming Authority PointerEnter regex based domain names used in URIs.
DSDelegation signerEnter the signer to identify DNSSEC signing key of a delegated zone.
CDSChild DSEnter Child copy of DS record, for transfer to parent.
EUI48MAC address (EUI-48)Add uniquely identified MAC address as per the EUI-48 specification.
EUI64MAC address (EUI-64)Add uniquely identified MAC address as per the EUI-48 specification.
AFSAFS recordEnter the AFS record.
DNSKEYDNS KeyEnter the type, protocol, algorithm, and public key.
CDNSKEYChild DNS KeyEnter the type, protocol, algorithm, and public key.
LOCLocation informationEnter geographical details such as latitude, longitude, hemispheres, etc.
SSHFPSSH Key FingerprintEnter the fingerprint algorithm, type, and hexadecimal hash result of the ssh key.
TLSATLS Certificate AssociationEnter the usage, selector, matching type, and association data.
CERTPublic Key CertificateEnter the type, key tag, algorithm, and certificate.

Note: Use the Add item button available in each record type configuration to add more than one record for that record. See DNS Load Balancer for instructions on how to configure DNS load balancer for your zone.

Figure: Resource Record Set

Figure: Resource Record Set

  • Click Add Item to add the resource record set to the list of resource record sets. Use the Add Item button to add more than one resource record step.
Step 4: Configure specific resource record sets group.

This step configures specific groups for resource record sets. A resource record sets group allows grouping of DNS records to make it easier to manage them. For example, you can group DNS records that belong to the same application.

  • Enable Show Advanced Fields in the Resource Record Sets section.

  • Click Add Item in the appeared Additional Resource Record Sets section. This opens new resource record sets form.

  • Enter a Name in the metadata section.

  • Click Add Item in the Resource Record Sets section. This opens the resource record sets configuration form.

  • Configure the records in the same way as mentioned in previous step.

  • Click Add Item to add the resource record set to the group. Use the Add Item button to add more than one resource record set.

  • Click Add Item in the Resource Record Sets form to add the group to the Additional Resource Record Sets section. Use the Add Item button to add more than one group.

Step 5: Optionally, enable DNSSEC and load balancer management.
  • In the DNSSEC Mode section, select Enable for the DNSSEC Mode field if you want to use DNS security extensions (DNSSEC) to authenticate DNS response data.

Note: DNSSEC Mode is disabled by default.

  • Check the Allow HTTP Load Balancer Managed Records. This is only optional for a legacy delegated domain.

Note: Allow HTTP Load Balancer Managed Records is unchecked by default, which might have made sense for a delegated domain. However, Distributed Cloud Services has deprecated the Delegated Domain capability, which means that new domains will need to be setup as a Primary DNS zone corresponding to your HTTP Load Balancer (which is what you created in these steps), and you must check the Allow HTTP Load Balancer Managed Records checkbox for the HTTP Load Balancer to work properly.

Step 6: Complete creating the primary zone.
  • Click Apply in the primary zone configuration form.
Figure: Primary Zone Configuration

Figure: Primary Zone Configuration

  • Click Add DNS Zone in the main zone configuration form to complete creating the primary zone.

Note: In case you enabled the DNSSEC, the system generates a DS record and displays it in the DNSSEC DS Record column. Click on the displayed value, click Copy DS Record on the displayed window, add the DS record to your parent zone. After primary zone is created, you can use the dig ds <domain name> command to verify that the DS record digest is displayed in the output. This indicates that DNSSEC is functional.

Create Secondary Zone

Prior to creating secondary zone, ensure that you allow queries from F5 Distributed Cloud IP ranges to your DNS servers.

Log into Console and perform the following:

Step 1: Navigate to zone management and start adding a zone.
  • Click DNS Management workspace on the Console home page.
Figure: Navigate to DNS Management

Figure: Navigate to DNS Management

  • Select DNS Management option in the primary navigation menu located on the left side of the page.

  • Click Add Zone.

  • Enter domain or subdomain name in the Domain Name field in the metadata section. Ensure that you enter the same domain name used in primary zone configuration.

  • Optionally, set labels and add a description.

Step 2: Start configuring secondary zone.

Select Secondary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Configure under the Secondary DNS Configuration field. Do the following in the zone configuration form:

  • Enter IP addresses for the list of primary zone servers in the List of zone primary servers field. Use the Add item button to add more than one primary server.

  • Enter the Transaction Signature (TSIG) key name in the TSIG key name as used in TSIG protocol extension field.

  • Click on the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value for the key specified is compatible with the algorithm being selected.

Note: Configuring TSIG key and algorithm is optional. However, it is recommended that you use at least the HMAC-SHA256 algorithm in case you configure TSIG.

  • Click Configure in the TSIG key value in base 64 format section to encrypt your secret, and do one of the following:

    • Paste your secret in the Secret to Blindfold field, and click Apply. The secret type Blindfolded Secret and action Blindfold New Secret are set by default and your secret is encrypted using Blindfold. You can optionally change the action to Use Existing Blindfolded Secret to add an existing encrypted secret, or use a custom policy instead of a built-in policy using the Policy Type field.
    • In case you want to use a clear secret, select Clear Secret for the Secret Type field, and paste secret in the Secret field. The option text is populated by default, and you can apply Base64 encoding by changing the selection to Base64. Click Apply

Note: Ensure you obtain the base64 encoded secret if you choose Base64 option for clear secret. You can use echo -n <TSIG KEY> | base64 to convert your secret to Base64 encoded format.

  • Click Apply.
Figure: Secondary Zone Configuration

Figure: Secondary Zone Configuration

Step 3: Complete configuring secondary zone.

Click Add DNS Zone in the main zone configuration form to create secondary zone.

Step 4: Inspect the secondary zone file.

  • Select ... > View Zone File in the Actions column for your secondary zone object. This opens the secondary zone file records in a read-only window and displays the record name, TTL, record type, and record values.

  • Click on any record name to open detailed information of that record.

Import Zone

If you have an existing zone outside of F5 Distributed Cloud, you can import the zone. Note that only the primary zone can be imported using the import option.

Note: If you have DNSSEC records, those records are not imported. Also, importing an ALIAS record (or any other type of DNSLB record) is not supported.

Do the following to import a zone:

Step 1: Navigate to DNS Zone Management.

  • Click DNS Management workspace on the Console home page.

  • Select DNS Zone Management option in the primary navigation menu located on the left side of the page.

Figure: DNS Zone Management

Figure: DNS Zone Management

Step 2: Import from a zone file

Use the Import DNS Zone drop-down menu to import from one of the following zone file types:

Figure: DNS Zone Management

Figure: DNS Zone Management

Import from an AXFR zone file
  • Select AXFR Import from the Import DNS Zone drop-down menu.
Figure: Import from AXFR

Figure: Import from AXFR

  • Enter domain name in the Domain Name field.

  • Enter the IP address of your primary DNS server in the Primary DNS Server field.

  • Optionally, set TSIG configuration.

    • Click Configure in the TSIG Configuration section.

    • Enter the Transaction Signature (TSIG) key name in the TSIG key name field.

    • Click on the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value for the key specified is compatible with the algorithm being selected.

    • Click Configure in the TSIG key value in base 64 format section.

    • Encrypt your secret. Paste your secret in the Secret to Blindfold section. Click Apply.

    • Click Apply in the TSIG configuration form.

Import from a BIND zone file
  • Select BIND Import from the Import DNS Zone drop-down menu.
Figure: Import from BIND file

Figure: Import from BIND file

  • Optionally enter a description.

  • Click Import from File in the DNS Zones section.

  • Click Upload File in the Import from File panel.

  • Use the system file browser to select and open your BIND File. The BIND file must be a compressed zip file no larger than 1MB.

  • Click Import at the bottom of the Import from File panel.

Step 4: Complete importing the zone.

Click Add Import DNS Zone or Add Import from BIND in the import configuration form to import your zone.

Monitor DNS Zone Performance

Monitor DNS Load Balancers

To monitor your overall DNS system, DNS Performance, DNS zones, and DNS load balancers, see Monitor DNS.

Concepts

References

On this page: