Domain name system security extensions

DNS Security Extensions (DNSSEC) is an Internet Engineering Task Force (IETF) standard. It aims to provide data integrity and data origin authentication in communications between name servers and clients while still transmitting UDP responses in clear text. DNSSEC specifies a mechanism that uses asymmetric key cryptography and a set of new resource records that are specific to its implementation.

The DNSSEC specification is described in:

  • RFC 4033, “DNS Security Introduction and Requirements”
  • RFC 4034, “Resource Records for the DNS Security Extensions”
  • RFC 4035, “Protocol Modifications for the DNS Security Extensions”

The operational aspects of implementing DNSSEC within DNS are discussed in RFC 4641, “DNSSEC Operational Practices.”

You can configure DNSSEC on the NetScaler. You can generate and import keys for signing DNS zones. You can configure DNSSEC for zones for which the NetScaler is authoritative. You can configure the ADC as a DNS proxy server for signed zones hosted on a farm of back-end name servers. If the ADC is authoritative for a subset of the records belonging to a zone for which the ADC is configured as a DNS proxy server, you can include the subset of records in the DNSSEC implementation.
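The DNSKEY record defined in RFC 4034 carries the public half of each signing key. The following added example (not NetScaler code and not part of the original documentation) parses a DNSKEY record, classifies it as a zone signing key or key signing key from its flags, and computes the RFC 4034 Appendix B key tag that signatures and DS records use to reference it. The function names and the sample records are constructed for illustration.

```python
import base64
import struct

ZONE_KEY = 0x0100  # flags bit 7: key may be used to verify zone data
SEP = 0x0001       # flags bit 15: secure entry point, conventionally a KSK


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum over the whole DNSKEY RDATA."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet << 8 if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(rdata: bytes) -> dict:
    """Split wire-format DNSKEY RDATA into its fields and classify the key."""
    if len(rdata) < 5:
        raise ValueError("DNSKEY RDATA too short")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if algorithm == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    if not flags & ZONE_KEY:
        role = "not a zone key"
    else:
        role = "KSK" if flags & SEP else "ZSK"
    return {"flags": flags, "algorithm": algorithm, "role": role,
            "key_tag": key_tag(rdata), "public_key": rdata[4:]}


def parse_presentation(text: str) -> dict:
    """Parse the '<flags> <protocol> <algorithm> <base64 key>' zone-file form."""
    flags, protocol, algorithm, *b64 = text.split()
    header = struct.pack("!HBB", int(flags), int(protocol), int(algorithm))
    return parse_dnskey(header + base64.b64decode("".join(b64)))


# Constructed sample records; the key material is a placeholder, not a real key.
SAMPLE_KSK = "257 3 8 AQIDBA=="
SAMPLE_ZSK = "256 3 8 AQIDBA=="

if __name__ == "__main__":
    for record in (SAMPLE_KSK, SAMPLE_ZSK):
        print(parse_presentation(record))
```

Comparing the computed key tag and role against the values expected for a zone is a quick way to confirm that the intended key pair was imported before the zone is signed.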
