
Configure DNSSEC

Perform the following steps to configure DNSSEC:

  1. Enable DNSSEC on the NetScaler appliance.
  2. Create a zone signing key and a key signing key for the zone.
  3. Add the two keys to the zone.
  4. Sign the zone with the keys.

The NetScaler appliance does not act as a DNSSEC resolver. DNSSEC on the ADC is supported only in the following deployment scenarios:

  1. ADNS—NetScaler is the ADNS and generates the signatures itself.
  2. Proxy—NetScaler acts as a DNSSEC proxy. It is assumed that the NetScaler is placed in front of the ADNS/LDNS servers in a trusted mode. The ADC acts only as a proxy caching entity and does not validate any signatures.

Enable and disable DNSSEC

Enable DNSSEC on the NetScaler for the ADC to respond to DNSSEC-aware clients. By default, DNSSEC is enabled.

You can disable the DNSSEC feature if you do not want the NetScaler to respond to clients with DNSSEC-specific information.

Enable or disable DNSSEC by using the CLI

At the command prompt, type the following commands to enable or disable DNSSEC and verify the configuration:

-  set dns parameter -dnssec ( ENABLED | DISABLED )
-  show dns parameter  

Example:

> set dns parameter -dnssec ENABLED
 Done
> show dns parameter
        DNS parameters:
        DNS retries: 5
         .
         .
         .
         DNSEC Extension: ENABLED
        Max DNS Pipeline Requests: 255
 Done


Enable or disable DNSSEC by using the GUI

  1. Navigate to Traffic Management > DNS.
  2. In the details pane, click Change DNS settings.
  3. In the Configure DNS Parameters dialog box, select or clear the Enable DNSSEC Extension check box.

Create DNS keys for a zone

For each DNS zone that you want to sign, you must create two pairs of asymmetric keys. One pair, called the zone signing key (ZSK), is used to sign all the resource record sets in the zone. The second pair is called the key signing key (KSK) and is used to sign only the DNSKEY resource records in the zone.

When the ZSK and the KSK are created, the suffix .key is automatically appended to the names of the public components of the keys, and the suffix .private to the names of their private components.

The NetScaler also creates a Delegation Signer (DS) record and appends the suffix .ds to the name of the record. If the parent zone is a signed zone, you must publish the DS record in the parent zone to establish the chain of trust.

When you create a key, the key is stored in the /nsconfig/dns/ directory, but it is not automatically published in the zone. After you create a key by using the create dns key command, you must explicitly publish the key in the zone by using the add dns key command. The process of generating a key is separate from the process of publishing the key in a zone to enable you to use alternative means to generate keys. For example, you can import keys generated by other key-generation programs (such as bind-keygen) by using the Secure FTP (SFTP) and then publish the keys in the zone. For more information about publishing a key in a zone, see Publish a DNS key in a zone.

Perform the steps described in this topic to create a zone signing key and then repeat the steps to create a key signing key. The example that follows the command syntax first creates a zone signing key pair for the zone example.com. The example then uses the command to create a key signing key pair for the zone.

From release 13.0 build 61.x, the NetScaler appliance supports stronger cryptographic algorithms, such as RSASHA256 and RSASHA512, for authenticating a DNS zone. Previously, only the RSASHA1 algorithm was supported.

Create a DNS key by using the CLI

At the command prompt, type:

create dns key -zoneName <string> -keyType <keyType> -algorithm <algorithm> -keySize <positive_integer> -fileNamePrefix <string>

Example:

> create dns key -zoneName example.com -keyType zsk -algorithm RSASHA256 -keySize 1024 -fileNamePrefix example.com.zsk.rsasha1.1024
File Name: /nsconfig/dns/example.com.zsk.rsasha1.1024.key (public); /nsconfig/dns/example.com.zsk.rsasha1.1024.private (private); /nsconfig/dns/example.com.zsk.rsasha1.1024.ds (ds)
This operation may take some time, Please wait...
 Done
> create dns key -zoneName example.com -keyType ksk -algorithm RSASHA512 -keySize 4096 -fileNamePrefix example.com.ksk.rsasha1.4096
File Name: /nsconfig/dns/example.com.ksk.rsasha1.4096.key (public); /nsconfig/dns/example.com.ksk.rsasha1.4096.private (private); /nsconfig/dns/example.com.ksk.rsasha1.4096.ds (ds)
This operation may take some time, Please wait...
 Done
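The chain of trust described above depends on the DS record published in the parent matching the KSK's DNSKEY in the zone. The following Python is an added example, not NetScaler code: it computes the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest for a DNSKEY and checks a DS record against it. It assumes standard presentation format for both records and uses a constructed two-byte placeholder public key; the exact format of the .ds file that NetScaler writes is not shown on this page.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256).
# "AQI=" is a two-byte placeholder (0x01 0x02), not a real RSA public key.
SAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 8 AQI="

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def parse_dnskey(line: str):
    """Return (owner, algorithm, RDATA bytes) from a DNSKEY record in presentation format."""
    owner, _cls, _rtype, flags, proto, alg, key = line.split(maxsplit=6)
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg))
    rdata += base64.b64decode(key.replace(" ", ""))
    return owner, int(alg), rdata

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner: str, rdata: bytes) -> str:
    """RFC 4509 digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA, as hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def make_ds(dnskey_line: str) -> str:
    """Build the DS record the parent zone should publish for this DNSKEY."""
    owner, alg, rdata = parse_dnskey(dnskey_line)
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {ds_sha256(owner, rdata)}"

def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True only if owner, key tag, algorithm, digest type and digest all agree with the DNSKEY."""
    owner, alg, rdata = parse_dnskey(dnskey_line)
    ds_owner, _cls, _rtype, tag, ds_alg, dtype, digest = ds_line.split(maxsplit=6)
    return (name_to_wire(ds_owner) == name_to_wire(owner)
            and int(tag) == key_tag(rdata)
            and int(ds_alg) == alg
            and int(dtype) == 2
            and digest.replace(" ", "").upper() == ds_sha256(owner, rdata))

if __name__ == "__main__":
    ds = make_ds(SAMPLE_DNSKEY)
    print(ds)
    print("DS matches DNSKEY:", ds_matches(SAMPLE_DNSKEY, ds))
```

Run the same check against the DNSKEY the zone actually serves and the DS the parent publishes; a mismatch in any field means resolvers cannot build the chain of trust.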

Create a DNS key by using the GUI

  1. Navigate to Traffic Management > DNS.
  2. In the details area, click Create DNS Key.
  3. Enter values for the different parameters and click Create.

    Create a DNS key

    Note: To modify the file name prefix of an existing key:

    • Click the arrow next to the Browse button.
    • Click either Local or Appliance (depending on whether the existing key is stored on your local computer or in the /nsconfig/dns/ directory on the appliance).
    • Browse to the location of the key, and then double-click the key. The File Name Prefix box is populated with only the prefix of the existing key. Modify the prefix accordingly.

Publish a DNS key in a zone

A key (zone signing key or key signing key) is published in a zone by adding the key to NetScaler. A key must be published in a zone before you sign the zone.

Before you publish a key in a zone, the key must be available in the /nsconfig/dns/ directory. If you created the DNS key on another computer (for example, by using the bind-keygen program), copy the key to the /nsconfig/dns/ directory, either by using the ADC GUI or by using another program such as Secure FTP (SFTP), and then publish the key in the zone.

Use the add dns key command for each public-private key pair that you want to publish in a given zone. If you created a ZSK pair and a KSK pair for a zone, use the add dns key command to first publish one of the key pairs in the zone. Repeat the command to publish the other key pair. For each key that you publish in a zone, a DNSKEY resource record is created in the zone.

The example that follows the command syntax first publishes the zone signing key pair (that was created for the example.com zone) in the zone. The example then uses the command to publish the key signing key pair in the zone.

Publish a key in a zone by using the CLI

At the command prompt, type the following command to publish a key in a zone and verify the configuration:

-  add dns key <keyName> <publickey> <privatekey> [-expires <positive_integer> [<units>]] [-notificationPeriod <positive_integer> [<units>]] [-TTL <secs>]
-  show dns zone [<zoneName> | -type <type>]

Example:

> add dns key example.com.zsk example.com.zsk.rsasha1.1024.key example.com.zsk.rsasha1.1024.private -expires 121 -TTL 5
 Done
> add dns key example.com.ksk example.com.ksk.rsasha1.4096.key example.com.ksk.rsasha1.4096.private -expires 121 -TTL 5
 Done
> show dns zone example.com
         Zone Name : example.com
         Proxy Mode : NO
         Domain Name : example.com
                 Record Types : NS SOA DNSKEY
         Domain Name : ns1.example.com
                 Record Types : A
         Domain Name : ns2.example.com
                 Record Types : A
 Done

Publish a key in a DNS zone by using the GUI

Navigate to Traffic Management > DNS > Keys.

Note: For Public Key and Private Key, to add a key that is stored on your local computer, click the arrow next to the Browse button, click Local, browse to the location of the key, and then double-click the key.

Configure a DNS key

You can configure the parameters of a key that has been published in a zone: the key's expiry time period, notification period, and time-to-live (TTL). If you change the expiry time period of a key and the zone is signed with that key, the appliance automatically re-signs all the resource records in the zone with the key.

Configure a key by using the CLI

At the command prompt, type the following command to configure a key and verify the configuration:

-  set dns key <keyName> [-expires <positive_integer> [<units>]] [-notificationPeriod <positive_integer> [<units>]] [-TTL <secs>]
-  show dns key [<keyName>]

Example:

> set dns key example.com.ksk -expires 30 DAYS -notificationPeriod 3 DAYS -TTL 3600
 Done
> show dns key example.com.ksk
1)      Key Name: example.com.ksk
        Expires: 30 DAYS        Notification: 3 DAYS    TTL: 3600
        Public Key File: example.com.ksk.rsasha1.4096.key
        Private Key File: example.com.ksk.rsasha1.4096.private
 Done

Configure a key by using the GUI

  1. Navigate to Traffic Management > DNS > Keys.

  2. In the details pane, click the key that you want to configure, and then click Open.

  3. In the Configure DNS Key dialog box, modify the values of the following parameters (the corresponding CLI parameter is shown after each name):

    • Expires—expires
    • Notification Period—notificationPeriod
    • TTL—TTL
  4. Click OK.

Sign and unsign a DNS zone

To secure a DNS zone, you must sign the zone with the keys that have been published in the zone. When you sign a zone, the NetScaler first creates a Next Secure (NSEC) resource record for each owner name. It then uses the key signing key to sign the DNSKEY resource record set, and finally uses the zone signing key to sign all the resource record sets in the zone, including the DNSKEY and NSEC resource record sets. Each sign operation produces a signature for a resource record set, which is stored in a new resource record, the RRSIG record.

After you sign a zone, save the configuration.

Sign a zone by using the CLI

At the command prompt, type the following command to sign a zone and verify the configuration:

-  sign dns zone <zoneName> [-keyName <string> ...]
-  show dns zone [<zoneName> | -type (ADNS | PROXY | ALL)]
-  save config

Example:

> sign dns zone example.com -keyName example.com.zsk example.com.ksk
 Done
> show dns zone example.com
         Zone Name : example.com
         Proxy Mode : NO
         Domain Name : example.com
                 Record Types : NS SOA DNSKEY RRSIG NSEC
         Domain Name : ns1.example.com
                 Record Types : A RRSIG NSEC
         Domain Name : ns2.example.com
                 Record Types : A RRSIG
         Domain Name : ns2.example.com
                 Record Types : RRSIG NSEC
Done
> save config
 Done
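After signing, a practitioner wants to confirm that every owner name in the listing actually carries RRSIG and NSEC records and that the apex publishes a DNSKEY. The following Python is an added check, not part of the NetScaler documentation: it parses a show dns zone listing in the text format shown above, merges owner names that appear more than once (as ns2.example.com does in the output above), and reports the names that are still unsigned. The sample listing is constructed from this page's output with one extra unsigned name added.

```python
import re
from collections import defaultdict

# Constructed sample: the signed-zone listing shown on this page, plus one extra
# owner name (www.example.com) that has no RRSIG or NSEC record.
SAMPLE_LISTING = """\
 Zone Name : example.com
 Proxy Mode : NO
 Domain Name : example.com
         Record Types : NS SOA DNSKEY RRSIG NSEC
 Domain Name : ns1.example.com
         Record Types : A RRSIG NSEC
 Domain Name : ns2.example.com
         Record Types : A RRSIG
 Domain Name : ns2.example.com
         Record Types : RRSIG NSEC
 Domain Name : www.example.com
         Record Types : A
Done
"""

_NAME_RE = re.compile(r"^\s*Domain Name\s*:\s*(\S+)")
_TYPES_RE = re.compile(r"^\s*Record Types\s*:\s*(.*)$")

def parse_zone_listing(text: str) -> dict:
    """Map each owner name to the union of its record types (repeated names are merged)."""
    types = defaultdict(set)
    current = None
    for line in text.splitlines():
        m = _NAME_RE.match(line)
        if m:
            current = m.group(1).lower()
            types.setdefault(current, set())  # register the name even if no types follow
            continue
        m = _TYPES_RE.match(line)
        if m and current is not None:
            types[current].update(m.group(1).split())
    return dict(types)

def dnssec_gaps(text: str) -> dict:
    """Owner names missing RRSIG or NSEC; an empty dict means every listed name is signed."""
    return {name: sorted({"NSEC", "RRSIG"} - rtypes)
            for name, rtypes in parse_zone_listing(text).items()
            if not {"NSEC", "RRSIG"} <= rtypes}

def apex_has_dnskey(text: str, zone: str) -> bool:
    """Validators need the DNSKEY RRset at the zone apex to check any RRSIG."""
    return "DNSKEY" in parse_zone_listing(text).get(zone.lower().rstrip("."), set())

if __name__ == "__main__":
    print("DNSKEY at apex:", apex_has_dnskey(SAMPLE_LISTING, "example.com"))
    print("Names with gaps:", dnssec_gaps(SAMPLE_LISTING) or "none")
```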

Unsign a zone by using the CLI

At the command prompt, type the following command to unsign a zone and verify the configuration:

-  unsign dns zone <zoneName> [-keyName <string> ...]
-  show dns zone [<zoneName> | -type (ADNS | PROXY | ALL)]

Example:

> unsign dns zone example.com -keyName example.com.zsk example.com.ksk
 Done
> show dns zone example.com
         Zone Name : example.com
         Proxy Mode : NO
         Domain Name : example.com
                 Record Types : NS SOA DNSKEY
         Domain Name : ns1.example.com
                 Record Types : A
         Domain Name : ns2.example.com
                 Record Types : A
 Done

Sign or unsign a zone by using the GUI

  1. Navigate to Traffic Management > DNS > Zones.
  2. In the details pane, click the zone that you want to sign, and then click Sign/Unsign.
  3. In the Sign/Unsign DNS Zone dialog box, do one of the following:
    • To sign the zone, select the check boxes for the keys (zone signing key and key signing key) with which you want to sign the zone.

      You can sign the zone with more than one zone signing key or key signing key pair.

    • To unsign the zone, clear the check boxes for the keys (zone signing key and key signing key) with which you want to unsign the zone.

      You can unsign the zone with more than one zone signing key or key signing key pair.

  4. Click OK.

View the NSEC records for a given record in a zone

You can view the NSEC records that the NetScaler automatically creates for each owner name in the zone.

View the NSEC record for a given record in a zone by using the CLI

At the command prompt, type the following command to view the NSEC record for a given record in a zone:

show dns nsecRec [<hostName> | -type (ADNS | PROXY | ALL)]

Example:

> show dns nsecRec example.com
1)      Domain Name : example.com
        Next Nsec Name: ns1.example.com
        Record Types : NS SOA DNSKEY RRSIG NSEC
 Done

View the NSEC record for a given record in a zone by using the GUI

  1. Navigate to Traffic Management > DNS > Records > Next Secure Records.
  2. In the details pane, click the name of the record for which you want to view the NSEC record. The NSEC record for the record you select is displayed in the Details area.

Remove a DNS key

Remove a key from the zone in which it is published when the key has expired or if the key has been compromised. When you remove a key from the zone, the zone is automatically unsigned with the key. Removing the key with this command does not remove the key files present in the /nsconfig/dns/ directory. If the key files are no longer needed, they have to be explicitly removed from the directory.

Remove a key from the NetScaler by using the CLI

At the command prompt, type the following command to remove a key and verify the configuration:

-  rm dns key <keyName>
-  show dns key <keyName>

Example:

> rm dns key example.com.zsk
 Done
> show dns key example.com.zsk
ERROR: No such resource [keyName, example.com.zsk]


Remove a key from the NetScaler by using the GUI

  1. Navigate to Traffic Management > DNS > Keys.
  2. In the details pane, click the name of the key that you want to remove from the ADC, and then click Remove.

Revoke a DNS key

Although the key rollover is usually scheduled in advance, sometimes it becomes necessary to roll over the key immediately if the key is suspected to be compromised. In such cases, the compromised key must be phased out quickly before the new key can be activated. To ensure a smooth transition, it is recommended to keep a secondary key in a ready state, which can be activated immediately in case the key is compromised. By using the revoke key method, you can save time in activating the secondary key and removing the compromised key.

Note:

If you revoke the key, it remains in the system unless you explicitly delete it. If the auto-rollover option is set, the system rolls over the key automatically after the configured expiration date if you do not delete it manually. During the auto-rollover process, a new key is created for you to use based on your needs.

Enable revoke using CLI

At the command prompt type:

set dns key <keyName> [-revoke]

Example:

set dns key secure.example.zsk -revoke

Enable revoke using GUI

  1. Navigate to Traffic Management > DNS > Keys.
  2. In the details pane, click the key that you want to configure, and then click Open.
  3. In the Configure DNS Key page, select or clear Revoke.
  4. Click Ok.

Automatic key rollover

In NetScaler, you can automate the key rollover process based on the configured frequency period. Automating the rollover rules out the chance of missing a key rollover. When the automatic rollover option is enabled, NetScaler creates, publishes, activates, signs with, and unsigns keys, and removes the old key, without manual intervention. SNMP notifications are also sent about the addition, activation, and removal of the old key.

Note:

If the zone transfer parameter is enabled in GSLB sites, the rollover keys are transferred to all the GSLB sites.

If you are upgrading from a build that doesn’t support the zone transfer to one that supports it, enable the rollover feature for an existing key. Before enabling the key rollover option, ensure that the key has not expired.

Configure automatic key rollover using CLI

At the command prompt, type:

set dns key <keyName> [-autoRollover (ENABLED | DISABLED)] [-RolloverMethod <PrePublication | DoubleSignature | DoubleRRset>]

Example:

set dns key secure.example.zsk -autoRollover ENABLED -RolloverMethod PrePublication

Configure automatic key rollover using GUI

  1. Navigate to Traffic Management > DNS > Keys.
  2. In the details pane, click the key that you want to configure, and then click Open.
  3. In the Configure DNS Key page, update the following parameters:
    • Auto Rollover - Enable the option to automate the key rollover.
    • Rollover Method - Select a rollover method.
  4. Click Ok.

SNMP Alarm

You can enable the SNMP alarm for DNSSEC key events when auto-rollover is enabled. When you enable the SNMP alarm, NetScaler generates a corresponding alarm (DNSSEC-KEY-AUTOMGMT-STATUS-SUCCESS or DNSSEC-KEY-AUTOMGMT-STATUS-FAILURE) depending on whether the event succeeds or fails. For example, when you create a DNSSEC key and the create event succeeds, a DNSSEC-KEY-AUTOMGMT-STATUS-SUCCESS alarm is generated.

For more information on SNMP alarms, see Configuring the NetScaler to generate SNMP traps (/en-us/citrix-adc/current-release/system/snmp/generating-snmp-traps-on-citrix-adc.html).

DNS Zone Transfer

To synchronize the DNSSEC keys with other DNS servers, you must enable the Zone Transfer parameter. Synchronizing the keys from one DNS server to the other DNS servers in the GSLB site is possible only if the AutomaticConfigSync option is enabled. For more information on real-time synchronization, see Real-time synchronization between sites participating in GSLB.

For more information on synchronization, see Synchronize the configuration in a GSLB setup.

DNS zone transfer is possible in NetScaler only where GSLB is configured. Ensure that you configure GSLB for each DNS server in a different location.

Enable or disable zone transfer using CLI

At the command prompt, type:

set dns parameter -ZoneTransfer (ENABLED | DISABLED)

Example:

set dns parameter -ZoneTransfer ENABLED

Done

Enable or disable zone transfer using GUI

  1. Navigate to Traffic Management > DNS.
  2. In the details pane, under Settings, click Change DNS settings.
  3. In the Configure DNS Parameters page, select or clear Zone Transfer.