-
Getting Started with NetScaler
-
Deploy a NetScaler VPX instance
-
Optimize NetScaler VPX performance on VMware ESX, Linux KVM, and Citrix Hypervisors
-
Apply NetScaler VPX configurations at the first boot of the NetScaler appliance in cloud
-
Configure simultaneous multithreading for NetScaler VPX on public clouds
-
Install a NetScaler VPX instance on Microsoft Hyper-V servers
-
Install a NetScaler VPX instance on Linux-KVM platform
-
Prerequisites for installing NetScaler VPX virtual appliances on Linux-KVM platform
-
Provisioning the NetScaler virtual appliance by using OpenStack
-
Provisioning the NetScaler virtual appliance by using the Virtual Machine Manager
-
Configuring NetScaler virtual appliances to use SR-IOV network interface
-
Configure a NetScaler VPX on KVM hypervisor to use Intel QAT for SSL acceleration in SR-IOV mode
-
Configuring NetScaler virtual appliances to use PCI Passthrough network interface
-
Provisioning the NetScaler virtual appliance by using the virsh Program
-
Provisioning the NetScaler virtual appliance with SR-IOV on OpenStack
-
Configuring a NetScaler VPX instance on KVM to use OVS DPDK-Based host interfaces
-
-
Deploy a NetScaler VPX instance on AWS
-
Deploy a VPX high-availability pair with elastic IP addresses across different AWS zones
-
Deploy a VPX high-availability pair with private IP addresses across different AWS zones
-
Protect AWS API Gateway using the NetScaler Web Application Firewall
-
Configure a NetScaler VPX instance to use SR-IOV network interface
-
Configure a NetScaler VPX instance to use Enhanced Networking with AWS ENA
-
Deploy a NetScaler VPX instance on Microsoft Azure
-
Network architecture for NetScaler VPX instances on Microsoft Azure
-
Configure multiple IP addresses for a NetScaler VPX standalone instance
-
Configure a high-availability setup with multiple IP addresses and NICs
-
Configure a high-availability setup with multiple IP addresses and NICs by using PowerShell commands
-
Deploy a NetScaler high-availability pair on Azure with ALB in the floating IP-disabled mode
-
Configure a NetScaler VPX instance to use Azure accelerated networking
-
Configure HA-INC nodes by using the NetScaler high availability template with Azure ILB
-
Configure a high-availability setup with Azure external and internal load balancers simultaneously
-
Configure a NetScaler VPX standalone instance on Azure VMware solution
-
Configure a NetScaler VPX high availability setup on Azure VMware solution
-
Configure address pools (IIP) for a NetScaler Gateway appliance
-
Deploy a NetScaler VPX instance on Google Cloud Platform
-
Deploy a VPX high-availability pair on Google Cloud Platform
-
Deploy a VPX high-availability pair with external static IP address on Google Cloud Platform
-
Deploy a single NIC VPX high-availability pair with private IP address on Google Cloud Platform
-
Deploy a VPX high-availability pair with private IP addresses on Google Cloud Platform
-
Install a NetScaler VPX instance on Google Cloud VMware Engine
-
-
Solutions for Telecom Service Providers
-
Load Balance Control-Plane Traffic that is based on Diameter, SIP, and SMPP Protocols
-
Provide Subscriber Load Distribution Using GSLB Across Core-Networks of a Telecom Service Provider
-
Authentication, authorization, and auditing application traffic
-
Basic components of authentication, authorization, and auditing configuration
-
Web Application Firewall protection for VPN virtual servers and authentication virtual servers
-
On-premises NetScaler Gateway as an identity provider to Citrix Cloud
-
Authentication, authorization, and auditing configuration for commonly used protocols
-
Troubleshoot authentication and authorization related issues
-
-
-
-
-
-
Configure DNS resource records
-
Configure NetScaler as a non-validating security aware stub-resolver
-
Jumbo frames support for DNS to handle responses of large sizes
-
Caching of EDNS0 client subnet data when the NetScaler appliance is in proxy mode
-
Use case - configure the automatic DNSSEC key management feature
-
Use Case - configure the automatic DNSSEC key management on GSLB deployment
-
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Retrieve location details from user IP address using geolocation database
-
Use source IP address of the client when connecting to the server
-
Use client source IP address for backend communication in a v4-v6 load balancing configuration
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 12: Configure Citrix Virtual Desktops for load balancing
-
Use case 13: Configure Citrix Virtual Apps and Desktops for load balancing
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
Use case 15: Configure layer 4 load balancing on the NetScaler appliance
-
-
-
-
-
Authentication and authorization for System Users
-
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Zone maintenance
From a DNSSEC perspective, zone maintenance involves rolling over Zone Signing Keys and Key Signing Keys when key expiry is imminent. These zone maintenance tasks can be performed manually or you can automate the process by enabling the auto rollover feature. When automated, the zone is re-signed automatically. However, manual intervention is required to update the DS record in the parent zone.
Re-sign an updated zone
When a zone is updated (add a record or modify an existing record), the appliance automatically re-signs the new (or modified) record. If a zone contains multiple zone signing keys, the appliance re-signs the new (or modified) record with the key used to sign the zone.
Zone Transfer in GSLB
Updating a DNS key in all the GSLB sites can be a time-consuming process, and there is a possibility of missing an update in one or more GSLB sites. To prevent this occurrence, you can use the zone transfer option to synchronize the DNS keys in other GSLB sites after updating it in one DNS server. When the zone transfer is enabled, all the DNS configuration records related to all the zones are synced to other GSLB sites.
Note:
Zone or DNSSEC setting is optional for GSLB domains.
To configure the zone transfer, see Configure DNSSEC.
Roll over DNSSEC keys
Note: Manually or automatically roll over the DNSSEC keys (KSK, ZSK) before they expire.
On the NetScaler, you can use the prepublish and double signature methods to perform a rollover of the Zone Signing Key and Key Signing Key. More information about these two rollover methods is available in RFC 4641, “DNSSEC Operational Practices.”
The following topics map commands on the ADC to the steps in the rollover procedures discussed in RFC 4641.
The key expiry notification is sent through an SNMP trap called dnskeyExpiry. Three MIB variables, dnskeyName, dnskeyTimeToExpire, and dnskeyUnitsOfExpiry are sent along with the dnskeyExpiry SNMP trap. For more information, see NetScaler SNMP OID Reference at NetScaler 12.0 SNMP OID Reference. This SNMP alarm is sent only when automatic key rollover option is not enabled.
Automatic key rollover
Automating the key rollover eliminates the need to keep track of the key expiry date and the chances of missing the rollover of keys. When creating a new key, you can automate the key rollover process on a scheduled date. To configure an automatic key rollover, see Configure DNSSEC.
Prepublish key rollover
RFC 4641, “DNSSEC Operational Practices” defines four stages for the prepublish-key rollover method: initial, new DNSKEY, new RRSIGs, and DNSKEY removal. Each stage is associated with a set of tasks that you must perform on the ADC. Following are the descriptions of each stage and the tasks that you must perform. The rollover procedure described here can be used for both Key Signing Keys and Zone Signing Keys.
-
Stage 1: Initial. The zone contains only those key sets with which the zone has currently been signed. The state of the zone in the initial stage is the state of the zone just before you begin the key rollover process.
Example:
Consider the key, example.com.zsk1, with which the zone example.com is signed. The zone contains only those RRSIGs generated by the example.com.zsk1 key, which is due for expiry. The Key Signing Key is example.com.ksk1.
-
Stage 2: New DNSKEY. A new key is created and published in the zone. That is, the key is added to the ADC, but the zone is not signed with the new key until the pre-roll phase is complete. In this stage, the zone contains the old key, the new key, and the RRSIGs generated by the old key. Publishing the new key for the complete duration of the pre-roll phase gives the DNSKEY resource record corresponding to the new key time to propagate to the secondary name servers.
Example:
A new key example.com.zsk2 is added to the example.com zone. The zone is not signed with example.com.zsk2 until the pre-roll phase is complete. The example.com zone contains DNSKEY resource records for both example.com.zsk1 and example.com.zsk2.
NetScaler commands:
Perform the following tasks on NetScaler:
-
Create a DNS key by using the
create dns keycommand.For more information about creating a DNS key, including an example, see Create DNS keys for a zone.
-
Publish the new DNS key in the zone by using the
add dns keycommand.For more information about publishing the key in the zone, including an example, see Publish a DNS key in a zone.
-
-
Stage 3: New RRSIGs. The zone is signed with the new DNS key and then unsigned with the old DNS key. The old DNS key is not removed from the zone and remains published until the RRSIGs generated by the old key expire.
Example:
The zone is signed with example.com.zsk2 and then unsigned with example.com.zsk1. The zone continues to publish example.com.zsk1 until the RRSIGs generated by example.com.zsk1 expire.
NetScaler commands:
Perform the following tasks on NetScaler:
- Sign the zone with the new DNS key by using the
sign dns zonecommand. - Unsign the zone with the old DNS key by using the
unsign dns zonecommand.
For more information about signing and unsigning a zone, including examples, see Sign and unsign a DNS zone.
- Sign the zone with the new DNS key by using the
-
Stage 4: DNSKEY Removal. When the RRSIGs generated by the old DNS key expire, the old DNS key is removed from the zone.
Example:
The old DNS key example.com.zsk1 is removed from the example.com zone.
NetScaler commands
On the ADC, you remove the old DNS key by using the
rm dns keycommand. For more information about removing a key from a zone, including an example, see Remove a DNS key.
Double signature key rollover
RFC 4641, “DNSSEC Operational Practices” defines three stages for double signature key rollover: initial, new DNSKEY, and DNSKEY removal. Each stage is associated with a set of tasks that you must perform on the ADC. Following are the descriptions of each stage and the tasks that you must perform. The rollover procedure described here can be used for both Key Signing Keys and Zone Signing Keys.
-
Stage 1: Initial. The zone contains only those key sets with which the zone has currently been signed. The state of the zone in the initial stage is the state of the zone just before you begin the key rollover process.
Example:
Consider the key, example.com.zsk1, with which the zone example.com is signed. The zone contains only those RRSIGs generated by the example.com.zsk1 key, which is due for expiry. The Key Signing Key is example.com.ksk1.
-
Stage 2: New DNSKEY. The new key is published in the zone and the zone is signed with the new key. The zone contains the RRSIGs that are generated by the old and the new keys. The minimum duration for which the zone must contain both sets of RRSIGs is the time required for all the RRSIGs to expire.
Example:
A new key example.com.zsk2 is added to the example.com zone. The zone is signed with example.com.zsk2. The example.com zone now contains the RRSIGs generated from both keys.
NetScaler commands
Perform the following tasks on NetScaler:
-
Create a DNS key by using the
create dns keycommand.For more information about creating a DNS key, including an example, see Create DNS keys for a zone.
-
Publish the new key in the zone by using the
add dns keycommand.For more information about publishing the key in the zone, including an example, see Publish a DNS key in a zone.
-
Sign the zone with the new key by using the
sign dns zonecommand.For more information about signing a zone, including examples, see Sign and unsign a DNS zone.
-
-
Stage 3: DNSKEY Removal. When the RRSIGs generated by the old DNS key expire, the old DNS key is removed from the zone.
Example:
The old DNS key example.com.zsk1 is removed from the example.com zone.
NetScaler commands:
On NetScaler, you remove the old DNS key by using the
rm dns keycommand.For more information about removing a key from a zone, including an example, see Remove a DNS key.
Double-RRset
RFC 7583, “DNSSEC Key Rollover Timing Considerations” defines three stages for double rrset rollover: initial, new DNSKEY, and DNSKEY removal. Each stage is associated with a set of tasks that you must perform on NetScaler. Following are the descriptions of each stage and the tasks that you must perform. The rollover procedure described here is used for Key Signing Keys.
-
Stage 1: Initial. The zone contains only those key sets and records with which the zone has currently been signed. The state of the zone in the initial stage is the state of the zone just before you begin the key rollover process.
Example:
Consider the key, example.com.zsk1, and key.example.com.ksk1, with which the zone example.com and DNSSEC Key are signed respectively. The zone contains only those DNSKEY RRSIGs generated by the example.com.ksk1 key, that are due for expiry.
-
Stage 2: New DNSKEY. New DNSKEY. The new KSK key is created, and published in the zone. Two DNSSEC Keys and RRSig are available in the zone, one created by old key and one by new key. Update the new DS record in the parent zone. Now, the parent zone has two DS records one for the newly created key and one for the old key.
Note:
It might take some time for the DS record to become available in the parent zone.
The zone contains the RRSIGs that are generated by the old and the new keys. In order for the zone to contain both sets of RRSIGs, it is necessary to wait for the expiry of all RRSIGs, which is the TTL value for the DNSKEY record. Additionally, you must consider the propagation delay in the case of DNS hierarchy. Example:
A new key example.com.ksk2 is added to the example.com zone. The zone is signed with example.com.ksk2. The example.com zone now contains the RRSIGs generated from both keys.
**NetScaler commands**
Perform the following tasks on NetScaler:
- Create a DNS key by using the `create dns key` command.
For more information about creating a DNS key, including an example, see [Create DNS keys for a zone](/en-us/citrix-adc/current-release/dns/dnssec/configure-dnssec.html).
- Publish the new key in the zone by using the `add dns key` command.
For more information about publishing the key in the zone, including an example, see [Publish a DNS key in a zone](/en-us/citrix-adc/current-release/dns/dnssec/configure-dnssec.html).
- Sign the zone with the new key by using the `sign dns zone` command.
For more information about signing a zone, including examples, see [Sign and unsign a DNS zone](/en-us/citrix-adc/current-release/dns/dnssec/configure-dnssec.html).
-
Stage 3: Unsign zone with old key.
Once sufficient time has elapsed for the new DNSSEC key to be cached in resolvers, zone can be unsigned with old key.
Unsign the zone with the old key by using the
unsign dns zonecommand.For more information about unsigning a zone, including examples, see Sign and unsign a DNS zone.
-
Stage 4: DNSKEY Removal. When the RRSIGs generated by the old DNS key expire, the old DNS key is removed from the zone.
Note:
Ensure that you have unsigned the zone before deleting the key.
**Example:**
The old DNS key example.com.ksk1 is removed from the example.com zone.
**NetScaler commands:**
On the ADC, you remove the old DNS key by using the `rm dns key` command. For more information about removing a key from a zone, including an example, see [Remove a DNS key](/en-us/citrix-adc/current-release/dns/dnssec/configure-dnssec.html).
Share
Share
In this article
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.