DNSSEC security recommendations

We recommend that customers using DNSSEC apply the following recommendations:

Use RSA 1024 bits or higher for KSK/ZSK private keys

NIST recommends that DNS administrators maintain 1024-bit RSA/SHA-1 or RSA/SHA-256 ZSKs until 01 October 2015.
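One way to audit the key-size recommendation against the DNSKEY records a zone publishes is shown below. This is an added example, not NetScaler code. The function names, the dig-style answer format, and the constructed example.test records are assumptions, and the 1024-bit default mirrors the minimum stated above.

```python
import base64

# IANA DNSSEC algorithm numbers whose public keys use the RFC 3110 RSA format.
RSA_ALGS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
            8: "RSASHA256", 10: "RSASHA512"}

def rsa_modulus_bits(key: bytes) -> int:
    """Modulus size of an RFC 3110 key: exponent length, exponent, modulus."""
    if not key:
        raise ValueError("empty public key")
    if key[0]:
        elen, off = key[0], 1
    else:  # a zero first octet means a two-octet exponent length follows
        elen, off = int.from_bytes(key[1:3], "big"), 3
    modulus = key[off + elen:]
    if not modulus:
        raise ValueError("truncated RSA public key")
    return int.from_bytes(modulus, "big").bit_length()

def audit_dnskeys(answer: str, min_bits: int = 1024) -> list:
    """Return one dict per DNSKEY line found in dig-style answer text."""
    results = []
    for line in answer.splitlines():
        f = line.split(";")[0].split()          # drop trailing comments
        if "DNSKEY" not in f:
            continue
        i = f.index("DNSKEY")
        flags, alg = int(f[i + 1]), int(f[i + 3])
        key = base64.b64decode("".join(f[i + 4:]))  # base64 may be space-split
        bits = rsa_modulus_bits(key) if alg in RSA_ALGS else None
        results.append({
            "zone": f[0],
            "role": "KSK" if flags & 1 else "ZSK",  # SEP bit set marks a KSK
            "algorithm": RSA_ALGS.get(alg, f"alg-{alg}"),
            "bits": bits,
            "ok": None if bits is None else bits >= min_bits,  # non-RSA: not judged
        })
    return results

def make_sample_record(flags: int, alg: int, bits: int) -> str:
    """Constructed record: exponent 65537 and a dummy modulus of the given size."""
    n = (1 << (bits - 1)) | 1
    rdata = b"\x03\x01\x00\x01" + n.to_bytes((bits + 7) // 8, "big")
    return f"example.test. 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(rdata).decode()}"

if __name__ == "__main__":
    text = "\n".join([make_sample_record(257, 10, 2048), make_sample_record(256, 8, 768)])
    for r in audit_dnskeys(text):
        print(r)
```

To audit a live zone, pass the saved DNSKEY answer text for that zone to audit_dnskeys instead of the constructed records.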

Enable SNMP alarm for DNSSEC key expiration

By default, the SNMP alarm for DNSSEC key expiration is enabled on NetScaler. The key expiry notification is sent through an SNMP trap called dnskeyExpiry. Three MIB variables, dnskeyName, and dnskeyUnitsOfExpiry, are sent along with the dnskeyExpiry SNMP trap. For more information, see the NetScaler SNMP OID Reference.

Roll over KSK/ZSK private keys before the X.509 certificate expires

On NetScaler, you can use the pre-publish and double signature methods to roll over the Zone Signing Key and the Key Signing Key. For more information, see the Domain Name System > Configuring DNSSEC topic in NetScaler Docs.

Secure DNSSEC ADNS server

If NetScaler is configured in DNSSEC proxy mode, it caches the responses from the back-end ADNS server and forwards the cached responses to the DNS clients.

When NetScaler is authoritative for a given zone, all the resource records in the zone are configured on NetScaler. To sign the authoritative zone, you must create the keys (the Zone Signing Key and the Key Signing Key) for the zone, add the keys to NetScaler, and then sign the zone.

To configure NetScaler as an authoritative server, perform the following steps:

  1. Add an ADNS service.

    For example:

    add service s1 <ip address> adns 53
    
  2. Create DNS keys.

    For example, to act as an authoritative server for the com domain:

    create dns key -zoneName com -keytype ksK -algorithm rsASHA512 -keysize 3000 -fileNamePrefix com.ksk.rsasha1.3000
    
    create dns key -zoneName com -keytype zsk -algorithm rsASHA512 -keysize 3000 -fileNamePrefix com.zsk.rsasha1.3000
    

    Note:

    You need to create the DNS keys only once. They are saved in /nsconfig/dns.

  3. Add DNS keys.

    For example:

    add dns key com.zsk.3000 /nsconfig/dns/com.zsk.rsasha1.3000.key /nsconfig/dns/com.zsk.rsasha1.3000.private
    add dns key com.ksk.3000 /nsconfig/dns/com.ksk.rsasha1.3000.key /nsconfig/dns/com.ksk.rsasha1.3000.private
    
  4. Add NS and SOA records for the com zone and then sign the zone.

    add dns soaRec com -originServer n1.com -contact citrix
    add dns nsrec com n1.com
    add dns zone com -proxyMode no
    add dns addRec n1.com 1.1.1.1
    
    sign dns zone com
    

Note: In addition, you must enable the DNSSEC Extension parameter in the DNS global parameters.

For more information on configuring NetScaler as an authoritative domain name server, see the Domain Name System > Configuring the NetScaler as an ADNS Server topic in the Product Documentation.
