DNSSEC security recommendations
We recommend that the following recommendations are applied for customers using DNSSEC:
Use RSA 1024 bits or higher for KSK/ZSK private keys
NIST recommends that DNS administrators maintain 1024-bit RSA/SHA-1 or RSA/SHA-256 ZSKs until 01 October 2015.
Enable SNMP alarm for DNSSEC key expiration
By default, the SNMP alarm for DNSSEC key expiration is enabled on NetScaler. The key expiry notification is sent through an SNMP trap called dnskeyExpiry. Three MIB variables, dnskeyName
, and dnskeyUnitsOfExpiry
, are sent along with the dnskeyExpiry
SNMP trap. For more information, see the NetScaler SNMP OID Reference.
Roll over KSK/ZSK private keys before the x.509 certificate expires
On NetScaler, you can use the pre-publish and double signature methods to perform a rollover of the Zone Signing Key and Key Signing Key. For more information, see the Domain Name System > Configuring DNSSEC topic on the NetScaler Docs.
Secure DNSSEC ADNS server
If NetScaler is configured in DNSSEC proxy mode, it caches the responses from the back-end ADNS server and forwards the cached responses to the DNS clients.
When NetScaler is authoritative for a given zone, all the resource records in the zone are configured on NetScaler. To sign the authoritative zone, you must create the keys (the Zone Signing Key and the Key Signing Key) for the zone, add the keys to NetScaler, and then sign the zone.
To configure NetScaler as an authoritative server, perform the following steps:
-
Add an ADNS service.
For example:
add service s1 <ip address> adns 53` <!--NeedCopy-->
-
Create DNS keys.
For example, to act as an authoritative server for the
com
domain:create dns key -zoneName com -keytype ksK -algorithm rsASHA512 -keysize 3000 -fileNamePrefix com.ksk.rsasha1.3000 create dns key -zoneName com -keytype zsk -algorithm rsASHA512 -keysize 3000 -fileNamePrefix com.zsk.rsasha1.3000 <!--NeedCopy-->
Note:
You must create the DNS keys once and they are saved in /nsconfig/dns.
-
Add DNS keys.
For example,
add dns key com.zsk.3000 /nsconfig/dns/com.zsk.rsasha1.3000.key /nsconfig/dns/com.zsk.rsasha1.3000.private add dns key com.ksk.3000 /nsconfig/dns/com.ksk.rsasha1.3000.key /nsconfig/dns/com.ksk.rsasha1.3000.private <!--NeedCopy-->
-
Add NS and SOA records for the
com
zone and then sign the zone.add dns soaRec com -originServer n1.com -contact citrix add dns nsrec com n1.com add dns zone com -proxyMode no add dns addRec n1.com 1.1.1.1 sign dns zone com <!--NeedCopy-->
Note: In addition, you must also enable the DNSEC Extension parameter in the DNS global parameters.
For more information on configuring the NetScaler as an authoritative domain name server, see the Domain Name System > Configuring the NetScaler as an ADNS Server topic on the Product Documentation.