ADC

Configure Citrix ADC as a non-validating security aware stub-resolver

Starting with Citrix ADC 12.1 build 49.xx, Citrix ADC acts as anon-validating security aware stub-resolver. To enable this support, the AD bit is set in the DNS header and the DO bit is unset in the OPT header. When the AD bit is set and DO bit is unset, the upstream recursive resolver validates the DNSSEC response. If the validation is successful, the recursive resolver responds without DNSSEC RRs. If the DNSSEC validation fails, then the recursive resolver returns with a SERVFAIL response.

Important: The AD bit is set by default in the ADC forwarder. The AD bit is not set for DBS initiated queries.

Configure Citrix ADC as a non-validating security aware stub-resolver