ADC

Offload DNSSEC operations to the Citrix ADC

For DNS zones for which your DNS servers are authoritative, DNSSEC operations can be offloaded to the ADC appliance. In a DNSSEC offloading deployment, a DNS server sends unsigned responses. The ADC signs the response dynamically before relaying it to the client. The ADC also caches the signed response. Apart from reducing the load on the DNS servers, offloading DNSSEC operations to the ADC gives you the following benefits:

  • You can sign records that the DNS servers generate programmatically. Such records cannot be signed by routine zone signing operations performed on the DNS servers.
  • You can serve signed responses to clients even if you have not implemented DNSSEC on your servers.

For setting up DNSSEC offloading, you must configure a DNS load balancing virtual server, configure services that represent the DNS servers, and then bind the services to the virtual server. For information about configuring a DNS load balancing virtual server, configuring services, and binding the services to the virtual server, see Configure a DNS zone.

Create a zone entity on the ADC for each DNS zone whose DNSSEC operations you want to offload. For each DNS zone, you must enable the Proxy Mode and DNSSEC Offload parameters. You can optionally configure NSEC record generation for an offloaded zone. To create a DNS zone entity for DNSSEC offloading, follow the instructions in this topic.

To complete the configuration, you must generate DNS keys for the zone, add the keys to the zone, and then sign the zone with the keys. This process is the same as for normal DNSSEC. For information about creating keys, adding keys to a zone, and signing the zone, see Domain name system security extensions.

After you configure DNS offloading, you must flush the DNS cache on the Citrix ADC. Flushing the DNS cache ensures that any unsigned records in the cache are removed and then replaced by signed records. For information about flushing the DNS cache, see Flush DNS records.

Enable DNSSEC offloading for a zone by using the CLI

At the command line, type the following commands to enable DNSSEC offloading for a zone and verify the configuration:

-  add dns zone <zoneName> -proxyMode YES -dnssecOffload ENABLED [-nsec ( ENABLED | DISABLED )
-  show dns zone
<!--NeedCopy-->

Example:

> add dns zone example.com -proxyMode YES -dnssecOffload ENABLED nsec ENABLED
 Done
> show dns zone example.com
     Zone Name : example.com
     Proxy Mode : YES
     DNSSEC Offload: ENABLED    NSEC: ENABLED
 Done
<!--NeedCopy-->

Enable DNSSEC offloading for a zone by using the GUI

  1. Navigate to Traffic Management > DNS > Zones.
  2. In the details pane, do one of the following:
    • To create a zone on the Citrix ADC, click Add.
    • To configure DNSSEC offloading for an existing zone, double-click the zone.
  3. In the Create DNS Zone or Configure DNS Zone dialog box, select the Proxy Mode and DNSSEC Offload check boxes.
  4. Optionally, if you want the Citrix ADC to generate NSEC records for the zone, select the NSEC check box.
Offload DNSSEC operations to the Citrix ADC