ADC

Zone maintenance

From a DNSSEC perspective, zone maintenance involves rolling over Zone Signing Keys and Key Signing Keys when key expiry is imminent. These zone maintenance tasks can be performed manually or you can automate the process by enabling the auto rollover feature. When automated, the zone is re-signed automatically. However, manual intervention is required to update the DS record in the parent zone.

Re-sign an updated zone

When a zone is updated (add a record or modify an existing record), the appliance automatically re-signs the new (or modified) record. If a zone contains multiple zone signing keys, the appliance re-signs the new (or modified) record with the key used to sign the zone.

Zone Transfer in GSLB

Updating a DNS key in all the GSLB sites can be a time-consuming process, and there is a possibility of missing an update in one or more GSLB sites. To prevent this occurrence, you can use the zone transfer option to synchronize the DNS keys in other GSLB sites after updating it in one DNS server. When the zone transfer is enabled, all the DNS configuration records related to all the zones are synced to other GSLB sites.

Note:

Zone or DNSSEC setting is optional for GSLB domains.

To configure the zone transfer, see Configure DNSSEC.

Roll over DNSSEC keys

Note: Manually or automatically roll over the DNSSEC keys (KSK, ZSK) before they expire.

On the NetScaler, you can use the prepublish and double signature methods to perform a rollover of the Zone Signing Key and Key Signing Key. More information about these two rollover methods is available in RFC 4641, “DNSSEC Operational Practices.”

The following topics map commands on the ADC to the steps in the rollover procedures discussed in RFC 4641.

The key expiry notification is sent through an SNMP trap called dnskeyExpiry. Three MIB variables, dnskeyName, dnskeyTimeToExpire, and dnskeyUnitsOfExpiry are sent along with the dnskeyExpiry SNMP trap. For more information, see NetScaler SNMP OID Reference at NetScaler 12.0 SNMP OID Reference. This SNMP alarm is sent only when automatic key rollover option is not enabled.

Automatic key rollover

Automating the key rollover eliminates the need to keep track of the key expiry date and the chances of missing the rollover of keys. When creating a new key, you can automate the key rollover process on a scheduled date. To configure an automatic key rollover, see Configure DNSSEC.

Prepublish key rollover

RFC 4641, “DNSSEC Operational Practices” defines four stages for the prepublish-key rollover method: initial, new DNSKEY, new RRSIGs, and DNSKEY removal. Each stage is associated with a set of tasks that you must perform on the ADC. Following are the descriptions of each stage and the tasks that you must perform. The rollover procedure described here can be used for both Key Signing Keys and Zone Signing Keys.

  • Stage 1: Initial. The zone contains only those key sets with which the zone has currently been signed. The state of the zone in the initial stage is the state of the zone just before you begin the key rollover process.

    Example:

    Consider the key, example.com.zsk1, with which the zone example.com is signed. The zone contains only those RRSIGs generated by the example.com.zsk1 key, which is due for expiry. The Key Signing Key is example.com.ksk1.

  • Stage 2: New DNSKEY. A new key is created and published in the zone. That is, the key is added to the ADC, but the zone is not signed with the new key until the pre-roll phase is complete. In this stage, the zone contains the old key, the new key, and the RRSIGs generated by the old key. Publishing the new key for the complete duration of the pre-roll phase gives the DNSKEY resource record corresponding to the new key time to propagate to the secondary name servers.

    Example:

    A new key example.com.zsk2 is added to the example.com zone. The zone is not signed with example.com.zsk2 until the pre-roll phase is complete. The example.com zone contains DNSKEY resource records for both example.com.zsk1 and example.com.zsk2.

    NetScaler commands:

    Perform the following tasks on NetScaler:

    • Create a DNS key by using the create dns key command.

      For more information about creating a DNS key, including an example, see Create DNS keys for a zone.

    • Publish the new DNS key in the zone by using the add dns key command.

      For more information about publishing the key in the zone, including an example, see Publish a DNS key in a zone.

  • Stage 3: New RRSIGs. The zone is signed with the new DNS key and then unsigned with the old DNS key. The old DNS key is not removed from the zone and remains published until the RRSIGs generated by the old key expire.

    Example:

    The zone is signed with example.com.zsk2 and then unsigned with example.com.zsk1. The zone continues to publish example.com.zsk1 until the RRSIGs generated by example.com.zsk1 expire.

    NetScaler commands:

    Perform the following tasks on NetScaler:

    • Sign the zone with the new DNS key by using the sign dns zone command.
    • Unsign the zone with the old DNS key by using the unsign dns zone command.

    For more information about signing and unsigning a zone, including examples, see Sign and unsign a DNS zone.

  • Stage 4: DNSKEY Removal. When the RRSIGs generated by the old DNS key expire, the old DNS key is removed from the zone.

    Example:

    The old DNS key example.com.zsk1 is removed from the example.com zone.

    NetScaler commands

    On the ADC, you remove the old DNS key by using the rm dns key command. For more information about removing a key from a zone, including an example, see Remove a DNS key.

Double signature key rollover

RFC 4641, “DNSSEC Operational Practices” defines three stages for double signature key rollover: initial, new DNSKEY, and DNSKEY removal. Each stage is associated with a set of tasks that you must perform on the ADC. Following are the descriptions of each stage and the tasks that you must perform. The rollover procedure described here can be used for both Key Signing Keys and Zone Signing Keys.

  • Stage 1: Initial. The zone contains only those key sets with which the zone has currently been signed. The state of the zone in the initial stage is the state of the zone just before you begin the key rollover process.

    Example:

    Consider the key, example.com.zsk1, with which the zone example.com is signed. The zone contains only those RRSIGs generated by the example.com.zsk1 key, which is due for expiry. The Key Signing Key is example.com.ksk1.

  • Stage 2: New DNSKEY. The new key is published in the zone and the zone is signed with the new key. The zone contains the RRSIGs that are generated by the old and the new keys. The minimum duration for which the zone must contain both sets of RRSIGs is the time required for all the RRSIGs to expire.

    Example:

    A new key example.com.zsk2 is added to the example.com zone. The zone is signed with example.com.zsk2. The example.com zone now contains the RRSIGs generated from both keys.

    NetScaler commands

    Perform the following tasks on NetScaler:

    • Create a DNS key by using the create dns key command.

      For more information about creating a DNS key, including an example, see Create DNS keys for a zone.

    • Publish the new key in the zone by using the add dns key command.

      For more information about publishing the key in the zone, including an example, see Publish a DNS key in a zone.

    • Sign the zone with the new key by using the sign dns zone command.

      For more information about signing a zone, including examples, see Sign and unsign a DNS zone.

  • Stage 3: DNSKEY Removal. When the RRSIGs generated by the old DNS key expire, the old DNS key is removed from the zone.

    Example:

    The old DNS key example.com.zsk1 is removed from the example.com zone.

    NetScaler commands:

    On NetScaler, you remove the old DNS key by using the rm dns key command.

    For more information about removing a key from a zone, including an example, see Remove a DNS key.

Double-RRset

RFC 7583, “DNSSEC Key Rollover Timing Considerations” defines three stages for double rrset rollover: initial, new DNSKEY, and DNSKEY removal. Each stage is associated with a set of tasks that you must perform on NetScaler. Following are the descriptions of each stage and the tasks that you must perform. The rollover procedure described here is used for Key Signing Keys.

  • Stage 1: Initial. The zone contains only those key sets and records with which the zone has currently been signed. The state of the zone in the initial stage is the state of the zone just before you begin the key rollover process.

    Example:

    Consider the key, example.com.zsk1, and key.example.com.ksk1, with which the zone example.com and DNSSEC Key are signed respectively. The zone contains only those DNSKEY RRSIGs generated by the example.com.ksk1 key, that are due for expiry.

  • Stage 2: New DNSKEY. New DNSKEY. The new KSK key is created, and published in the zone. Two DNSSEC Keys and RRSig are available in the zone, one created by old key and one by new key. Update the new DS record in the parent zone. Now, the parent zone has two DS records one for the newly created key and one for the old key.

Note:

It might take some time for the DS record to become available in the parent zone.

The zone contains the RRSIGs that are generated by the old and the new keys. In order for the zone to contain both sets of RRSIGs, it is necessary to wait for the expiry of all RRSIGs, which is the TTL value for the DNSKEY record. Additionally, you must consider the propagation delay in the case of DNS hierarchy. Example:

A new key example.com.ksk2 is added to the example.com zone. The zone is signed with example.com.ksk2. The example.com zone now contains the RRSIGs generated from both keys.

 **NetScaler commands**

Perform the following tasks on NetScaler:

-  Create a DNS key by using the `create dns key` command.

    For more information about creating a DNS key, including an example, see [Create DNS keys for a zone](/en-us/citrix-adc/current-release/dns/dnssec/configure-dnssec.html).

-  Publish the new key in the zone by using the `add dns key` command.

    For more information about publishing the key in the zone, including an example, see [Publish a DNS key in a zone](/en-us/citrix-adc/current-release/dns/dnssec/configure-dnssec.html).

-  Sign the zone with the new key by using the `sign dns zone` command.

    For more information about signing a zone, including examples, see [Sign and unsign a DNS zone](/en-us/citrix-adc/current-release/dns/dnssec/configure-dnssec.html).
  • Stage 3: Unsign zone with old key.

    Once sufficient time has elapsed for the new DNSSEC key to be cached in resolvers, zone can be unsigned with old key.

    Unsign the zone with the old key by using the unsign dns zone command.

    For more information about unsigning a zone, including examples, see Sign and unsign a DNS zone.

  • Stage 4: DNSKEY Removal. When the RRSIGs generated by the old DNS key expire, the old DNS key is removed from the zone.

Note:

Ensure that you have unsigned the zone before deleting the key.

**Example:**

The old DNS key example.com.ksk1 is removed from the example.com zone.

**NetScaler commands:**

On the ADC, you remove the old DNS key by using the `rm dns key` command. For more information about removing a key from a zone, including an example, see [Remove a DNS key](/en-us/citrix-adc/current-release/dns/dnssec/configure-dnssec.html).
Zone maintenance