Configure DNSSEC when the NetScaler is authoritative for a zone

When the NetScaler ADC is authoritative for a given zone, all the resource records in the zone are configured on the ADC. To sign the authoritative zone, you must create keys (the Zone Signing Key and the Key Signing Key) for the zone, add the keys to the ADC, and then sign the zone, as described in Create DNS keys for a zonePublish a DNS key in a zone, and Sign and unsign a DNS zone, respectively.

If any global server load balancing (GSLB) domains configured on the ADC belong to the zone being signed, the GSLB domain names are signed along with the other records that belong to the zone.

After you sign a zone, responses to requests from DNSSEC-aware clients include the RRSIG resource records along with the requested resource records. DNSSEC must be enabled on the ADC. For more information about enabling DNSSEC, see Enable and disable DNSSEC.

Finally, after you configure DNSSEC for the authoritative zone, you must save the NetScaler configuration.