Product Documentation

Configuring DNSSEC When the NetScaler ADC is Authoritative for a Zone

Aug 31, 2016

When the Citrix® NetScaler® ADC is authoritative for a given zone, all the resource records in the zone are configured on the ADC. To sign the authoritative zone, you must create keys (the Zone Signing Key and the Key Signing Key) for the zone, add the keys to the ADC, and then sign the zone, as described in Creating DNS Keys for a Zone, Publishing a DNS Key in a Zone, and Signing and Unsigning a DNS Zone, respectively.

If any global server load balancing (GSLB) domains configured on the ADC belong to the zone being signed, the GSLB domain names are signed along with the other records that belong to the zone.

After you sign a zone, responses to requests from DNSSEC-aware clients include the RRSIG resource records along with the requested resource records. DNSSEC must be enabled on the ADC. For more information about enabling DNSSEC, see Enabling and Disabling DNSSEC.

Finally, after you configure DNSSEC for the authoritative zone, you must save the NetScaler configuration.