When the Citrix® NetScaler® ADC is authoritative for a given zone, all the resource records in the zone are configured on the ADC. To sign the authoritative zone, you must create keys (the Zone Signing Key and the Key Signing Key) for the zone, add the keys to the ADC, and then sign the zone, as described in Creating DNS Keys for a Zone, Publishing a DNS Key in a Zone, and Signing and Unsigning a DNS Zone, respectively.
If any global server
load balancing (GSLB) domains configured on the ADC belong to the zone being
signed, the GSLB domain names are signed along with the other records that
belong to the zone.
After you sign a zone, responses to requests from DNSSEC-aware clients include the RRSIG resource records along with the requested resource records. DNSSEC must be enabled on the ADC. For more information about enabling DNSSEC, see Enabling and Disabling DNSSEC.
Finally, after you
configure DNSSEC for the authoritative zone, you must save the NetScaler