Offloading DNSSEC Operations to the NetScaler ADC

Aug 31, 2016
For DNS zones for which your DNS servers are authoritative, you can offload DNSSEC operations to the NetScaler ADC. In a DNSSEC offloading deployment, a DNS server sends unsigned responses. The ADC signs the response on the fly before relaying it to the client. The ADC also caches the signed response. Apart from reducing the load on the DNS servers, offloading DNSSEC operations to the ADC gives you the following benefits:
  • You can sign records that the DNS servers generate programmatically. Such records cannot be signed by routine zone signing operations performed on the DNS servers.
  • You can serve signed responses to clients even if you have not implemented DNSSEC on your servers.

To set up DNSSEC offloading, you must configure a DNS load balancing virtual server, configure services that represent the DNS servers, and then bind the services to the virtual server. For information about these three steps, see Configuring a DNS Zone.

You must create a zone entity on the ADC for each DNS zone whose DNSSEC operations you want to offload. For each DNS zone, you must enable the Proxy Mode and DNSSEC Offload parameters. You can optionally configure NSEC record generation for an offloaded zone. To create a DNS zone entity for DNSSEC offloading, follow the instructions in this topic.

To complete the configuration, you must generate DNS keys for the zone, add the keys to the zone, and then sign the zone with the keys. This process is the same as for normal DNSSEC. For information about creating keys, adding keys to a zone, and signing the zone, see Domain Name System Security Extensions.

After you configure DNS offloading, you must flush the DNS cache on the ADC. Flushing the DNS cache ensures that any unsigned records in the cache are removed and subsequently replaced by signed records. For information about flushing the DNS cache, see Enabling Caching of DNS Records.
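Once the cache has been flushed, the practical check is to send a query with the DNSSEC OK (DO) bit set to the DNS virtual server and confirm that every answer RRset comes back with an RRSIG whose signer is the offloaded zone. The script below is an added example, not code from this documentation or from the NetScaler product: it parses a DNS response in wire format without any third-party library, reports answer RRsets that lack a covering RRSIG, flags RRSIGs signed by a name other than the zone, and warns when the DO bit is absent (in which case the ADC would not include signatures at all). It does not validate signatures cryptographically. The sample response it builds is constructed for the test; the zone name, IP address and key tag are assumptions.

```python
import struct
import time

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46


def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(msg):
    """Parse a DNS message into (header flags, [(section, name, type, ttl, rdata)])."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = decode_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return flags, records


def audit_dnssec_response(msg, zone):
    """Return a list of problems; an empty list means every answer RRset is signed by the zone."""
    _, records = parse_message(msg)
    problems = []
    # In an OPT record the DO flag is bit 15 of the 32-bit TTL field (RFC 6891).
    if not any(s == "additional" and t == TYPE_OPT and (ttl >> 15) & 1
               for s, _, t, ttl, _ in records):
        problems.append("DO bit not set in OPT record: the ADC will not include RRSIGs")
    zone = zone.strip(".").lower() + "."
    rrsets = {(n, t) for s, n, t, _, _ in records if s == "answer" and t != TYPE_RRSIG}
    for name, rtype in sorted(rrsets):
        signers = []
        for sec, rname, rt, _, rdata in records:
            if sec == "answer" and rt == TYPE_RRSIG and rname == name:
                type_covered = struct.unpack("!H", rdata[:2])[0]
                signer, _ = decode_name(rdata, 18)   # signer name follows the 18-byte fixed part
                if type_covered == rtype:
                    signers.append(signer.lower())
        if not signers:
            problems.append(f"no RRSIG covers {name} type {rtype}")
        elif zone not in signers:
            problems.append(f"RRSIG for {name} type {rtype} signed by {signers[0]}, not {zone}")
    return problems


def build_sample_response(zone, host_ip, signed=True, do_bit=True, signer=None):
    """Constructed sample response for testing the audit; not captured from a real ADC."""
    qname = encode_name("www." + zone)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2 if signed else 1, 0, 1)
    question = qname + struct.pack("!HH", TYPE_A, 1)
    a_rdata = bytes(int(o) for o in host_ip.split("."))
    answer = qname + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + a_rdata
    if signed:
        now = int(time.time())
        # type covered, algorithm 8 (RSA/SHA-256), labels, original TTL, expiry, inception, key tag
        sig_rdata = struct.pack("!HBBIIIH", TYPE_A, 8, 3, 300, now + 86400, now - 3600, 12345)
        sig_rdata += encode_name(signer or zone) + bytes(64)   # placeholder signature bytes
        answer += qname + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig_rdata)) + sig_rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000 if do_bit else 0, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    for label, kwargs in (("signed", {}), ("unsigned", {"signed": False}),
                          ("no DO bit", {"do_bit": False}), ("wrong signer", {"signer": "other.test"})):
        print(label, audit_dnssec_response(build_sample_response("example.com", "192.0.2.10", **kwargs), "example.com"))
```

In use, replace the constructed message with the raw bytes of a response received from the DNS virtual server (for example the payload of a UDP query sent with the DO bit set); an empty problem list after the cache flush confirms that unsigned records are no longer being served, while a "no RRSIG covers" entry for an RRset indicates a record that was cached before the flush or a zone for which DNSSEC offload is not enabled.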

Note: DNSSEC offloading is supported on all NetScaler MPX platforms, except the NetScaler MPX 9700/10500/12500/15500 FIPS platform. The feature is also supported on NetScaler virtual appliances hosted on NetScaler SDX platforms.

To enable DNSSEC offloading for a zone by using the command line interface

At the command line, type the following commands to enable DNSSEC offloading for a zone and verify the configuration:

  • add dns zone <zoneName> -proxyMode YES -dnssecOffload ENABLED [-nsec ( ENABLED | DISABLED )]
  • show dns zone <zoneName>

Example

> add dns zone example.com -proxyMode YES -dnssecOffload ENABLED -nsec ENABLED
 Done
> show dns zone example.com
    Zone Name : example.com
    Proxy Mode : YES
    DNSSEC Offload: ENABLED    NSEC: ENABLED
 Done
>

To enable DNSSEC offloading for a zone by using the configuration utility

  1. Navigate to Traffic Management > DNS > Zones.
  2. In the details pane, do one of the following:
    • To create a zone on the ADC, click Add.
    • To configure DNSSEC offloading for an existing zone, double-click the zone.
  3. In the Create DNS Zone or Configure DNS Zone dialog box, select the Proxy Mode and DNSSEC Offload check boxes.
  4. Optionally, if you want the ADC to generate NSEC records for the zone, select the NSEC check box.