To set up DNSSEC offloading, you must configure a DNS load balancing virtual server, configure services that represent the DNS servers, and then bind the services to the virtual server. For information about configuring a DNS load balancing virtual server, configuring services, and binding the services to the virtual server, see Configuring a DNS Zone.
You must create a zone entity on the ADC for each DNS zone whose DNSSEC operations you want to offload. For each DNS zone, you must enable the Proxy Mode and DNSSEC Offload parameters. You can optionally configure NSEC record generation for an offloaded zone. To create a DNS zone entity for DNSSEC offloading, follow the instructions in this topic.
To complete the configuration, you must generate DNS keys for the zone, add the keys to the zone, and then sign the zone with the keys. This process is the same as for normal DNSSEC. For information about creating keys, adding keys to a zone, and signing the zone, see Domain Name System Security Extensions.
After you configure DNSSEC offloading, you must flush the DNS cache on the ADC. Flushing the DNS cache ensures that any unsigned records in the cache are removed and subsequently replaced by signed records. For information about flushing the DNS cache, see Enabling Caching of DNS Records.
At the command line, type the following commands to enable DNSSEC offloading for a zone and verify the configuration:
> add dns zone example.com -proxyMode YES -dnssecOffload ENABLED -nsec ENABLED
 Done
> show dns zone example.com
 Zone Name : example.com
 Proxy Mode : YES
 DNSSEC Offload: ENABLED NSEC: ENABLED
 Done
>
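The cache flush described above exists so that no unsigned record is still served after offloading is enabled. The following check is an added example, not part of the original documentation or of the ADC software: it parses the text output of `dig +dnssec` for a query sent through the virtual server and reports any RRset in the answer that has no covering RRSIG. The sample outputs, names, addresses, and signature data are constructed for illustration.

```python
import re

# Constructed samples of `dig +dnssec` output (names, addresses, signatures invented).
SIGNED = """\
;; ANSWER SECTION:
www.example.com. 3600 IN CNAME web.example.com.
www.example.com. 3600 IN RRSIG CNAME 8 3 3600 20300101000000 20291201000000 12345 example.com. c2ln
web.example.com. 3600 IN A 192.0.2.10
web.example.com. 3600 IN RRSIG A 8 3 3600 20300101000000 20291201000000 12345 example.com. c2ln

;; AUTHORITY SECTION:
example.com. 3600 IN NS ns1.example.com.
"""
# Same answer, but the A record comes back without its signature (stale cache entry).
STALE = SIGNED.replace(
    "web.example.com. 3600 IN RRSIG A 8 3 3600 20300101000000 20291201000000 12345 example.com. c2ln\n", "")
NODATA = ";; AUTHORITY SECTION:\nexample.com. 3600 IN SOA ns1.example.com. admin.example.com. 1 2 3 4 5\n"

RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")

def answer_rrsets(dig_output):
    """Return (rrsets, covered): RRsets in the ANSWER section and those with an RRSIG."""
    rrsets, covered, in_answer = set(), set(), False
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";;"):            # section header or other dig comment
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        m = RR_LINE.match(line) if in_answer else None
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3)
        if rtype == "RRSIG":
            covered.add((owner, rdata.split()[0].upper()))  # first RDATA field = type covered
        else:
            rrsets.add((owner, rtype))
    return rrsets, covered

def unsigned_rrsets(dig_output):
    """Sorted (owner, type) pairs that were answered without a covering RRSIG."""
    rrsets, covered = answer_rrsets(dig_output)
    return sorted(rrsets - covered)

def verdict(dig_output):
    rrsets, _ = answer_rrsets(dig_output)
    if not rrsets:
        return "no-answer"                   # empty answer: never report it as signed
    return "unsigned" if unsigned_rrsets(dig_output) else "signed"

if __name__ == "__main__":
    for name, sample in (("signed", SIGNED), ("stale", STALE), ("nodata", NODATA)):
        print(name, verdict(sample), unsigned_rrsets(sample))
```

The check only confirms that signatures are present in the response; validating them against the zone's keys is a separate step performed by a validating resolver.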