How to Configure DNSSEC on a NetScaler Appliance in the ADNS Mode



Article ID: CTX128947


Description

This document contains information about configuring Domain Name System Security Extensions (DNSSEC) on a NetScaler appliance.

Background

NetScaler software release 9.1 and earlier did not support DNSSEC or Extension Mechanisms for DNS (EDNS). NetScaler software release 9.2e and later support DNSSEC to secure Domain Name System (DNS) responses sent from a NetScaler appliance, and with EDNS the appliance can process UDP responses larger than 512 bytes. DNSSEC helps limit attacks such as cache poisoning and preserves the authenticity and integrity of the DNS response. Traditionally, all DNS responses that needed authentication had to move from UDP to TCP, which results in an additional TCP handshake and slower responses.

With DNSSEC support, the appliance can respond to DNS queries with EDNS flags set with data bytes of more than 512 bytes on UDP.

NetScaler software release 9.2e and later support DNSSEC in Authoritative Domain Naming System (ADNS) mode as well as in DNS proxy mode.


Instructions

To configure DNSSEC on a NetScaler appliance in the ADNS mode, complete the following procedure:

Step A: Create the SOA and Name Server records for the ADNS domain on the appliance. Complete the following procedure to add the records:

  1. Expand the DNS node of the Navigation pane in the Configuration utility of the appliance.

  2. Expand the Records node.

  3. Select the SOA Records node.

  4. Click Add on the SOA Records page.

  5. Type the required details in the Create SOA Record dialog box, as shown in the following screenshot:

    [Screenshot: Create SOA Record dialog box]

  6. Click Create.

  7. Click Close.

  8. Select the Name Server Records node in the Navigation pane.

  9. Click Add in the Name Server Records page.

  10. Type the required details in the Create Name Server Record dialog box, as shown in the following screenshot:

    [Screenshot: Create Name Server Record dialog box]

  11. Click Create.

  12. Click Close.

Step B: Create DNS zone for domain example.com. Complete the following procedure to add the domain:

  1. Expand the System node.

  2. Expand the DNS node.

  3. Select the Zones node.

  4. Click Add in the Zones page.

  5. Type the DNS zone in the DNS Zone field, as shown in the following screenshot:

    [Screenshot: DNS Zone field on the Zones page]

  6. Click Create.

  7. Click Close.

Step C: Create the DNS Zone Signing Key (ZSK) and Key Signing Key (KSK). Complete the following procedure to create the keys:

  1. Expand the System node.

  2. Select the DNS node.

  3. Click the Create DNS Key link in the DNS page.

  4. Type the zone name in the Zone Name field in the Create DNS Key dialog box.

  5. Select ZSK (Zone Signing Key) from the Type list, as shown in the following screenshot:

    [Screenshot: Create DNS Key dialog box with ZSK selected]

  6. Click Create.

  7. Click Close.

  8. Repeat steps 1 to 7, but this time select KSK (Key Signing Key) in step 5 and be sure to enter a different name in the File Name Prefix field.

    [Screenshot: Create DNS Key dialog box with KSK selected]

Step D: Add the generated key files to the appliance. Complete the following procedure to add the keys:

  1. Select Keys node in the Navigation pane.

  2. Click Add in the Keys page.

  3. Type the DNS key name in the DNS Key Name field in the Add DNS Key dialog box.

  4. Click Browse (Appliance) and choose a .key file for the Public Key field.

  5. Click Browse (Appliance) and choose a .private file for the Private Key field.

    [Screenshot: Add DNS Key dialog box with the ZSK files selected]

  6. Click Create.

  7. Click Close.

  8. Repeat steps 1 to 7 to add the KSK key files as well.

    [Screenshot: Add DNS Key dialog box with the KSK files selected]

Step E: Sign the zone using the keys created. Complete the following sub-procedure to sign the zone:

  1. Expand the DNS node.

  2. Select the Zones node.

  3. Select the required zone and click Sign/Unsign, as shown in the following screenshot:

    [Screenshot: Zones page with the Sign/Unsign button]

  4. Enable the example.com option, as shown in the following screenshot:

    [Screenshot: Sign/Unsign dialog box with example.com enabled]

  5. Click OK.

  6. Repeat the same steps to sign the zone with the KSK as well.

Testing

Run the following command to query the ADNS name server for the domain:
dig @10.217.145.233 example.com
; <<>> DiG 9.6.1-P3 <<>> @10.217.145.233 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45265
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;example.com.           IN      A
;; ANSWER SECTION:
example.com.    3600    IN      A       1.2.3.4
;; Query time: 0 msec
;; SERVER: 10.217.145.233#53(10.217.145.233)
;; WHEN: Wed Mar  2 09:53:02 2011
;; MSG SIZE  rcvd: 53

Run the following command to query the name server again with the DNSSEC option, which sets the EDNS DO bit and requests the signature records:

dig @10.217.145.233 example.com +dnssec
; <<>> DiG 9.6.1-P3 <<>> @10.217.145.233 example.com +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37593
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
;; QUESTION SECTION:
; example.com.           IN      A
;; ANSWER SECTION:
example.com.    3600    IN      A       1.2.3.4
example.com.    3600    IN      RRSIG   A 5 2 3600 20110630225325 20110302225325 47820 example.com. o1ZgUb+Q4iszVYIqd/j7alqxZpkIkRP8g6PwgVDt8LjW1BzDYOCbdNpk 0k47gAhSTFR95NKYXv2ofdNFkaQcVA==
;; Query time: 0 msec
;; SERVER: 10.217.145.233#53(10.217.145.233)
;; WHEN: Wed Mar  2 09:53:14 2011
;; MSG SIZE  rcvd: 179

Troubleshooting

Use any available online DNSSEC validation tool to check that DNSSEC responses are served correctly. The following are common issues that you might run into, with their troubleshooting steps:

  1. “no DS record found for example.com in the com zone”
    This means that the DS records that were created automatically in Step C have not been submitted to the parent com zone. Each parent zone (com, gov, and so on) has its own method of accepting DS records; follow that method accordingly.

  2. “no RRSIGs found”
    This means that the zone has not been signed with the ZSK (see Step E).
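The following Python script is an added illustration and is not part of this article or of NetScaler's own code. It builds the same kind of query that dig +dnssec sends (an EDNS OPT record with the DO bit set and a 1280-byte UDP payload size) and parses a wire-format response for the signals the Testing section looks for and the “no RRSIGs found” entry above describes: the AA flag, the OPT record and DO bit, and RRSIG records in the answer section. The response it parses is constructed inline and modelled on the dig output above; the RRSIG timestamps and signature bytes are placeholders, not values captured from an appliance.

```python
import struct

# Added example (not from the Citrix article or NetScaler): parse DNS wire-format
# messages for the DNSSEC signals shown in the dig output: the EDNS OPT record
# (UDP payload size, DO bit) and RRSIG records in the answer section.

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1
DO_BIT = 0x8000          # "DNSSEC OK" bit in the OPT record's extended flags field
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            if end is None:
                end = offset + 2               # the record continues after the pointer
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(name, qid, dnssec=True, udp_size=1280):
    """Build the query dig sends: RD set and, for +dnssec, an OPT RR with DO=1."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if dnssec else 0)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if dnssec:
        # OPT RR: root name, type 41, CLASS field = UDP payload size,
        # TTL field = extended RCODE / EDNS version / flags (DO bit), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT, 0)
    return msg


def parse_response(data):
    """Parse the header and all sections; pull out EDNS and per-section records."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                        # skip the question section
        _, off = decode_name(data, off)
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    edns = None
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            rdata, off = data[off:off + rdlen], off + rdlen
            if rtype == TYPE_OPT:              # pseudo-RR, reported separately
                edns = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                        "do": bool(ttl & DO_BIT)}
            else:
                sections[section].append((name, rtype, ttl, rdata))
    return {"id": qid, "aa": bool(flags & FLAG_AA), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "sections": sections, "edns": edns, "size": len(data)}


def check_dnssec(parsed):
    """Return the problems an online checker would report for this answer; [] means OK."""
    problems = []
    if not parsed["aa"]:
        problems.append("answer is not authoritative (AA flag clear)")
    if parsed["edns"] is None:
        problems.append("no OPT record: EDNS not supported by the server")
    elif not parsed["edns"]["do"]:
        problems.append("DO bit clear in OPT record")
    if TYPE_RRSIG not in {r[1] for r in parsed["sections"]["answer"]}:
        problems.append("no RRSIGs found")     # zone not signed with the ZSK
    return problems


def build_sample_response(qid, signed=True):
    """Constructed authoritative answer modelled on the dig output (not a capture)."""
    name = encode_name("example.com")
    rrs = [name + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) + bytes([1, 2, 3, 4])]
    if signed:
        # RRSIG RDATA: type covered, algorithm 5 (RSASHA1), labels, original TTL,
        # expiration, inception, key tag 47820, signer name, signature.  The
        # timestamps and the 64 zero bytes of signature are placeholders.
        sig = struct.pack("!HBBIIIH", TYPE_A, 5, 2, 3600, 1309474405, 1299106405, 47820)
        sig += name + b"\x00" * 64
        rrs.append(name + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 3600, len(sig)) + sig)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1280, DO_BIT, 0)
    header = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_AA | FLAG_RD, 1, len(rrs), 0, 1)
    return header + name + struct.pack("!HH", TYPE_A, CLASS_IN) + b"".join(rrs) + opt


if __name__ == "__main__":
    for signed in (True, False):
        parsed = parse_response(build_sample_response(37593, signed))
        print("signed" if signed else "unsigned", parsed["edns"], check_dnssec(parsed) or "OK")
```

To run the same check against a live appliance, send the bytes from build_query over UDP to the ADNS IP on port 53 and pass the reply to parse_response and check_dnssec; an unsigned zone produces exactly the “no RRSIGs found” finding, while a signed zone returns an empty list.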

Issue/Introduction

This article describes how to configure DNSSEC on a NetScaler appliance in the ADNS mode.

Additional Information

To submit DS records to the gov zone, click here.