Enable DNSSEC for a NetScaler non-GSLB / GSLB DNS configuration
- Angelo Schalley
- Mar, 27, 2018
- Certificates, DNS, Netscaler, Networking, security
Nowadays you want to verify that a DNS zone is secured and validates correctly with DNSSEC. This is how you do it on a NetScaler, if you ever wondered :-).
Verify that the DNSSEC extension is enabled:
>show dns parameter
DNSEC Extension: ENABLED
Done
>
If you want to disable DNSSEC (it is enabled by default):
>set dns parameter -dnssec DISABLED
// Side-step for non-GSLB zones on a NetScaler
NON-GSLB: create a zone that is served by plain DNS on the NetScaler (no GSLB):
For this example I'm going to assume you are using GSLB. (Use proxyMode NO for normal DNS zones, unless you are not authoritative; then use YES.)
>add dns zone gslb.domain.com -proxyMode NO
GSLB: create a zone that is running in GSLB on the NetScaler (otherwise you cannot sign the zone that is configured in GSLB):
>add dns zone gslb.domain.com -proxyMode YES
Create a DNS key for the zone:
>create dns key -zoneName gslb.domain.com -keyType zsk -algorithm RSASHA1 -keySize 1024 -fileNamePrefix gslb.domain.com.zsk.rsasha1.1024
>create dns key -zoneName gslb.domain.com -keyType ksk -algorithm RSASHA1 -keySize 4096 -fileNamePrefix gslb.domain.com.ksk.rsasha1.4096
Publish the keys you created in the zone you want to sign:
>add dns key gslb.domain.com.zsk gslb.domain.com.zsk.rsasha1.1024.key gslb.domain.com.zsk.rsasha1.1024.private
>add dns key gslb.domain.com.ksk gslb.domain.com.ksk.rsasha1.4096.key gslb.domain.com.ksk.rsasha1.4096.private
Sign the zone:
>sign dns zone gslb.domain.com -keyName gslb.domain.com.zsk gslb.domain.com.ksk
Verify that the zone is signed:
>show dns zone gslb.domain.com
Zone Name : gslb.domain.com
Proxy Mode : YES
Domain Name : gslb.domain.com
Record Types : NS SOA DNSKEY
>
View and verify the NSEC record for a zone:
>show dns nsecRec gslb.domain.com
Verify with dig:
dig gslb.domain.com +dnssec +multi @ns01.domain-ns-server.com
Set a longer expiry time on the key (the default is 30 days, if I remember correctly):
>set dns key gslb.domain.com.ksk -expires 365 DAYS -notificationPeriod 30 DAYS -TTL 3600
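Once the zone is signed, the dig step above is what tells you whether resolvers will actually validate it. The following is an added example, not part of the original post and not NetScaler code: it parses the text that `dig <zone> DNSKEY +dnssec +multi` prints, checks that both a KSK and a ZSK are published, that RRSIGs exist and are not expired or about to expire (the reason the key expiry above matters), and flags RSASHA1, the algorithm the post's commands use, which RFC 8624 has since marked MUST NOT for signing. The sample output, key ids and key material are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample in `dig gslb.domain.com DNSKEY +dnssec +multi` layout; key bytes, ids and signature are placeholders.
SAMPLE = """\
gslb.domain.com.  3600 IN DNSKEY 256 3 5 (
        AwEAAcZSKPLACEHOLDER ) ; ZSK; alg = RSASHA1 ; key id = 11111
gslb.domain.com.  3600 IN DNSKEY 257 3 5 (
        AwEAAcKSKPLACEHOLDER ) ; KSK; alg = RSASHA1 ; key id = 22222
gslb.domain.com.  3600 IN RRSIG DNSKEY 5 3 3600 (
        20180426120000 20180327120000 22222 gslb.domain.com.
        RRSIGPLACEHOLDER== )
"""
DEPRECATED_ALGS = {"5": "RSASHA1", "7": "RSASHA1-NSEC3-SHA1"}  # RFC 8624: MUST NOT be used for signing
def rrsig_time(field):
    # RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
def parse_records(dig_output):
    """Return (owner, ttl, rtype, rdata_fields) per record, joining ( ... ) continuation lines."""
    records, buf = [], []
    for raw in dig_output.splitlines():
        line = raw.split(";")[0].strip()  # drop ';' comments and ';;' header lines
        if line:
            buf.append(line)
        joined = " ".join(buf)
        if not buf or joined.count("(") != joined.count(")"):
            continue  # nothing buffered yet, or the record continues on the next line
        owner, ttl, _cls, rtype, *rdata = joined.replace("(", " ").replace(")", " ").split()
        records.append((owner, int(ttl), rtype, rdata))
        buf = []
    return records

def check_zone(dig_output, now=None, warn_days=7):
    """Findings as of `now` (RRSIG-style UTC timestamp string; default: current time). Empty = healthy."""
    now = rrsig_time(now) if now else datetime.now(timezone.utc)
    findings, records = [], parse_records(dig_output)
    keys = [r[3] for r in records if r[2] == "DNSKEY"]  # rdata: flags proto alg keydata
    for flag, role in (("257", "KSK"), ("256", "ZSK")):
        if flag not in {k[0] for k in keys}:
            findings.append(f"no {role} (DNSKEY flags {flag}) published")
    for alg in sorted({k[2] for k in keys} & set(DEPRECATED_ALGS)):
        findings.append(f"DNSKEY algorithm {alg} ({DEPRECATED_ALGS[alg]}) is deprecated for signing")
    sigs = [r[3] for r in records if r[2] == "RRSIG"]  # rdata: covered alg labels ottl exp inc tag signer sig
    if not sigs:
        findings.append("no RRSIG records: zone unsigned or signatures stripped in transit")
    for rdata in sigs:
        expires = rrsig_time(rdata[4])
        if now >= expires:
            findings.append(f"RRSIG over {rdata[0]} expired on {expires:%Y-%m-%d}")
        elif expires - now < timedelta(days=warn_days):
            findings.append(f"RRSIG over {rdata[0]} expires within {warn_days} days ({expires:%Y-%m-%d})")
    return findings
```

Feed it the real dig output for your zone (for example `check_zone(open("dig.txt").read())`) from a cron job and alert on any non-empty result; a zone whose RRSIGs lapse goes bogus for every validating resolver at once.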