Enable DNS SEC for a netscaler NON-GSLB / GSLB DNS configuration

Nowadays you want to be able to verify that a DNS zone is signed and validates correctly with DNSSEC. This is how you do it on a NetScaler, if you ever wondered :-).

Verify that the DNSSEC extension is enabled:

>show dns parameter
DNSEC Extension: ENABLED
Done
>

If you want to disable DNSSEC (it is enabled by default):

>set dns parameter -dnssec DISABLED

// side-step for non-GSLB zones on a NetScaler
NON-GSLB — Create a zone that is served by plain DNS on the NetScaler (no GSLB). Use -proxyMode NO for normal DNS zones, unless the NetScaler is not authoritative for the zone, in which case use YES. The rest of this example assumes you are using GSLB.

>add dns zone gslb.domain.com -proxyMode NO

GSLB — Create a zone that is running in GSLB on the NetScaler (otherwise you cannot sign the zone that is configured in GSLB):

>add dns zone gslb.domain.com -proxyMode YES

Create a ZSK and a KSK for the zone. Note that RSASHA1 (and a 1024-bit ZSK) is no longer recommended for new signing keys; prefer a newer algorithm such as RSASHA256 where your NetScaler release offers it:

>create dns key -zoneName gslb.domain.com -keyType zsk -algorithm RSASHA1 -keySize 1024 -fileNamePrefix gslb.domain.com.zsk.rsasha1.1024

>create dns key -zoneName gslb.domain.com -keyType ksk -algorithm RSASHA1 -keySize 4096 -fileNamePrefix gslb.domain.com.ksk.rsasha1.4096

Publish the keys you created in the zone you want to sign:

>add dns key gslb.domain.com.zsk gslb.domain.com.zsk.rsasha1.1024.key gslb.domain.com.zsk.rsasha1.1024.private

>add dns key gslb.domain.com.ksk gslb.domain.com.ksk.rsasha1.4096.key gslb.domain.com.ksk.rsasha1.4096.private

Sign the zone with both keys:

>sign dns zone gslb.domain.com -keyName gslb.domain.com.zsk gslb.domain.com.ksk

Verify that the zone is signed (DNSKEY should now appear in the record types):

>show dns zone gslb.domain.com
Zone Name : gslb.domain.com
Proxy Mode : YES
Domain Name : gslb.domain.com
Record Types : NS SOA DNSKEY
>

View and verify the NSEC records for the zone:

>show dns nsecRec gslb.domain.com

Verify from a client with dig:

dig gslb.domain.com +dnssec +multi @ns01.domain-ns-server.com
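To check the dig output from the step above mechanically, here is an added Python example (not from the original post) that parses the DNSKEY and RRSIG records out of `dig +dnssec +multi` output, recomputes each key's key tag as specified in RFC 4034 Appendix B, and confirms that a KSK (flags 257) and a ZSK (flags 256) are published, that every RRSIG references a published key, and that the DNSKEY RRset is signed by the KSK. The embedded dig output is a constructed sample with toy key data, not a capture from a real zone.

```python
import base64

# Constructed sample of `dig gslb.domain.com DNSKEY +dnssec +multi` output (toy keys, not real).
SAMPLE_DIG_OUTPUT = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
gslb.domain.com.\t3600 IN DNSKEY 256 3 5 (
\t\t\t\tAQI=
\t\t\t\t) ; ZSK; alg = RSASHA1 ; key id = 1287
gslb.domain.com.\t3600 IN DNSKEY 257 3 5 (
\t\t\t\tAQI=
\t\t\t\t) ; KSK; alg = RSASHA1 ; key id = 1288
gslb.domain.com.\t3600 IN RRSIG DNSKEY 5 3 3600 (
\t\t\t\t20250301000000 20250201000000 1288 gslb.domain.com.
\t\t\t\tc2lnbmF0dXJl )
"""

# Algorithm numbers RFC 8624 lists as MUST NOT or NOT RECOMMENDED for signing
# (RSAMD5, DSA, RSASHA1, DSA-NSEC3-SHA1, RSASHA1-NSEC3-SHA1).
LEGACY_ALGORITHMS = {1, 3, 5, 6, 7}

def parse_records(text):
    """Join dig's multi-line ( ... ) records into one token list each; skip comments."""
    records, buf, open_paren = [], [], False
    for line in text.splitlines():
        if not open_paren and line.startswith(";"):
            continue
        body = line.split(";", 1)[0]          # drop dig's trailing "; KSK; alg = ..." comments
        open_paren = ("(" in body) or (open_paren and ")" not in body)
        buf.extend(body.replace("(", " ").replace(")", " ").split())
        if not open_paren and buf:
            records.append(buf)
            buf = []
    return records

def dnskey_key_tag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B (generic algorithm, valid for all algorithms except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def check_zone_signing(dig_output):
    keys, rrsigs = {}, []                     # key tag -> (flags, alg); (type covered, alg, key tag)
    for rec in parse_records(dig_output):     # tokens: owner ttl class type rdata...
        if rec[3] == "DNSKEY":
            flags, proto, alg = int(rec[4]), int(rec[5]), int(rec[6])
            keys[dnskey_key_tag(flags, proto, alg, "".join(rec[7:]))] = (flags, alg)
        elif rec[3] == "RRSIG":
            rrsigs.append((rec[4], int(rec[5]), int(rec[10])))
    return {
        "has_ksk": any(f == 257 for f, _ in keys.values()),
        "has_zsk": any(f == 256 for f, _ in keys.values()),
        "dnskey_signed_by_ksk": any(t == "DNSKEY" and keys.get(k, (0, 0))[0] == 257 for t, _, k in rrsigs),
        "unknown_key_tags": sorted(k for _, _, k in rrsigs if k not in keys),
        "legacy_algorithms": sorted({a for _, a in keys.values() if a in LEGACY_ALGORITHMS}),
    }

if __name__ == "__main__":
    print(check_zone_signing(SAMPLE_DIG_OUTPUT))
```

On a live zone, pipe the real `dig gslb.domain.com DNSKEY +dnssec +multi @ns01.domain-ns-server.com` output into `check_zone_signing`; a non-empty `unknown_key_tags` means a signature references a key that is not published, and `legacy_algorithms` flags keys created with RSASHA1 as in this post.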

Set a longer expiry time on the key (default is 30 days if I remember correctly):

>set dns key gslb.domain.com.ksk -expires 365 DAYS -notificationPeriod 30 DAYS -TTL 3600
