Nagaraj Harikar

Nagaraj Harikar's Achievements

  1. It is hosted on ITM servers
  2. Authors: Nagaraj Harikar, Dinesh Bansal

     In the realm of the internet infrastructure, DNSSEC (Domain Name System Security Extensions) plays a crucial role in safeguarding domain names and the associated data they point to. It employs cryptographic signatures to verify the authenticity and integrity of DNS records, preventing unauthorized modifications and protecting against DNS spoofing attacks. However, maintaining the effectiveness of DNSSEC requires regular key rollovers to ensure the continued validity of these signatures. Traditional key rollovers, often performed manually, can be a time-consuming and error-prone process. Automated DNSSEC signature rollover has emerged as a powerful and efficient solution to streamline this essential task.

     Understanding DNSSEC Key Rollover

     DNSSEC keys are employed to generate digital signatures that authenticate DNS records. These keys have a defined lifespan, and their timely renewal is essential for maintaining the integrity of DNSSEC protection. Key rollovers involve replacing the existing keys with new ones, ensuring that the cryptographic signatures remain valid and effective.

     Manual vs. Automated Key Rollover

     Manual key rollovers, while effective, can be cumbersome and prone to human error. As shown in the steps below, the process involves generating new keys, updating the DNS zone, and propagating the changes across the DNS hierarchy. This manual intervention can be time-consuming and increases the risk of errors, potentially leading to disruptions in DNS resolution.

     Figure 1: DNSSEC Key rollover steps

     Steps involved in creating a new key:
       A. The first step involves creating a new cryptographic key on NetScaler. This key can be either a Zone Signing Key (ZSK) or a Key Signing Key (KSK) (create DNS key).
       B. In the second step, the newly created key is published. However, it cannot be used to sign any records (add DNS key).
       C. The published key is now active for use and is added to the zone to sign the zone (sign DNS zone).
       D. In the final step, the old key is deactivated and no longer used to sign any records (unsign DNS zone). Once the new signatures have been propagated and the old signatures are no longer needed, the old key is removed (remove DNS key).

     The entire process from step A to step D needs to be repeated in order to create a new ZSK or KSK. In the automated key rollover process, the steps from A to D are automated using the DNSSEC key rollover feature on NetScaler, which simplifies the key management and rollover tasks. For more information, refer to the Zone Maintenance documentation.

     Automatic Distribution of DNSSEC Keys in GSLB Deployments

     Earlier, if a global server load balancing (GSLB) domain was signed by a DNSSEC key that required a rollover, you had to create the keys on one of the GSLB site nodes and manually transfer these to other GSLB sites using scp or some other tool before they could be used. Now, this entire process can be automated by enabling the DNS zone transfer parameter and ensuring the AutomaticConfigSync option is enabled. For more information, refer to the Zone Maintenance for GSLB deployments.

     Benefits of Automated DNSSEC Signature Rollover

     Automated DNSSEC signature rollover offers several compelling advantages:
       • Reduced Operational Overhead: Automation eliminates the need for manual intervention, freeing up IT staff to focus on other critical tasks.
       • Enhanced Security: NetScaler can perform rollovers more consistently and accurately, minimizing the risk of human error and any potential security vulnerabilities.
       • Improved Efficiency: Automation streamlines the rollover process, reducing the time and resources required to maintain DNSSEC protection.
       • Reduced Disruptions: NetScaler can perform rollovers without disrupting DNS resolution, ensuring consistent service availability.

     Implementing Automated DNSSEC Signature Rollover

     As mentioned above, there are two types of keys used by DNSSEC: Zone Signing Key (ZSK) and Key Signing Key (KSK). The ZSK-type key is used to sign DNS resource records of various types such as A, AAAA, NS, SOA, etc. The KSK-type key is used to sign DNSKEY records. Usually, the KSK-type key is created with a stronger algorithm and a bigger key size.

     Figure 2: Automatic DNSSEC key rollover with NetScaler

     In the following example, we use the 'create DNS key' command to generate a DNSSEC key (example.ksk) of type KSK in zone example.com with key size 1024 using algorithm RSASHA256. Then we publish this key in the zone with the 'add DNS key' command with auto-rollover enabled. The key has an expiry period of ten days and needs to roll over five days before the expiry, as determined by the notification period. Then use the 'sign DNS zone' command to use this key to sign the records under DNS zone 'example.com'. All these steps will be performed automatically at the time of rollover of the successor key, since auto-rollover is enabled on the key. This process with a rollover period R is shown in Figure 2 above.

     Figure 3: Example of configuring auto-rollover of DNSSEC key

     Conclusion

     The Automated DNSSEC Signature Rollover feature will be critical for maintaining the effectiveness of DNSSEC protection. By streamlining the key rollover process, it reduces administrative burden, enhances security, and ensures the integrity of DNS records. As the demand for secure and reliable DNS services grows, automated DNSSEC signature rollover will play an increasingly important role in safeguarding the internet infrastructure. NetScaler also supports DNS over TLS, which encrypts DNS queries, enhancing privacy and security by safeguarding against potential eavesdropping and manipulation of domain name resolution, ensuring a safer online experience.
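     The configuration that Figure 3 shows is not reproduced on this page. The NetScaler CLI commands below are an added example (not the authors' own figure) that walks through steps A to C for the example.ksk key described above and adds a verification step. The key-file paths under /nsconfig/dns/, the exact spelling of the auto-rollover option, and the extra ZSK are assumptions to be checked against the Zone Maintenance documentation for your build.

```text
# Added example, not the authors' figure. Assumed: example.com is hosted on this NetScaler,
# 'create dns key' writes its files to /nsconfig/dns/, and the auto-rollover switch is
# spelled -autoRollover on your build (check 'add dns key ?' on the appliance).

# Host the zone authoritatively (proxyMode NO makes NetScaler the zone owner)
add dns zone example.com -proxyMode NO

# Step A: generate the KSK from the post (example.ksk, RSASHA256, 1024-bit)
create dns key -zoneName example.com -keyType KSK -algorithm RSASHA256 -keySize 1024 -fileNamePrefix example.ksk

# Step B: publish the key with auto-rollover; it expires in 10 days and the
# rollover starts 5 days before expiry (the notification period)
add dns key example.ksk /nsconfig/dns/example.ksk.key /nsconfig/dns/example.ksk.private -expires 10 -units DAYS -notificationPeriod 5 -units2 DAYS -autoRollover ENABLED

# A ZSK is what actually signs the A/AAAA/NS/SOA records; added here for completeness
# with the same timers (assumption: the post only shows the KSK)
create dns key -zoneName example.com -keyType ZSK -algorithm RSASHA256 -keySize 1024 -fileNamePrefix example.zsk
add dns key example.zsk /nsconfig/dns/example.zsk.key /nsconfig/dns/example.zsk.private -expires 10 -units DAYS -notificationPeriod 5 -units2 DAYS -autoRollover ENABLED

# Step C: sign the zone with the published keys
sign dns zone example.com

# Verify: key timers and rollover state, and that the zone reports as signed
show dns key example.ksk
show dns key example.zsk
show dns zone example.com

# Caveat: a KSK rollover also changes the DS record; the parent zone (.com) must be
# updated with the new DS (assumed file /nsconfig/dns/example.ksk.ds) before the old
# KSK is removed in step D, otherwise validating resolvers will fail the chain of trust.
```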
  3. This has been identified and fixed. The latest firmware with the fix will be released soon.
  4. Hi @jordi salinas, can you share additional details (configuration, request/response snippet)? https://docs.netscaler.com/en-us/citrix-adc/current-release/global-server-load-balancing/configure/configuring-a-gslb-service-group.html
  5. The limitations of static load balancing

     Traditional GSLB solutions rely on DNS-based load balancing to direct users to the closest available server. However, these solutions have a number of limitations. First, they lack the ability to accurately measure geolocation and network latency, which can result in suboptimal routing decisions. Second, they do not provide visibility into network congestion, micro outages or other factors that can impact performance. Third, they require manual configuration and maintenance, which can be time-consuming and error-prone.

     Need for real-time data and insights

     In today's fast-paced and rapidly changing internet conditions, there is a growing need for real-time data and insights that can help organizations to make better decisions. Internet state data from real users can help to provide this type of information, by enabling the collection and analysis of data in real time.

     The benefits of modern GSLB

     Modern GSLB solutions, such as the one offered by NetScaler, leverage advanced technologies to overcome these limitations. For example, Intelligent Traffic Management (ITM) uses real-time network analytics to optimize traffic routing decisions (Figure 1) based on actual network performance, rather than just geographical location. This ensures that users are always directed to the best-performing server, regardless of their location.

     Figure 1: ITM optimized algorithm to improve your application performance

     In addition, ITM provides real-time visibility into network performance and congestion, allowing businesses to proactively address performance issues before they impact end-users. They also automate configuration and maintenance, reducing the risk of errors and freeing up IT resources for more strategic initiatives.

     Multi-CDN use case

     Multi-CDN global server load balancing (GSLB) with ITM (Citrix Intelligent Traffic Management) is a solution that enables organizations to provide a high-performance, highly available, and scalable user experience for their global customers. This solution leverages multiple content delivery networks (CDNs) to distribute user traffic across the best-performing CDN based on real-time data and performance metrics. With ITM, organizations can define GSLB policies that automatically route user traffic to the optimal CDN or the origin server based on factors such as user location, network conditions, and CDN availability. This approach helps to ensure that users are always directed to the optimal data source, reducing latency, improving the user experience and saving cost.

     Here's how multi-CDN GSLB works:
       • A user requests content from a website or application that is delivered by a CDN.
       • The DNS query for the website or application is directed to the NetScaler ITM.
       • The NetScaler ITM uses its geographic and network-aware load balancing algorithms to determine the most optimal CDN or origin datacenter for the user based on their location, network conditions, and other factors.
       • The NetScaler ITM returns the IP address of the optimal CDN to the user's device.
       • The user's device sends the request for the content to the CDN with the returned IP address.
       • The content is delivered to the user's device from the CDN.

     As shown in Figure 2, if CDN2's E2a edge becomes unavailable, the NetScaler ITM automatically redirects the user to the next optimal CDN1 E1b edge to ensure continuous delivery of the content.

     Figure 2: ITM optimized multi-CDN high availability

     Figure 3: ITM ensuring business continuity for its users during the Azure global outage (Jan 25th 2023).

     Conclusion

     Traditional algorithms in GSLB solutions have been a mainstay of web traffic management for many years, but they are increasingly being supplanted by more modern and advanced solutions like NetScaler ITM. By leveraging real-time network analytics, providing visibility into network performance, and automating configuration and maintenance, modern GSLB solutions offer a more effective and efficient way to manage web traffic in today's complex digital environment. If your application is deployed across multiple datacenters, it's time to consider upgrading to this modern solution. Contact NetScaler (netscaler-itm@cloud.com) today to learn more about how our Intelligent Traffic Management solution can help you optimize your web traffic and deliver a superior user experience.
  6. Hi Sunil, the following document covers NetScaler Global Server Load Balancing DNS Request Flow Differences Between ADNS and DNS Proxy Solutions: https://support.citrix.com/article/CTX123792/netscaler-global-server-load-balancing-dns-request-flow-differences-between-adns-and-dns-proxy-solutions
  7. Here is a simple example of how to configure NetScaler GSLB for an active-active data center topology. Let's assume you have two data centers, DC1 and DC2, each hosting the same web application.
       • On DC1, create a NetScaler VIP address with IP address 10.0.0.1 and configure a GSLB site with name "DC1".
       • On DC2, create a NetScaler VIP address with IP address 10.0.0.2 and configure a GSLB site with name "DC2".
       • Create a GSLB service with name "web-app" and associate the VIP addresses from DC1 and DC2 to the service.
       • Configure a health monitor to monitor the health of the backend servers hosting the web application.
       • Configure a load balancing method, such as round robin, to distribute traffic between the backend servers.
       • Create a DNS zone for the web application and delegate the zone to the NetScaler GSLB.
       • Publish the web application using a fully qualified domain name (FQDN) such as "www.my-app.com" and configure clients to use the FQDN to access the application.

     NetScaler provides a wizard to help you configure GSLB in a graphical user interface. The wizard guides you through the steps to create a GSLB deployment and provides options to customize the deployment to meet your specific needs. The wizard makes it easier to configure a GSLB deployment, especially for those who are new to NetScaler or who are not familiar with the command line interface. To access the wizard, log into the NetScaler web-based management interface and navigate to the GSLB section. From there, you can launch the wizard and follow the steps to create a new GSLB deployment. More details here: https://support.citrix.com/article/CTX223376/how-to-configure-gslb-activeactive-topology-on-netscaler-using-the-new-gslb-wizard
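     The same active-active deployment expressed as NetScaler CLI commands, as an added example that is not part of the post above. The post's VIPs 10.0.0.1 and 10.0.0.2 are reused as the GSLB service IPs; the site IPs 10.0.0.11 and 10.0.0.12, the service and monitor names, the /healthz path and the ns1/ns2 hostnames are constructed placeholders.

```text
# Added example, not the post's configuration. Run on the DC1 appliance; DC2 gets a mirror
# image (its own site marked local) or receives the objects through GSLB config sync.
# Assumed/constructed: site IPs 10.0.0.11 (DC1) and 10.0.0.12 (DC2) are SNIPs on each box.

# GSLB sites, identified by their site IP (MEP runs between these addresses)
add gslb site DC1 10.0.0.11
add gslb site DC2 10.0.0.12

# One GSLB service per site, pointing at the application VIP from the post
add gslb service web-app-dc1 10.0.0.1 HTTP 80 -siteName DC1
add gslb service web-app-dc2 10.0.0.2 HTTP 80 -siteName DC2

# Health monitor: a site that fails the check is withdrawn from DNS answers
# instead of clients being handed a dead VIP (path /healthz is a placeholder)
add lb monitor web-app-http HTTP -httpRequest "GET /healthz" -respCode 200
bind gslb service web-app-dc1 -monitorName web-app-http
bind gslb service web-app-dc2 -monitorName web-app-http

# Active-active: round robin between the two healthy sites
add gslb vserver web-app HTTP -lbMethod ROUNDROBIN
bind gslb vserver web-app -serviceName web-app-dc1
bind gslb vserver web-app -serviceName web-app-dc2

# Publish the FQDN; a short TTL (5 s here) keeps failover to the other site quick
bind gslb vserver web-app -domainName www.my-app.com -TTL 5

# ADNS listener so this appliance answers authoritatively for the delegated zone
add service adns-dc1 10.0.0.11 ADNS 53

# Zone records: the parent zone's NS delegation for my-app.com must point at both sites
add dns soaRec my-app.com -originServer ns1.my-app.com -contact hostmaster.my-app.com
add dns nsRec my-app.com ns1.my-app.com
add dns nsRec my-app.com ns2.my-app.com
add dns addRec ns1.my-app.com 10.0.0.11
add dns addRec ns2.my-app.com 10.0.0.12

# Verify: MEP state between sites and monitor state of each GSLB service
show gslb site
show gslb service
```

     Check that both sites show MEP as ACTIVE and both services as UP before cutting the public delegation over; otherwise only one data center will ever be answered.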
  8. @Barry Whitehouse: Can you share more details about your environment? A reference architecture diagram of the deployment will help in understanding the requirement. How many data centers do you have your WEM brokers / NetScalers deployed in? GSLB setup / configuration steps are available here.
  9. For more information: https://docs.citrix.com/en-us/citrix-adc/current-release/global-server-load-balancing/configuring-static-proximity/add-a-location-file-create-static-proximity-db.html#script-to-convert-maxmind-geolite2-database-format-to-citrix-adc-database-format
  10. 1. Download the GeoLite2 City or GeoLite2 Country database in .csv format from https://dev.maxmind.com/geoip/geoip2/geolite2/.
      2. Copy the file to a Citrix ADC directory (say /var) and unzip it using the following shell command, which creates a directory with the same name:
         tar -xf <filename>
      3. Download the script Convert_GeoIPDB_To_Netscaler_Format.pl from https://github.com/citrix/MaxMind-GeoIP-Database-Conversion-Citrix-ADC-Format and copy it to the directory created in step #2.
      4. To check the acceptable options for the script execution, run the following command:
         perl Convert_GeoIPDB_To_Netscaler_Format.pl -help
         The various options available are:
           <filename>           IPv4 output file. Default output file name: Netscaler_Maxmind_GeoIP_DB_IPv4.csv
           -p <filename>        IPv6 output file. Default output file name: Netscaler_Maxmind_GeoIP_DB_IPv6.csv
           -logfile <filename>  File containing the list of events/messages
           -debug               Prints all the messages to STDOUT
      5. Run the following command to convert the GeoLite2 database format to Citrix ADC database format:
         perl Convert_GeoIPDB_To_Netscaler_Format.pl
         Example: perl Convert_GeoIPDB_To_Netscaler_Format.pl -b GeoLite2-Country-Blocks-IPv4.csv -i GeoLite2-Country-Blocks-IPv6.csv -l GeoLite2-Country-Locations-en.csv
  11. Yes. From Citrix ADC release 13.1 build 21.x onwards, you have the option to increase disk space on the Citrix ADC VPX instance by adding a second disk. This feature is supported on all VPX form factors. You must add the second disk during the first boot of the Citrix ADC appliance, or later when the appliance is shut down. The second disk is used for storing core files and logging. Existing directories that are used to store core files and log files continue to work as earlier.
  12. How to configure a service group to scale automatically? Is there a way to gracefully transition a server out of service?