ADC CLI Commands

dns-zone

The following operations can be performed on “dns-zone”:

unset | add | sign | unsign | show | set | rm

unset dns zone

Use this command to remove DNS zone settings. Refer to the set dns zone command for the meanings of the arguments.

Synopsis

unset dns zone <zoneName> [-proxyMode] [-dnssecOffload] [-nsec]

add dns zone

Creates a DNS zone on the Citrix ADC. Mandatory if you want to use the appliance to implement Domain Name Security Extensions (DNSSEC) for the zone. When you add a DNS resource record, if the domain name of the record belongs to the zone, the record is automatically added to the zone.

Synopsis

add dns zone <zoneName> -proxyMode ( YES | NO ) [-dnssecOffload ( ENABLED | DISABLED ) [-nsec ( ENABLED | DISABLED )]]

Arguments

zoneName Name of the zone to create.

proxyMode Deploy the zone in proxy mode. Enable in the following scenarios:

  • The load balanced DNS servers are authoritative for the zone and all resource records that are part of the zone.
  • The load balanced DNS servers are authoritative for the zone, but the Citrix ADC owns a subset of the resource records that belong to the zone (partial zone ownership configuration). Typically seen in global server load balancing (GSLB) configurations, in which the appliance responds authoritatively to queries for GSLB domain names but forwards queries for other domain names in the zone to the load balanced servers.

In either scenario, do not create the zone’s Start of Authority (SOA) and name server (NS) resource records on the appliance. Disable if the appliance is authoritative for the zone, but make sure that you have created the SOA and NS records on the appliance before you create the zone.

Possible values: YES, NO Default value: ENABLED

dnssecOffload Enable DNSSEC offload for this zone.

Possible values: ENABLED, DISABLED Default value: DISABLED

nsec Enable NSEC generation for DNSSEC offload.

Possible values: ENABLED, DISABLED Default value: DISABLED

Example

add dns zone foo.bar -proxyMode NO -dnssecOffload ENABLED

sign dns zone

Signs a DNS zone with a DNS key. Before you sign a zone, make sure that you’ve enabled DNSSEC by setting the global DNS parameter “Enable DNSSEC extension.”

Synopsis

sign dns zone <zoneName> [-keyName <string> ...]

Arguments

zoneName Name of the zone.

keyName Name of the public/private DNS key pair with which to sign the zone. You can sign a zone with up to four keys.

Example

sign dns zone abc.com. -keyname abc.com.zsk abc.com.ksk
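The rules stated above for proxyMode (no SOA/NS records on the appliance for a proxy-mode zone; SOA and NS records created before an authoritative zone) and for signing (up to four keys) can be checked over saved CLI lines. The following Python check is an added example, not part of the Citrix documentation; it assumes the records are created with `add dns soaRec` and `add dns nsRec`, and the sample lines are constructed.

```python
import shlex
# Constructed sample lines (not from a real appliance); soaRec/nsRec usage is an assumption.
SAMPLE = """\
add dns soaRec example.com -originServer ns1.example.com -contact admin.example.com
add dns nsRec example.com ns1.example.com
add dns zone example.com -proxyMode NO -dnssecOffload DISABLED
add dns soaRec gslb.example.net -originServer ns1.example.net -contact admin.example.net
add dns zone gslb.example.net -proxyMode YES
add dns zone late.example.org -proxyMode NO
add dns nsRec late.example.org ns1.example.org
sign dns zone example.com. -keyName k1 k2 k3 k4 k5
"""

def option_values(tokens, flag):
    """Return the values that follow `flag`, up to the next -option."""
    lowered = [t.lower() for t in tokens]
    if flag.lower() not in lowered:
        return []
    values = []
    for tok in tokens[lowered.index(flag.lower()) + 1:]:
        if tok.startswith("-"):
            break
        values.append(tok)
    return values

def audit(config):
    """Return (line number, zone, message) findings, in configuration order."""
    findings, seen, proxied = [], {}, set()
    for lineno, line in enumerate(config.splitlines(), 1):
        tok = shlex.split(line)
        if len(tok) < 4 or tok[1].lower() != "dns":
            continue
        verb, obj, zone = tok[0].lower(), tok[2].lower(), tok[3].rstrip(".").lower()
        if verb == "add" and obj in ("soarec", "nsrec"):
            seen.setdefault(zone, set()).add(obj[:-3].upper())
            if zone in proxied:  # record added after the proxy-mode zone exists
                findings.append((lineno, zone, "SOA/NS record on a proxy-mode zone"))
        elif verb == "add" and obj == "zone":
            mode = [v.upper() for v in option_values(tok, "-proxyMode")]
            missing = {"SOA", "NS"} - seen.get(zone, set())
            if mode == ["YES"]:
                proxied.add(zone)
                if seen.get(zone):  # record already present when the zone is created
                    findings.append((lineno, zone, "SOA/NS record on a proxy-mode zone"))
            elif mode == ["NO"] and missing:
                findings.append((lineno, zone, "zone created before " + "/".join(sorted(missing))))
        elif verb == "sign" and obj == "zone" and len(option_values(tok, "-keyName")) > 4:
            findings.append((lineno, zone, "more than four signing keys"))
    return findings
```

Calling `audit(SAMPLE)` reports the proxy-mode zone that has an SOA record, the authoritative zone created before its records, and the five-key sign command.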

unsign dns zone

Unsigns the specified DNS zone with the specified DNS key.

Synopsis

unsign dns zone <zoneName> [-keyName <string> ...]

Arguments

zoneName Name of the zone.

keyName Name of the public-private DNS key pair with which to unsign the zone.

Example

unsign dns zone abc.com. -keyname abc.com.zsk abc.com.ksk

show dns zone

Displays the parameters of the specified DNS zone, along with information about the types of resource records available for each domain name in the zone. If no zone name is specified, just the parameters are shown, for all configured zones.

Synopsis

show dns zone [<zoneName> | -type <type>]

Arguments

zoneName Name of the zone. Mutually exclusive with the type parameter.

type Type of zone to display. Mutually exclusive with the DNS Zone (zoneName) parameter. Available settings function as follows:

  • ADNS - Display all the zones for which the Citrix ADC is authoritative.
  • PROXY - Display all the zones for which the Citrix ADC is functioning as a proxy server.
  • ALL - Display all the zones configured on the appliance.

Possible values: ALL, ADNS, PROXY

Output

proxyMode Deploy the zone in proxy mode. Enable in the following scenarios:

  • The load balanced DNS servers are authoritative for the zone and all resource records that are part of the zone.
  • The load balanced DNS servers are authoritative for the zone, but the Citrix ADC owns a subset of the resource records that belong to the zone (partial zone ownership configuration). Typically seen in global server load balancing (GSLB) configurations, in which the appliance responds authoritatively to queries for GSLB domain names but forwards queries for other domain names in the zone to the load balanced servers.

In either scenario, do not create the zone’s Start of Authority (SOA) and name server (NS) resource records on the appliance. Disable if the appliance is authoritative for the zone, but make sure that you have created the SOA and NS records on the appliance before you create the zone.

flags Flags controlling display.

nsecBitarray Bit array representing the different record types configured for the domain name.

domain Domain name that belongs to the given zone.

nextRecs An array of record types associated with the NSEC record.

stateflag Flags controlling display.

dnssecOffload Enable DNSSEC offload for this zone.

nsec Enable NSEC generation for DNSSEC offload.

keyName Name of the public/private DNS key pair with which to sign the zone. You can sign a zone with up to four keys.

sigInceptionTime Time at which the zone was signed with this key.

signed Integer that denotes the status of the keys.

expires Time period for which to consider the key valid, after the key is used to sign a zone.

devno count

Example

show dns zone foo.bar

set dns zone

Modifies the parameters of the specified DNS zone.

Synopsis

set dns zone <zoneName> [-proxyMode ( YES | NO )] [-dnssecOffload ( ENABLED | DISABLED )] [-nsec ( ENABLED | DISABLED )]

Arguments

zoneName Name of the zone.

proxyMode Deploy the zone in proxy mode. Enable in the following scenarios:

  • The load balanced DNS servers are authoritative for the zone and all resource records that are part of the zone.
  • The load balanced DNS servers are authoritative for the zone, but the Citrix ADC owns a subset of the resource records that belong to the zone (partial zone ownership configuration). Typically seen in global server load balancing (GSLB) configurations, in which the appliance responds authoritatively to queries for GSLB domain names but forwards queries for other domain names in the zone to the load balanced servers.

In either scenario, do not create the zone’s Start of Authority (SOA) and name server (NS) resource records on the appliance. Disable if the appliance is authoritative for the zone, but make sure that you have created the SOA and NS records on the appliance before you create the zone.

Possible values: YES, NO Default value: ENABLED

dnssecOffload Enable DNSSEC offload for this zone.

Possible values: ENABLED, DISABLED Default value: DISABLED

nsec Enable NSEC generation for DNSSEC offload.

Possible values: ENABLED, DISABLED Default value: DISABLED

Example

set dns zone foo.bar -proxyMode NO -dnssecOffload ENABLED

rm dns zone

Removes a DNS zone from the Citrix ADC.

Synopsis

rm dns zone <zoneName>

Arguments

zoneName Name of the zone to remove.
