… long time listener, 1st time caller. Howdy folks!
I’ve got 2 sites (NY and PA) with an AX cluster at each site in its “internet” DMZ. The sites are interconnected on the LAN and I’ve also got a Juniper SSL VPN cluster split “behind” the A10 at each site (synchronizing over the LAN).
Currently, we are only using the Juniper in PA. We host our own DNS for the domain (we’ll say “company.com”) and currently I have an A Record for “remote.company.com” that is pointing at the PA Juniper.
I have set up GSLB and the sites are talking, everything looks cool with service IPs, etc., … I can do nslookups against either site DNS Proxy on the AX (running in server mode), and I have tested failover internally. So, I am ready to open the DNS Proxies to the internet and do DNS Delegation on my name servers.
Here are my questions (mainly to make sure I'm thinking this correctly):
QUESTION 1: Do I do the following ...
1. create name servers for a subdomain in my regular NS servers for the parent domain:
gslb.company.com IN NS PA-A10.company.com
gslb.company.com IN NS NY-A10.company.com
2. create the “glue” records on my NS servers under the parent domain:
PA-A10.company.com IN A xxx.xxx.xxx.xxx
NY-A10.company.com IN A xxx.xxx.xxx.xxx
*where xxx.xxx.xxx.xxx is the DNS Proxy VIP on the AX at each site
3. delete the current A Record for “remote.company.com” on my NS and create a CNAME for it:
remote.company.com IN CNAME remote.gslb.company.com
QUESTION 2:
On my AX sites I created the zone “company.com” … should I have created “gslb.company.com”? Looking at the above I think so. Also, I think what confused me was that the cert on the SSL VPN is for “remote.company.com”.
QUESTION 3:
When I created the A Record “remote” under the zone above it only allowed me to choose one protocol in the drop-down list (I chose HTTP) although the service IP has both HTTP and HTTPS. I tried to create a 2nd A record for “remote” with HTTPS but it said the name already exists. I did this through the GUI. Do both protocols need to be listed under the zone A Record? If so, was this just a restriction in the GUI?
I posed these questions to A10 Support who were pretty clueless on DNS Delegation and actually asked me to forward the answers to them once I figured it out … wtf?
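Added example (not from this thread, A10 or Juniper): a small model of the delegation laid out in Question 1, so the NS, glue and CNAME pieces can be sanity-checked offline before the real zones are changed. Names are the post's; the xxx.xxx.xxx.xxx VIPs are replaced with constructed RFC 5737 documentation addresses, and the check/resolve functions are my own, not an A10 feature.

```python
# Zone contents are constructed for the example; 192.0.2.x stands in for the
# real DNS Proxy VIPs on the AX at each site.
PARENT_APEX = "company.com."
SUB_APEX = "gslb.company.com."

# Records on the regular name servers for the parent domain.
PARENT_ZONE = {
    SUB_APEX: [("NS", "PA-A10.company.com."), ("NS", "NY-A10.company.com.")],
    "PA-A10.company.com.": [("A", "192.0.2.10")],  # glue: PA AX DNS proxy VIP
    "NY-A10.company.com.": [("A", "192.0.2.20")],  # glue: NY AX DNS proxy VIP
    "remote.company.com.": [("CNAME", "remote.gslb.company.com.")],
}

# Records the AX DNS proxies answer for in the delegated zone.
GSLB_ZONE = {
    "remote.gslb.company.com.": [("A", "192.0.2.10")],
}


def rrs(zone, name, rtype):
    """All rdata of one type at a name (empty list if none)."""
    return [rdata for t, rdata in zone.get(name, []) if t == rtype]


def check_delegation(parent, sub_apex):
    """Return a list of problems with the delegation. An NS name that lives
    inside the parent zone is only reachable if the parent carries its glue A."""
    problems = []
    ns_names = rrs(parent, sub_apex, "NS")
    if len(ns_names) < 2:
        problems.append(f"{sub_apex} should list one NS per site")
    for ns in ns_names:
        if ns.lower().endswith("." + PARENT_APEX) and not rrs(parent, ns, "A"):
            problems.append(f"missing glue A record for {ns}")
    return problems


def resolve(name, parent, sub, max_hops=8):
    """Follow CNAMEs across the delegation; return (final_name, [addresses])."""
    for _ in range(max_hops):
        in_sub = name.lower().endswith("." + SUB_APEX) or name.lower() == SUB_APEX
        zone = sub if in_sub else parent
        cname = rrs(zone, name, "CNAME")
        if cname:
            name = cname[0]  # remote.company.com -> remote.gslb.company.com
            continue
        return name, rrs(zone, name, "A")
    raise RuntimeError("CNAME chain too long")  # hop limit reached


if __name__ == "__main__":
    print(check_delegation(PARENT_ZONE, SUB_APEX))  # []
    print(resolve("remote.company.com.", PARENT_ZONE, GSLB_ZONE))
```

Dropping either glue record from PARENT_ZONE makes check_delegation report it, which is the first thing to verify on the public name servers once the proxies are opened up.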