Enabling DNSSEC for a primary zone

The IBM® NS1 Connect® platform supports the following DNSSEC functionality:

  • For primary zones hosted on NS1 Connect, you can enable DNSSEC online signing by NS1 Connect to authenticate responses to incoming queries to this zone. Note that the platform only supports DNSSEC signing key algorithm 13.
  • For secondary zones hosted on NS1 Connect, DNSSEC is supported if the zone is signed by the primary DNS provider.
Note: At this time, NS1 Connect does not roll zone-signing keys (ZSKs) and key-signing keys (KSKs) regularly. It uses the ECDSA P256 algorithm, deemed safe now and for the foreseeable future. If necessary, IBM support can roll the ZSK transparently. However, the DNS protocol does not allow transparent KSK roll, so you must work with the support representative directly on this.

Enabling DNSSEC for a primary zone is a two-step process. First, within the NS1 Connect portal, you must enable DNSSEC by selecting the check box in the zone settings, and then clicking View detailed instructions to display the information you need to apply at the domain registrar. DNSSEC-enabled zones appear in the zone list with a shield icon.

The second step is to update the DNSSEC delegation at your domain registrar by publishing a DS record containing the DNSSEC keys and digest information provided by NS1 Connect. Until the zone is securely delegated within the registrar (that is, the DS record is published), the DNS resolvers do not expect the zone to be signed—therefore, it is safe to modify any DNSSEC-related zone configuration and conduct testing.

Note: Refer to this topic for instructions to enable DNSSEC on a subdelegation.

Before you begin

Before enabling DNSSEC on a zone, check with your domain’s registrar to ensure it supports the following:

  • Verify the registrar supports DNSSEC for a domain when the DNS for that domain is hosted on third-party nameservers.
  • Verify the top-level domain (TLD) supports DNSSEC.
  • Verify the registrar accepts DS records for DNSSEC algorithm 13 (ECDSAP256SHA256). Refer to this topic on the IANA website for details about DNS security algorithms.

Procedure

The following instructions explain the process for enabling DNSSEC for a primary (or non-secondary) zone.

Step 1: Enable DNSSEC on the zone hosted by NS1 Connect
  1. Click DNS > Zones.
  2. Search the list of zones for the primary zone on which you wish to enable DNSSEC, and then click the zone's name to view its details.
  3. Click the Zone settings tab in the sub-navigation.
  4. At the bottom of the page, select the Enable DNSSEC checkbox.
  5. Click Save changes. A new button appears beneath the DNSSEC option.
  6. Click View detailed instructions to view the DNSSEC key tag, algorithm, digest type, digest, flags, and the public key associated with this zone.

    Record the DNSSEC details, as you will need them to update the registrar in the next step. Note that you can hover over each value and click to copy it to your clipboard.

Enabling DNSSEC automatically creates a DNSKEY record within the zone, and a shield icon appears next to the zone on the Zones tab, indicating DNSSEC is enabled.

Step 2: Update the domain registrar
Attention: Before providing the DS record to the registrar, ensure DNSSEC has been enabled for long enough that all resolvers have expired the records they cached for the zone before DNSSEC was enabled. The SOA record minimum-TTL value specifies the required time in seconds (see nx_ttl for the zone in the NS1 Connect API).

To complete the DNSSEC configuration, you provide your registrar with the DNSSEC information required for them to create a DS record within the TLD’s zones. Refer to the instructions provided by your domain registrar to apply the DNSSEC configuration details shown in the View detailed instructions dialog box in the previous step — including the key tag, algorithm, flags, digest, digest type, and public key.

DS records are published to the registrar (or parent zone) and included in the response as a part of the delegation. The records have no explicit expiration but need an associated signature that can expire. As the records exist in the parent zone, their signatures are maintained and updated by the operator of the parent zone, in most cases, by the TLD registry.

Step 3: Validate the configuration

Once the updates propagate, validate the configuration by entering the domain name in a public DNSSEC validation tool, such as https://dnssec-debugger.verisignlabs.com. If the configuration is successful, an array of green checkmarks appears, indicating no errors.
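As an added check for steps 2 and 3 (this is example code, not part of the NS1 Connect product or its API), the following script derives the DS record that the registrar should publish from the DNSKEY details shown in the View detailed instructions dialog, and compares it against a DS record observed in the parent zone. It assumes the KSK flags are 257, protocol 3, algorithm 13, and digest type 2 (SHA-256); the 64-byte sample key is constructed and is not a real key.

```python
import base64
import hashlib
from typing import NamedTuple


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex string


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase) DNS wire format, per RFC 4034 section 6.2."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str) -> DS:
    """Derive the DS record (digest type 2 = SHA-256 over owner name + DNSKEY RDATA) for a KSK."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(key_b64))
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), algorithm, 2, digest)


def ds_matches(published: DS, expected: DS) -> bool:
    """True if the DS seen in the parent zone matches the DS derived from the child's DNSKEY."""
    return (published.key_tag, published.algorithm, published.digest_type, published.digest.lower()) == \
           (expected.key_tag, expected.algorithm, expected.digest_type, expected.digest.lower())


# Constructed sample: a 64-byte placeholder in place of a real P-256 public key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = ds_from_dnskey("example.com.", 257, 3, 13, SAMPLE_KEY_B64)
    print(f"example.com. IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}")
```

Feed `ds_from_dnskey` the DNSKEY values from the portal and `ds_matches` the DS returned by a `dig DS` query against the parent; a mismatch in key tag or digest means the registrar published stale or mistyped data.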

Results

Once DNSSEC online signing is enabled on a zone and the necessary information is passed along to your registrar, resolvers that support DNSSEC begin to verify DNS responses returned by NS1 Connect nameservers. Organizations with multiple DNS providers can use the NS1 Connect API to create and manage multiple external DNSSEC public keys. This allows you to configure multi-signer DNSSEC among participating vendors. Refer to Managing external DNSSEC keys (API only) for more information.

Attention: After the DS record has been published in the delegation, do not disable DNSSEC on the zone as this can lead to DNSSEC validation errors.