The Domain Name System Security Extensions (DNSSEC) is a set of enhancements to standard DNS functionality. Due to the decentralized and hierarchical nature of DNS, a malicious actor can modify (or "poison") the cached answer of a recursive DNS resolver. For example, an attacker could redirect a user from the intended website to a different and potentially dangerous one of their choosing. To help prevent such attacks, DNSSEC offers a mechanism for recursive DNS resolvers to authenticate responses to domain name lookups.
The IBM NS1 Connect platform supports the following DNSSEC functionality:
- Support for DNSSEC on primary zones using DNSSEC online signing by NS1 to authenticate responses to queries against the zone.
- Support for DNSSEC on secondary zones that are signed by the primary.
- For primary (or non-secondary) zones, NS1 supports only DNSSEC signing key algorithm 13.
Note that NS1 does not support incoming transfers of DNSSEC-signed zones to secondary servers. The transfer will exclude DNSSEC records. However, you can achieve this with a multi-signer DNSSEC configuration.
Additionally, consider the following: Currently, zone-signing keys (ZSKs) and key-signing keys (KSKs) are not rolled regularly. NS1 uses the ECDSA P256 algorithm, which is deemed safe now and for the foreseeable future. In an emergency, NS1 can roll the ZSK transparently. However, the DNS protocol does not allow a transparent KSK roll, so NS1 would coordinate with the customer if a roll were needed.
Enabling DNSSEC on a zone is an instant operation. When you successfully enable DNSSEC on a primary zone in NS1 Connect, that zone displays in your zones list with a shield-and-checkmark icon.
Until the zone is securely delegated at the registrar (that is, until the DS record is published), DNS resolvers do not expect the zone to be signed. It is therefore safe to modify any DNSSEC-related zone configuration and conduct testing.
Note
Refer to this article for instructions to enable DNSSEC on a subdelegation.
Before enabling DNSSEC on a zone, check with your domain’s registrar to ensure it supports the following:
- Verify the registrar supports DNSSEC for a domain when the DNS for that domain is hosted on third-party nameservers.
- Verify the TLD supports DNSSEC. Refer to this page for more information.
- Verify the registrar allows the signing of algorithm 13. Refer to this article on the IANA website for details about DNS security algorithms.
The instructions below explain the process for enabling DNSSEC for a zone via the NS1 portal. Refer to the API example below for API-based instructions.
- Log into the NS1 portal and go to DNS > Zones.
- Search the list of zones for the primary zone on which you wish to enable DNSSEC, and then click the zone's name to view its details.
- Navigate to the Zone settings tab in the sub-navigation.
- At the bottom of the page, click the checkbox next to Enable DNSSEC.
- Click Save changes. A new button appears beneath the DNSSEC option.
- Click View detailed instructions to view the DNSSEC key tag, algorithm, digest type, digest, flags, and a public key associated with this zone.
Record the DNSSEC details as you will need them to update the registrar in the next step. Note that you can hover over each option and click to copy the data to your clipboard.
Enabling DNSSEC automatically creates a DNSKEY record within the zone.
Additionally, the zone appears in the list of zones with a shield icon indicating DNSSEC is enabled.
Warning
Before providing the DS record to the registrar, ensure DNSSEC has been enabled long enough for all resolvers to expire any records for the zone that they cached before DNSSEC was enabled. The SOA record minimum-TTL value specifies the required time in seconds (see nx_ttl for the zone in the NS1 API).
To complete the DNSSEC configuration, you provide your registrar with the DNSSEC information required for them to create a DS record within the TLD’s zones. Refer to the instructions provided by your domain registrar to apply the DNSSEC configuration details shown in the “View detailed instructions” dialog box in the previous step — including the key tag, algorithm, flags, digest, digest type, and public key.
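One way to cross-check the recorded values before submitting them to the registrar, as an added example that is not NS1's own code or API: it recomputes the key tag (RFC 4034 Appendix B) and the DS digest from the DNSKEY fields and compares them with the DS values. The zone name and the 64-byte key are constructed placeholders, not a real zone or a valid curve point.

```python
import base64
import hashlib
import struct

# Constructed sample values: a 64-byte placeholder stands in for an
# algorithm 13 (ECDSA P-256) public key, which is the 64-byte X||Y pair.
ZONE = "example.com."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13  # 257 = key-signing key (SEP bit set)
PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    key = base64.b64decode(pubkey_b64)
    if algorithm == 13 and len(key) != 64:
        raise ValueError("algorithm 13 public key must be 64 bytes")
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(zone: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name | DNSKEY RDATA); type 2 is SHA-256, 4 is SHA-384."""
    algos = {2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in algos:
        raise ValueError(f"unsupported digest type {digest_type}")
    return algos[digest_type](name_to_wire(zone) + rdata).hexdigest().upper()

def ds_matches(zone, ds_tag, ds_alg, ds_type, ds_hex, rdata) -> bool:
    """True only if every DS field is consistent with the DNSKEY RDATA."""
    return (ds_tag == key_tag(rdata)
            and ds_alg == rdata[3]
            and ds_hex.replace(" ", "").upper() == ds_digest(zone, rdata, ds_type))

if __name__ == "__main__":
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    print(f"{ZONE} IN DS {key_tag(rdata)} {ALGORITHM} 2 {ds_digest(ZONE, rdata)}")
```

A mismatch in `ds_matches` means the DS data would not validate against the zone's DNSKEY, which is worth catching before the parent zone publishes it.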
DS records are published to the registrar (or parent zone) and included in the response as a part of the delegation. The records have no explicit expiration but need an associated signature that can expire. As the records exist in the parent zone, their signatures are maintained and updated by the operator of the parent zone, in most cases, by the TLD registry.
Once the updates propagate, validate the configuration by entering the domain name in a public DNSSEC authentication tool, such as https://dnssec-debugger.verisignlabs.com. If the configuration is successful, an array of green checkmarks will appear, indicating no errors.
Once DNSSEC online signing is enabled on a zone and the necessary information is passed along to your registrar, then the resolvers that support DNSSEC will begin to verify DNS responses returned by NS1 nameservers. Organizations with multiple DNS providers can use the NS1 API to create and manage multiple external DNSSEC public keys. This allows you to configure multi-signer DNSSEC among participating vendors. Refer to Managing external DNSSEC keys (API only) for more information.
Warning
After the DS record has been published in the delegation, NS1 recommends you not disable DNSSEC on the zone as this can lead to DNSSEC validation errors.