NS1 Status

Articles in this section

Enabling DNSSEC on a primary zone

  • Updated
Follow

Overview

The Domain Name System Security Extensions (DNSSEC) are a set of enhancements to standard DNS functionality. Due to the decentralized and hierarchical nature of DNS, it is possible for a malicious actor to modify (or ‘poison’) the cached answer of a recursive DNS resolver. An attacker could redirect a user from the intended website to a different and potentially dangerous one of their choosing.

To defend against such attacks, DNSSEC offers a mechanism for recursive DNS resolvers to verify the authenticity of the information received from the previous authoritative DNS server.

DNSSEC functionality is available to all NS1 customers at no additional cost. DNSSEC-enabled zones retain full traffic management and advanced feature functionality. 

How to enable DNSSEC with NS1

Prior to enabling DNSSEC on your domain, check with your domain’s registrar to make sure they support NS1's implementation of the feature. The registrar must

  • support adding DNSSEC records (DS and/or DNSKEY), 
  • support your specific TLD (top level domain), and 
  • allow signing of algorithm 13. 
    (Note: More information about DNS security algorithms is found here.)

Follow the steps below to ensure no interruptions to service. 

Step 1: Enable DNSSEC globally

Contact support@ns1.com to request your account have this function enabled on your organization's account.

Step 2: Enable DNSSEC for each zone 

via the NS1 portal:

  1. Once logged into the NS1 portal, navigate to the Zones page from the top-level navigation. 
  2. Double-click the zone to which you would like to enable DNSSEC, and click the "Zone Settings" tab.
  3. Click the check box next to "Enable DNSSEC" to enable the feature for that zone.


via API:

curl -X POST -H 'X-NSONE-Key: <API-key>' 'https://api.nsone.net/v1/zones/<name>' -d '{"dnssec":true}'

Step 3: Copy zone-specific DNSSEC data

Locate and record (copy) the zone-specific DNSSEC data that will be input at the domain’s registrar. This information is generated automatically once DNSSEC is enabled on a zone. 

  1. After enabling DNSSEC on the individual zone, click "View Detailed Instructions" or send the following GET request to our API:
curl -X GET -H 'X-NSONE-Key: <API-key>' 'https://api.nsone.net/v1/zones/<name>/dnssec'

2. Copy/record the data retrieved.

 Step 4: Paste the data to the domain's registrar.

  1. Paste the data retrieved from the previous step—including key tag, algorithm, flags, digest, digest type, public key—to the portal of your domain’s registrar. Instructions vary based on the registrars. 
  2. Once the updates propagate, check to ensure functionality is working properly by inputting the domain name into a public DNSSEC authentication tool such as: https://dnssec-debugger.verisignlabs.com/

A successful result will reveal an array of green check mark icons with no indication of errors:

 

 

Related articles