Note
In NS1 Connect, DNSSEC is supported on zone transfers from the primary zone (hosted elsewhere) to the secondary zone (hosted by NS1), in which an NSEC or NSEC3 record provides authenticated denial of existence. DNSSEC is not yet available for primary zones hosted by NS1 for accounts within the NS1 Connect platform. Contact NS1 customer support with questions.
The Domain Name System Security Extensions (DNSSEC) are a set of enhancements to standard DNS functionality. Due to the decentralized and hierarchical nature of DNS, a malicious actor can modify (or "poison") the cached answer of a recursive DNS resolver. An attacker could redirect a user from the intended website to a different and potentially dangerous one of their choosing.
To defend against such attacks, DNSSEC offers a mechanism for recursive DNS resolvers to verify the authenticity of the information received from the previous authoritative DNS server. DNSSEC-enabled zones retain full traffic management and advanced feature functionality.
Note
DNSSEC is available on all NS1 accounts by default, but you must enable DNSSEC on the zone(s) upon which you wish to apply this feature. Please contact the NS1 support team if you have questions or experience any issues.
Before enabling DNSSEC on your domain, check with your domain’s registrar to ensure they support NS1's feature implementation. The registrar must:
support adding DNSSEC records (DS and/or DNSKEY),
support your specific top-level domain (TLD), and
-
allow signing of algorithm 13.
Note
Refer here for more information about DNS security algorithms.
Follow the steps below to ensure no interruptions to service.
Follow the instructions below to enable DNSSEC on an existing primary zone via the NS1 Connect portal or NS1 API. Refer to Create a DNS zone for details.
-
Navigate to DNS > Zones to view a list of zones associated with your account.
-
Click the name of the zone on which you want to enable DNSSEC to drill down into the zone details, and then click the Zone Settings tab.
-
Scroll to the bottom of the page and click the checkbox next to Enable DNSSEC.
Click Save changes. On the same page, a link appears beneath the DNSSEC checkbox to View detailed instructions.
Click View detailed instructions. A dialog box appears with instructions and important zone data. This information is generated automatically once DNSSEC is enabled on a zone.
Copy the DNSSEC zone details. You'll need to provide this information at the domain registrar in the next step.
-
Return to your list of zones. Your DNSSEC-secured zone should now display a shield-and-checkmark icon.
Alternatively, you can enable DNSSEC on a primary zone via API using the following POST command:
curl -X POST -H 'X-NSONE-Key: $API_KEY' 'https://api.nsone.net/v1/zones/<zone_name>' -d '{"dnssec":true}'
where <zone_name> is the name of the primary zone. If you did not specify a unique zone name during zone creation, this field defaults to the zone FQDN.
Then, execute the following GET command to view zone-specific DNSSEC data:
curl -X GET -H 'X-NSONE-Key: $API_KEY' 'https://api.nsone.net/v1/zones/<name>/dnssec'
Copy the zone data returned in the response—including key tag, algorithm, flags, digest, digest type, and public key.
Paste the data retrieved from the previous step—including key tag, algorithm, flags, digest, digest type, public key—to the portal of your domain’s registrar. Instructions vary based on the registrars.
-
Once the updates propagate, check to ensure functionality is working properly by inputting the domain name into a public DNSSEC authentication tool, such as https://dnssec-debugger.verisignlabs.com/.
A successful result will reveal an array of green checkmark icons with no indication of errors.