The Domain Name System Security Extensions (DNSSEC) are a set of enhancements to standard DNS functionality. Due to the decentralized and hierarchical nature of DNS, a malicious actor can modify (or "poison") the cached answer of a recursive DNS resolver. For example, an attacker could redirect a user from the intended website to a different and potentially dangerous one of their choosing.
To help prevent such attacks, DNSSEC offers a mechanism for recursive DNS resolvers to authenticate responses to domain name lookups.
NS1 supports the following DNSSEC functionality:
- DNSSEC is automatically supported for secondary zones hosted on the NS1 platform. Both NSEC and NSEC3 are supported for authenticated denial of existence. If the primary zone data is pre-signed by the primary DNS provider, then NS1 will respond to queries with the DNSSEC-signed zone data.
- Optionally, you can enable DNSSEC signing on individual non-secondary zones (i.e., authoritative or primary zones hosted by NS1). Enabling this option activates online signing by NS1 to authenticate responses to queries against the zone. However, it’s important to note that DNSSEC is not supported for outgoing zone transfers from primary zones hosted on the NS1 platform.
This article explains the process for enabling DNSSEC online signing for a primary (i.e., non-secondary) zone hosted by NS1.
Note: Refer to this article for instructions to enable DNSSEC on a subdelegation.
Before enabling DNSSEC on a zone, check with your domain’s registrar to ensure it supports the following:
- Verify the registrar allows you to add DS and/or DNSKEY record types to the domain.
- Verify the registrar supports your specific top-level domain (TLD).
- Verify the registrar allows the signing of algorithm 13. Refer to this article on the IANA website for details about DNS security algorithms.
The instructions below explain the process for enabling DNSSEC for a primary (i.e., non-secondary) zone via the NS1 portal.
- Log into the NS1 portal, and then navigate to DNS > Zones.
- Search the list of zones for the primary zone on which you wish to enable DNSSEC, and then click the zone's name to view its details.
- Navigate to the Zone settings tab in the sub-navigation.
- At the bottom of the page, click the checkbox next to Enable DNSSEC.
- Click Save changes. Once saved, a new button appears beneath the DNSSEC option prompting you to “View detailed instructions.”
- Click View detailed instructions to view the key tag, algorithm, digest type, digest, flags, and a public key associated with this DNSSEC configuration.
Record the DNSSEC details as you will need them to update the registrar in the next step. Note that you can hover over each option and click to copy the data to your clipboard.
Enabling DNSSEC automatically creates a DNSKEY record within the zone.

Additionally, the zone appears in the list of zones (i.e., DNS > Zones) with a shield icon indicating DNSSEC is enabled.

To complete DNSSEC configuration, you must enable and configure DNSSEC at the domain’s registrar.
Refer to the instructions provided by your domain registrar to apply the DNSSEC configuration details shown in the “View detailed instructions” dialog box in the previous step — including the key tag, algorithm, flags, digest, digest type, and public key.
Once the updates propagate, validate the configuration by entering the domain name in a public DNSSEC authentication tool, such as https://dnssec-debugger.verisignlabs.com. If the configuration is successful, an array of green checkmarks will appear indicating no errors.
Execute the POST command below to enable DNSSEC on a non-secondary zone using the NS1 API, replacing <zone> in the URL path with the unique name of the zone. Note that the zone name is likely the same as the zone FQDN unless you applied a custom zone name or associated the zone with a DNS view during zone creation.
curl -X POST -H "X-NSONE-Key: $NSONE_API_KEY" 'https://api.nsone.net/v1/zones/<zone>' -d '{"dnssec":true}'
Then, execute the following GET command to view DNSSEC-related details about the zone that you will need to apply at the domain registrar.
curl -X GET -H "X-NSONE-Key: $NSONE_API_KEY" 'https://api.nsone.net/v1/zones/<zone>/dnssec'
Copy the zone data returned in the response — including key tag, algorithm, flags, digest, digest type, and public key. You'll need this information in the next step.
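A DS entry at the registrar that does not match the zone's DNSKEY causes validating resolvers to reject the zone, so it helps to recompute the key tag and digest from the flags, algorithm, and public key before submitting them. The following is an added example, not NS1 code: it takes the values as plain arguments, assumes the DNSKEY protocol field is 3 as fixed by RFC 4034, and uses a constructed placeholder key and the zone name example.com.

```python
import base64
import hashlib
import struct

# Digest types from the IANA DS registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    key = base64.b64decode(public_key_b64, validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lowercase) wire form of the zone name."""
    labels = [part for part in name.lower().rstrip(".").split(".") if part]
    out = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return out + b"\x00"

def ds_digest(zone, rdata, digest_type=2):
    """DS digest = hash(owner name || DNSKEY RDATA), as upper-case hex."""
    return DIGESTS[digest_type](owner_wire(zone) + rdata).hexdigest().upper()

def ds_matches(zone, dnskey, ds):
    """True if the DS values prepared for the registrar match the DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    return (
        ds["key_tag"] == key_tag(rdata)
        and ds["algorithm"] == dnskey[2]
        and ds["digest"].replace(" ", "").upper()
        == ds_digest(zone, rdata, ds["digest_type"])
    )

# Constructed sample: 64 placeholder bytes standing in for an algorithm 13
# public key (flags 257, protocol 3). This is not a real key.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
SAMPLE_ZONE = "example.com"

if __name__ == "__main__":
    rd = dnskey_rdata(*SAMPLE_KEY)
    print(key_tag(rd), SAMPLE_KEY[2], 2, ds_digest(SAMPLE_ZONE, rd))
```

Pass the values copied from the portal or the API response to ds_matches() together with the DS values you intend to enter at the registrar; a False result means one of the fields was mistyped or belongs to a different key.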