NS1 Status

Articles in this section

See more

Enabling DNSSEC on a primary zone

  • Updated
Follow
Update (July 2021)
The NS1 Connect platform supports DNSSEC-signed secondary zones over XFR, but not yet for primary zones. Refer to FAQs: DNSSEC with NS1 for details.

The Domain Name System Security Extensions (DNSSEC) are a set of enhancements to standard DNS functionality. Due to the decentralized and hierarchical nature of DNS, it is possible for a malicious actor to modify (or "poison") the cached answer of a recursive DNS resolver. An attacker could redirect a user from the intended website to a different and potentially dangerous one of their choosing.

To defend against such attacks, DNSSEC offers a mechanism for recursive DNS resolvers to verify the authenticity of the information received from the previous authoritative DNS server.

DNSSEC functionality is available to all NS1 customers at no additional cost. DNSSEC-enabled zones retain full traffic management and advanced feature functionality.

How to enable DNSSEC with NS1

Prior to enabling DNSSEC on your domain, check with your domain’s registrar to make sure they support NS1's implementation of the feature. The registrar must:

  • support adding DNSSEC records (DS and/or DNSKEY), 
  • support your specific TLD (top-level domain), and 
  • allow signing of algorithm 13. 
    (Note: More information about DNS security algorithms can be found here.)

Follow the steps below to ensure no interruptions to service.

Step 1: Enable DNSSEC globally.

Contact support@ns1.com to request the enablement of this function on your organization's account.

Step 2: Enable DNSSEC for each zone.

Via the NS1 portal:

  1. Log in to the NS1 portal (via https://my.nsone.net).

  2. Click DNS in the main navigation to view a list of all the DNS zones associated with your account.

    zones_page__new_.png

  3. Click the zone to which you would like to enable DNSSEC. Then select the Zone Settings tab.

    zone_settings_delete.png

  4. Click the checkbox next to Enable DNSSEC (located near the bottom left corner of the screen) to enable the feature for that zone, and then click the Save all changes button.

    enable_DNSSEC_save.png

Via API:

curl -X POST -H 'X-NSONE-Key: <API-key>' 'https://api.nsone.net/v1/zones/<name>' -d '{"dnssec":true}'

Step 3: Copy zone-specific DNSSEC data.

Locate and record (copy) the zone-specific DNSSEC data that will be input at the domain’s registrar. This information is generated automatically once DNSSEC is enabled on a zone. 

  1. After enabling DNSSEC on the individual zone, click "View Detailed Instructions" or send the following GET request to our API:
    curl -X GET -H 'X-NSONE-Key: <API-key>' 'https://api.nsone.net/v1/zones/<name>/dnssec'
  2. Copy/record the data retrieved.

 Step 4: Paste the data to the domain's registrar.

  1. Paste the data retrieved from the previous step—including key tag, algorithm, flags, digest, digest type, public key—to the portal of your domain’s registrar. Instructions vary based on the registrars. 

  2. Once the updates propagate, check to ensure functionality is working properly by inputting the domain name into a public DNSSEC authentication tool, such as https://dnssec-debugger.verisignlabs.com/.

A successful result will reveal an array of green checkmark icons with no indication of errors:

 

 

Related articles