Q: How long does it take to enable DNSSEC on a zone?
A: Enabling DNSSEC takes effect immediately. The NS1 Managed DNS platform uses online signing: signatures are generated for each DNS response as it is served rather than by pre-signing the zone, so there is no batch signing step to wait for.
Q: How often are zone-signing keys (ZSK) and key-signing keys (KSK) rolled?
A: Currently, ZSKs and KSKs are not rolled on a regular schedule. NS1 signs with ECDSA P-256 (ECDSAP256SHA256, DNSSEC algorithm 13), which is considered secure now and for the foreseeable future. In an emergency, NS1 can roll the ZSK transparently, because the ZSK is referenced only by the zone's own DNSKEY RRset, which NS1 controls. A KSK roll cannot be transparent: the DS record in the parent zone must be updated to match the new KSK, and only the zone owner can publish that through the registrar, so NS1 would coordinate the roll with the customer if it were ever needed.
Q: Can I manage my own keys to be uploaded to NS1 and the registrar?
A: No, you cannot upload a custom DNSSEC signing key.
Q: Is it safe to modify zone configuration with respect to DNSSEC?
A: Until the zone is securely delegated at the registrar (i.e. a DS record for it is published in the parent zone), validating resolvers treat the zone as unsigned, so it is safe to change any DNSSEC-related zone configuration and to test.
Before providing the DS record to the registrar, make sure DNSSEC has been enabled long enough for every answer cached from the unsigned zone to have expired from all resolvers. Wait at least the longest TTL used in the zone, including the negative-caching TTL taken from the SOA record's minimum field (exposed as nx_ttl for the zone in the NS1 API); if any record carries a longer TTL, that longer TTL is the time to wait.
Once the DS record is published in the delegation, do not disable DNSSEC on the zone: validating resolvers would then expect signatures that are no longer there and return validation failures (SERVFAIL) until the DS record is removed and has expired from caches.
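As an added example for the two steps above (not NS1 code), the script below does the two calculations a practitioner wants before handing a DS to the registrar: it reads a zone file and reports how long to wait after enabling signing, and it derives the DS RDATA (key tag, algorithm, SHA-256 digest) from a DNSKEY line per RFC 4034 section 5.1.4 and Appendix B. The zone, the DNSKEY line and its placeholder key bytes are constructed for illustration and are not a real key; the zone helper assumes a single-line SOA and numeric TTLs.

```python
"""Two checks for 'enable signing, wait, then publish the DS':
how long to wait, and which DS value to give the registrar (RFC 4034 s5)."""
import base64
import hashlib

DS_DIGEST_SHA256 = 2   # DS digest type 2 (SHA-256), what registrars expect today
DNSKEY_FLAG_SEP = 1    # Secure Entry Point bit: set on a KSK (flags 257), not a ZSK (256)


def safe_wait_seconds(zone_text: str) -> int:
    """Seconds to wait after enabling signing before publishing the DS.

    Every answer cached from the unsigned zone must have expired, so take the
    longest TTL in the zone; the negative-caching TTL (SOA minimum field) is
    folded in explicitly as the conservative bound. Assumes a single-line SOA.
    """
    default_ttl = None
    longest = 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        ttl = int(fields[1]) if fields[1].isdigit() else default_ttl
        if ttl is None:
            raise ValueError(f"record has no TTL and no $TTL directive: {line!r}")
        longest = max(longest, ttl)
        if "SOA" in fields:
            longest = max(longest, int(fields[-1]))   # SOA minimum = negative TTL
    return longest


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError(f"label too long in {name!r}")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum of the RDATA as big-endian 16-bit words, folded."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into
    (owner, flags, protocol, algorithm, public_key_bytes)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, proto, alg, base64.b64decode("".join(f[i + 4:]))


def ds_from_dnskey(line: str) -> str:
    """DS RDATA 'keytag algorithm digesttype hexdigest' for the KSK in a DNSKEY
    line; the digest is SHA-256 over canonical owner name || DNSKEY RDATA."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    if not flags & DNSKEY_FLAG_SEP:
        raise ValueError("DS must be derived from the KSK (flags 257), not a ZSK")
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {DS_DIGEST_SHA256} {digest}"


# Constructed sample zone (not real NS1 data): the 86400 s TTL on 'api' is the
# longest-lived answer a cache may still hold, so that, not the 300 s SOA
# minimum, is the time to wait.
SAMPLE_ZONE = """\
$TTL 3600
example.com. IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com. IN NS ns1.example.com.
www          300 IN A 192.0.2.10
api        86400 IN A 192.0.2.11   ; long-lived record
"""

# Constructed KSK line: flags 257, protocol 3, algorithm 13 (ECDSAP256SHA256),
# with placeholder key bytes 0x00..0x3F; NOT a real P-256 public key.
SAMPLE_KSK = ("example.com. 3600 IN DNSKEY 257 3 13 "
              + base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    print("wait before publishing DS:", safe_wait_seconds(SAMPLE_ZONE), "seconds")
    print("DS to give the registrar:", ds_from_dnskey(SAMPLE_KSK))
```

Run against a real zone, feed `ds_from_dnskey` the DNSKEY line with flags 257 that the provider publishes, and compare the output with the DS value shown in the provider's UI before entering it at the registrar; a mismatch in key tag or digest means you are about to delegate to the wrong key.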
Q: Do delegation signer (DS) records expire?
A: DS records are published in the parent zone and returned as part of the referral when the parent delegates to your zone. The records themselves have no expiration, but like any DNSSEC data they are covered by an RRSIG that does expire. Because the records live in the parent zone, the parent's operator, in most cases the TLD registry, maintains and re-signs them; the child zone operator does not need to do anything to keep them valid.
Q: Can NS1 serve a zone that has been DNSSEC-signed by myself or another provider?
A: Yes, if you configure the zone on NS1 as a secondary zone, so that NS1 serves the pre-signed records (DNSKEY, RRSIG, NSEC/NSEC3) it receives from your primary by zone transfer.
If using the NS1 Connect platform, a zone that NS1 manages and signs with DNSSEC cannot also be served by another provider: NS1 signs responses online with keys that only it holds, so another provider could not produce valid signatures for the same zone. NS1 must be the only authoritative DNS provider for that zone.