How long does it take to enable DNSSEC on a zone?
Enabling DNSSEC is an instant operation because the NS1 DNS platform uses DNSSEC online signing, signing DNS responses as they are served rather than pre-signing the zone.
How often are zone-signing keys (ZSK) and key-signing keys (KSK) rolled?
Currently, ZSK and KSK keys are not rolled on a regular basis. NS1 uses the ECDSA P-256 algorithm, which is considered safe now and for the foreseeable future. In case of emergency, we are able to roll the ZSK transparently. The DNS protocol, however, does not allow a transparent KSK roll, because the DS record in the parent zone must change along with the key, so we would coordinate with the customer if a roll were needed for any reason.
Can I manage my own keys to be uploaded to NS1 and the registrar?
No, you cannot upload a custom DNSSEC signing key.
Is it safe to modify zone configuration with respect to DNSSEC?
Until the zone is securely delegated at the registrar (i.e. a DS record is published in the parent zone), validating resolvers do not expect the zone to be signed; therefore it is safe to modify any DNSSEC-related zone configuration and to conduct testing.
Before providing the DS record to the registrar, make sure DNSSEC has been enabled for long enough that every resolver has expired the records it cached for the zone before DNSSEC was enabled. The SOA record's minimum TTL value (the zone's nx_ttl in the NS1 API) specifies the required time in seconds.
After the DS record has been published in the delegation, avoid disabling DNSSEC on the zone, as this would cause DNSSEC validation failures for the zone.
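As an added example, not part of NS1's documentation or API, the following Python check covers the pre-publication steps above: it derives the DS record (RFC 4034 key tag and SHA-256 digest) from a zone's KSK DNSKEY, compares it with the DS set a parent publishes, and applies the SOA minimum TTL waiting rule before the DS is handed to the registrar. The key material is constructed, and the nx_ttl value is assumed to have been fetched from the NS1 zone record separately.

```python
import base64
import hashlib
import struct

ECDSAP256SHA256 = 13   # DNSKEY algorithm number for ECDSA P-256 (RFC 6605), the algorithm NS1 uses
DS_DIGEST_SHA256 = 2   # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with the carry folded in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey_b64):
    """DS RDATA (key tag, algorithm, digest type, hex digest) derived from one DNSKEY.
    Per RFC 4034 the digest covers the owner name in wire form followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, DS_DIGEST_SHA256, digest


def parent_ds_matches(zone_ds, parent_ds_set):
    """True if the DS derived from the zone's KSK is among the DS records the parent publishes."""
    tag, alg, dtype, digest = zone_ds
    return any(t == tag and a == alg and d == dtype and dg.upper() == digest
               for t, a, d, dg in parent_ds_set)


def ds_publication_ready(enabled_at, now, soa_minimum_ttl):
    """Waiting rule from the FAQ: hand the DS to the registrar only once DNSSEC has been
    enabled for at least the SOA minimum TTL (nx_ttl, assumed fetched separately), so that
    no resolver still caches pre-DNSSEC records for the zone. Times are Unix seconds."""
    return now - enabled_at >= soa_minimum_ttl


# Constructed sample KSK (flags 257 = zone key + SEP), not a real key: 64 bytes of 0x01.
SAMPLE_KSK_B64 = "AQEB" * 21 + "AQ=="
```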
Do delegation signer (DS) records expire?
DS records are published in the parent zone and are returned as part of the delegation response. The records themselves have no explicit expiration, but they must have an associated RRSIG, which does expire. Because the records live in the parent zone, their signatures are maintained and refreshed by the operator of the parent zone, in most cases the TLD registry.