NS1 status

Articles in this section

FAQs: DNSSEC with NS1

  • Updated
Follow

Note

DNSSEC is available on all NS1 accounts by default, but you must enable DNSSEC on the zone(s) upon which you wish to apply this feature. Please contact the NS1 support team if you have questions or experience any issues.

How long does it take to enable DNSSEC on a zone?

Enabling DNSSEC on a zone is an instant operation. The NS1 Connect portal employs DNSSEC online signing to sign the DNS responses. When you successfully enable DNSSEC on a primary zone in NS1 Connect, that zone displays in your zones list with a shield-and-checkmark icon.

dnssec_shield.png

How often are zone-signing keys (ZSK) and key-signing keys (KSK) rolled?

Currently, ZSK and KSK are not rolled regularly. NS1 uses the ECDSA P256 algorithm, deemed safe now and for the foreseeable future. In case of an emergency, NS1 can roll the ZSK transparently. However, the DNS protocol does not allow transparent KSK roll, so NS1 would coordinate with the customer if the roll was needed.

Can I upload my keys to NS1 and the registrar?

No, you cannot upload a custom DNSSEC signing key.

Do delegation signer (DS) records expire?

DS records are published in the parent zone and included in the response as a part of the delegation. The records have no explicit expiration but need an associated signature that can expire. As the records exist in the parent zone, their signatures are maintained and updated by the operator of the parent zone, in most cases, by the TLD registry.

Is it safe to modify zone configuration concerning DNSSEC?

Until the zone is securely delegated at the registrar (i.e., the DS record is published), the DNS resolvers do not expect the zone to be signed—therefore, it is safe to modify any DNSSEC-related zone configuration and conduct testing.

Before providing the DS record to the registrar, make sure DNSSEC has been enabled for the time necessary for all resolvers to expire records for the zone before DNSSEC was enabled. The SOA record minimum-TTL value specifies the required time in seconds (see nx_ttl for the zone in the NS1 API).

After the DS record has been published in the delegation, you should avoid disabling DNSSEC on the zone, as this can lead to DNSSEC validation errors.

Can NS1 serve a zone that has been DNSSEC-signed by myself or another provider?

On NS1 Connect, DNSSEC is supported on zone transfers from the primary zone (hosted elsewhere) to the secondary zone (hosted by NS1) in which an NSEC or NSEC3 record provides authenticated denial of existence. Contact NS1 customer support with any additional questions.

Related articles