NS1 status

Articles in this section

Enabling DNSSEC on a subdelegation

  • Updated
Follow

Typically, a DNS zone represents an entire domain and contains one or more A, AAAA, and/or CNAME records for each subdomain. In some cases, you might need to delegate responsibility for a segment of the DNS namespace to someone else — for example, if a segment of a domain (e.g., help.ns1.com) is managed by a different DNS provider than the rest of the domain (e.g., ns1.com). In this case, you can create a separate zone file for the subdomain and update the nameserver (NS) records within the parent zone to point to the subdomain’s nameserver(s).

You can configure DNSSEC online signing for a parent zone and a subdelegation (sometimes referred to as a child zone) by enabling DNSSEC on both zones, adding a DS record to the parent zone containing the child zone’s DNSSEC data, and then adding the DNSSEC details for the parent zone to the domain registrar.

Note

You can enable DNSSEC online signing on any primary (non-secondary) zones, including subdelegations and child zones.

Warning

NS1 recommends testing the configuration below on a designated "test zone" before configuring on production zones. Note that when following the process below, there will be a period of time during which incoming queries to the subdelegated/child zone records will receive an NXDOMAIN response. This occurs after you enable DNSSEC on the subdelegated/child zone until you add the DS record to the parent zone.

Instructions

Note

The instructions below assume both the parent and child zones are hosted on the NS1 platform. If the parent or subdelegated/child zone is hosted by another DNS provider, then instructions will vary.

Step 1: Configure the parent zone and subdelegated or child zone.

If you haven’t already done so, create the parent zone representing your overarching domain and a child zone or subdelegation representing a segment of that domain. Often, these zones are hosted by two different DNS providers so the specific instructions may vary.

  1. Create the parent zone. This must be a primary (or non-secondary) zone. Refer to Create a DNS zone for instructions.

  2. Create the subdelegation or child zone. Refer to Subdelegations and child zones for details.

  3. If you haven't already, add a new NS record to the parent zone matching the NS record found in the subdelegated/child zone.

    Warning

    Do not remove any existing NS records in the parent zone.

Step 2: Enable DNSSEC on the parent zone.

Refer to Enabling DNSSEC for a primary (or non-secondary) zone for instructions. If the parent zone is not hosted by NS1, refer to the respective provider’s instructions for enabling DNSSEC.

Zones with DNSSEC online signing appear in the zone list with the shield icon.

Zones_-_Highlight_DNSSEC_icon_on_zone.png

Warning

Once you enable DNSSEC on the parent zone, you must update the domain registrar with the DNSSEC-related data provided by NS1 — including the key tag, algorithm, flags, digest, digest type, and public key.

Step 3: Enable DNSSEC on the subdelegated/child zone.

Follow the instructions below to enable DNSSEC online signing for the child zone hosted on the NS1 platform. Note that these instructions are nearly identical to the instructions for updating a primary zone, except that, in the final step, you will apply the DNSSEC data for the subdelegation to the parent zone instead of updating the domain registrar.

Note

If the subdelegation or child zone is not hosted by NS1, refer to the provider’s instructions for enabling DNSSEC.

  1. In the NS1 portal, navigate to the list of zones and click the name of the child zone to drill down into zone details.

    enabling_dnssec_on_subdelegation-image6.png

  2. Navigate to the Zone settings tab.

    enabling_dnssec_on_subdelegation-image8.png

  3. Scroll to the bottom of the page to the DNSSEC section, and then select the checkbox next to Enable DNSSEC.

    Zone_-_Zone_settings_-_DNSSEC__option_enabled_.png

  4. Click Save changes.

  5. A new button appears beneath the "Enable DNSSEC" option. Click View Detailed Instructions.

    view_detailed_instructions.png

  6. Record the DNSSEC details shown, including the key tag, algorithm, digest type, digest, flags, and public key.

    dialog-how_to_enable_DNSSEC.png

    You will populate the DS record in the parent zone with these details in the next step.

  7. Click Done.

Unlike the parent zone, the subdelegated/child zone delegation information is not transferred to the registrar. Instead, this information is copied to the parent zone within a DS record (see next step), which is then propagated to all systems.

Once enabled, the NS1 platform autogenerates a DNSKEY record within the subdelegated or child zone.

enabling_dnssec_on_subdelegation-image2.png

Warning

DNSSEC-enabled resolvers will not validate the responses until the DS record is configured.

Step 4: Add DS record to the parent zone

Next, you must establish a DNSSEC trust between the parent and child zone by creating a DS record within the parent zone that contains the DNSSEC-related data for the child zone.

  1. Navigate to the list of zones, and click the name of the parent zone (e.g., domain.edu) to drill down into zone details.

    enabling_dnssec_on_subdelegation-image9.png

  2. Click the + (add) button to create a new record. The Add Record window appears.

  3. Under Record type, select DS from the list.

    add_ds_record.png

  4. In the name field, enter the subdomain prefix corresponding to the subdelegated/child zone (e.g., sub.domain.edu).

  5. Under Answers, complete each form field with the subdelegated/child zone's DNSSEC configuration details (recorded in Step 3), including the key tag, algorithm, digest type, and digest data.

  6. Click Save record.

Step 5: Validation

Once the updates propagate, validate the configuration using a public DNSSEC authentication tool, such as https://dnssec-debugger.verisignlabs.com/. If the configuration is successful, an array of green check marks will appear, indicating no errors.

Related articles