A common use case for creating subzones is to delegate responsibility for a segment of the DNS name space to someone else. For example, the domain ns1.com is segmented such that help.ns1.com is sub-delegated to the team managing this Help Center. However, there may be different requirements for setting up DNSSEC on a subdelegation than on its parent zone.
Refer to this article for instructions on how to enable DNSSEC on a top-level (or parent) zone.
NS1 recommends testing the configuration below on a designated “test zone” before running it on critical production zones.
The instructions below assume that the zone is delegated to NS1 already, but that DNSSEC is not yet enabled at the registrar.
To enable DNSSEC for a child zone/subdelegation:
In the NS1 portal, add a zone and a child zone (subdelegation).
Within the parent zone, create an NS record for the child zone. This is necessary so that the DNSSEC-validating resolvers recognize whether the child zone is DNSSEC-secure or not.
Note: We recommend configuring the zones so that the NS record created in the parent zone matches the one in the child zone.
Enable DNSSEC on both the parent and child zones.
Note: DNSSEC-enabled resolvers will not validate the responses until DS records are set up.
In the portal, create the DS records for the child zone within the parent zone. The DS record data to use is shown in the portal under Zone Settings for the child zone (sub.example.com in this example), under DNSSEC config. This step creates a DNSSEC trust from example.com into sub.example.com.
Provide the registrar with DNSKEY configuration for the parent zone.
Note: Some registrars may ask for the DS record. The record data is shown in the portal under Zone Settings for the parent zone under DNSSEC config.
Once the registrar updates the delegation information and includes the DS record, the DNSSEC-aware resolvers will start to validate the created zone and its child zone.
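A DS record is a digest of the owner name plus the DNSKEY record data (RFC 4034), so a DS value copied into the parent zone or handed to a registrar can be checked against the key it is supposed to reference before resolvers start validating. The following is an added example, not NS1 code: it assumes digest type 2 (SHA-256), and the sample key is a constructed placeholder rather than a real public key.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, per RFC 4034."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(dnskey: str) -> bytes:
    """Parse 'flags protocol algorithm base64key' into DNSKEY RDATA bytes."""
    flags, proto, alg, *key = dnskey.split()
    header = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return header + base64.b64decode("".join(key))

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit sum of the RDATA, carry folded in."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner: str, dnskey: str) -> str:
    """DS RDATA (assumed digest type 2, SHA-256) the parent should publish."""
    rdata = dnskey_rdata(dnskey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"

def ds_matches(owner: str, dnskey: str, ds: str) -> bool:
    """True if DS text copied from the parent matches the child's DNSKEY."""
    fields = ds.upper().split()
    # Some tools print the digest in space-separated chunks; rejoin them.
    normalized = fields[:3] + ["".join(fields[3:])]
    return normalized == make_ds(owner, dnskey).split()

# Constructed sample: algorithm 13 with placeholder key bytes, not a real key.
SAMPLE_KEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = make_ds("sub.example.com", SAMPLE_KEY)
    print("DS to publish in example.com:", ds)
    print("matches child key:", ds_matches("sub.example.com", SAMPLE_KEY, ds))
```

A mismatch between the DS in the parent and the child's DNSKEY causes validating resolvers to treat the child zone's answers as bogus, so run the comparison with the values shown under DNSSEC config before the DS goes live.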