A common use case for creating sub-delegations is to delegate responsibility for a segment of the DNS namespace to someone else. For example, the domain "ns1.com" is segmented such that "help.ns1.com" is sub-delegated to the team managing this Help Center. However, there may be different requirements for setting up DNSSEC on a sub-delegation than on its parent zone.
DNSSEC is available on all NS1 accounts by default, but you must enable DNSSEC on the zone(s) upon which you wish to apply this feature. The NS1 Connect platform supports DNSSEC on a top-level (primary) zone. Please contact the NS1 support team if you have questions or experience any issues.
NS1 recommends testing the configuration below on a designated "test zone" before configuring on production zones.
The instructions below assume the zone is already delegated to NS1 and that DNSSEC is not yet enabled at the registrar.
Create a zone and sub-delegation on the NS1 Connect platform.
Within the parent zone, create an NS record for the child zone. This is necessary so that the DNSSEC-validating resolvers recognize whether or not the child zone is DNSSEC-secure.
NS1 recommends configuring the NS record in the parent zone to be identical to the NS record which was automatically created in the child zone.
Enable DNSSEC on both the parent and child zones. DNSSEC-secured zones display in NS1 Connect in your zones list with a shield-and-checkmark icon.
DNSSEC-enabled resolvers will not validate the responses until DS records are configured.
In NS1 Connect, navigate to the Zone Settings page for the child zone and scroll to the bottom of the page. If DNSSEC is enabled, a "View detailed instructions" link appears beneath the DNSSEC option. Click this link to view a dialog box with zone-specific DNSSEC data. Copy or record this data; you will need it to create the DS record in the parent zone. Alternatively, you can do this via API. Refer to this article for details.
Create the DS records within the parent zone using the child zone's DNSSEC data recorded in the previous step. The creation of the DS record creates a DNSSEC trust between the parent and child zone.
Navigate to the Zone Settings page for the parent zone (the one within which you just created the DS record). Scroll to the bottom of the page and click "View detailed instructions" beneath the enabled DNSSEC configuration option to view a dialog box with zone-specific DNSSEC data (for the parent zone). Copy or record this data, as you need to provide it to the domain's registrar.
Copy and paste the data retrieved from the previous step—including key tag, algorithm, flags, digest, digest type, DNSKEY—to the portal of your domain’s registrar. Instructions vary based on which registrar you use.
Once the updates propagate, check to ensure functionality is working properly by inputting the domain name into a public DNSSEC authentication tool, such as https://dnssec-debugger.verisignlabs.com/.
Once the registrar updates the delegation information and includes the DS record, the DNSSEC-aware resolvers will start to validate the created zone and its child zone.
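Before creating the DS record in the parent zone or pasting values into the registrar portal, you can check offline that the copied key tag, algorithm, digest type, and digest really correspond to the DNSKEY. The Python code below is an added example, not NS1 code and not part of the original article; it derives the DS fields as defined in RFC 4034 and reports any mismatch. The zone name, key bytes, choice of algorithm 13, and all function names are constructed or hypothetical.

```python
import base64
import hashlib
import struct

# IANA DS digest type numbers: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lowercased) wire format of a domain name."""
    labels = [p.encode("ascii") for p in name.lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for obsolete algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey, digest_type=2):
    """Derive (key tag, algorithm, digest type, digest) for a DNSKEY at `owner`."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), dnskey[2], digest_type, digest

def check_ds(owner, dnskey, ds):
    """List the ways a DS record fails to match the zone's DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return [f"unsupported digest type {dtype}"]
    want = make_ds(owner, dnskey, dtype)
    checks = [
        (dnskey[0] & 0x0100, "DNSKEY is not a zone key (flags bit 7 unset)"),
        (tag == want[0], f"key tag {tag} != computed {want[0]}"),
        (alg == want[1], f"algorithm {alg} != DNSKEY algorithm {want[1]}"),
        (digest.replace(" ", "").upper() == want[3], "digest does not match owner name + DNSKEY"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample data: not a real key, and the zone name is a placeholder.
CHILD = "help.example.com"
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    ds = make_ds(CHILD, SAMPLE_KEY)
    print("DS for parent zone:", *ds, "| problems:", check_ds(CHILD, SAMPLE_KEY, ds) or "none")
```

The digest covers the owner name as well as the key, so a DS record for the child zone only validates when it is computed with the child's name, not the parent's. An empty problem list means the DS data and the DNSKEY agree.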