NS1 Status

Articles in this section

See more

Enabling DNSSEC on a sub-delegation

  • Updated
Follow

A common use case for creating sub-delegations is to delegate responsibility for a segment of the DNS namespace to someone else. For example, the domain "ns1.com" is segmented such that "help.ns1.com" is sub-delegated to the team managing this Help Center. However, there may be different requirements for setting up DNSSEC on a sub-delegation than on its parent zone.

Note

Refer to this article for instructions on how to enable DNSSEC on a top-level (primary) zone.

Warning

NS1 recommends testing the configuration below on a designated "test zone" before configuring on production zones.

Instructions

Note

The instructions below assume the zone is delegated to NS1 already and that DNSSEC is not yet enabled at the registrar.

  1. Create a zone and sub-delegation on the NS1 Connect platform.

  2. Within the parent zone, create an NS record for the child zone. This is necessary so that the DNSSEC-validating resolvers recognize whether or not the child zone is DNSSEC-secure.

    Note

    NS1 recommends configuring the NS record in the parent zone to be identical to the NS record which was automatically created in the child zone.

  3. Enable DNSSEC on both the parent and child zones. DNSSEC-secured zones display in NS1 Connect in your zones list with a shield-and-checkmark icon.

    dnssec_shield.png

    Note

    DNSSEC-enabled resolvers will not validate the responses until DS records are configured.

  4. In NS1 Connect, navigate to the Zone Settings page for the child zone and scroll to the bottom of the page. If DNSSEC is enabled, a link to View Detailed Instructions appears beneath the DNSSEC option. Click this link to view a dialog box with zone-specific DNSSEC data. Copy/record this data as you will need this to create the DS record in the parent zone. Alternatively, you can do this via API. Refer to this article for details.

  5. Create the DS records within the parent zone using the child zone's DNSSEC data recorded in the previous step. The creation of the DS record creates a DNSSEC trust between the parent and child zone.

  6. Navigate to the Zone Settings page for the parent zone (the one within which you just created the DS record). Scroll to the bottom of the page, and click View Detailed Instructions beneath the enabled DNSSEC configuration option. Click this link to view a dialog box with zone-specific DNSSEC data (for the parent zone). Copy/record this data as you will need to provide it to the domain's registrar.

  7. Copy and paste the data retrieved from the previous step—including key tag, algorithm, flags, digest, digest type, DNSKEY—to the portal of your domain’s registrar. Instructions vary based on the registrars.

  8. Once the updates propagate, check to ensure functionality is working properly by inputting the domain name into a public DNSSEC authentication tool, such as https://dnssec-debugger.verisignlabs.com/.

    Once the registrar updates the delegation information and includes the DS record, the DNSSEC-aware resolvers will start to validate the created zone and its child zone.

Related articles