NS1 Status

Articles in this section

See more

Enabling DNSSEC on a sub-delegation (child zone)

  • Updated
Follow

A common use case for creating subzones is to delegate responsibility for a segment of the DNS namespace to someone else. For example, the domain "ns1.com" is segmented such that "help.ns1.com" is sub-delegated to the team managing this Help Center. However, there may be different requirements for setting up DNSSEC on a sub-delegation than on its parent zone.

NOTE
Refer to this article for instructions on how to enable DNSSEC on a top-level (or primary) zone.
NOTE
NS1 recommends testing the configuration below on a designated “test zone” before running it on critical production zones.

The instructions below assume the zone is delegated to NS1 already, and DNSSEC is not yet enabled at the registrar.

To enable DNSSEC for a child zone (sub-delegation):

  1. In the NS1 portal, add a zone and a child zone (sub-delegation).

  2. Within the parent zone, create an NS record for the child zone. This is necessary so that the DNSSEC-validating resolvers recognize whether or not the child zone is DNSSEC-secure.

    NOTE
    We recommend configuring the NS record in the parent zone to be identical to the NS record which was automatically created in the child zone.

  3. Enable DNSSEC on both the parent and child zones.

    NOTE
    DNSSEC-enabled resolvers will not validate the responses until DS records are set up.

  4. Create the DS records for the child zone within the parent zone. The DS record data you should use can be found in the portal under Zone Settings for the child shown (sub.example.com) under DNSSEC config. This step creates a DNSSEC trust from example.com into sub.example.com.

  5. After enabling DNSSEC on the individual zone, click "View Detailed Instructions."

  6. Copy and paste the data retrieved from the previous step—including key tag, algorithm, flags, digest, digest type, DNSKEY—to the portal of your domain’s registrar. Instructions vary based on the registrars.

  7. Once the updates propagate, check to ensure functionality is working properly by inputting the domain name into a public DNSSEC authentication tool, such as https://dnssec-debugger.verisignlabs.com/.

    NOTE
    Some registrars may ask for the DS record. The record data is shown in the NS1 portal under Zone Settings for the parent zone under DNSSEC config.

    Once the registrar updates the delegation information and includes the DS record, the DNSSEC-aware resolvers will start to validate the created zone and its child zone.

     

Related articles