For organizations with multiple DNS providers, implementing DNSSEC can be a significant challenge. Often, different DNS providers have advanced or proprietary features and have departed from traditional DNS in which records are typically static. Each DNS provider generates a custom DNS response that cannot be pre-signed. Many providers use unique methods to implement DNSSEC signing based on their approach to traffic management.
You can use the NS1 API to configure external DNSSEC public keys (DNSKEY records), allowing you to use NS1's advanced or proprietary features with DNSSEC and multiple DNS vendors. However, note that your other DNS providers must also support the configuration of additional DNSSEC public keys to configure multi-signer DNSSEC (per Model 2 in RFC 8901) or migrate DNSSEC-enabled zones between DNS providers.
You can use the NS1 API to add multiple external DNSSEC key sets to the NS1 zone. The key set may contain multiple DNSSEC public keys (as in, DNSKEY records). For example, you might create one DNSSEC key set for each non-NS1 DNS provider that serves the zone.
Note
Currently, you can only configure external DNSSEC keys via NS1 API. This functionality is not yet available in the NS1 portal.
When you enable DNSSEC online signing for an NS1 zone, a DNSKEY record is created automatically within the zone containing public DNSSEC keys managed by NS1, including a key-signing key (KSK) and a zone-signing key (ZSK) for each enabled network. When you add one or more external DNSSEC key sets, you will notice additional answers within the zone's DNSKEY record — each answer representing one of the DNSSEC keys you specified.
Note that the DNSKEY record data does not reflect the grouping of DNSSEC key sets, so all keys appear in a single, ungrouped list of answers. To view the different sets of DNSSEC keys you created, submit a GET request against /v1/zones/{zone_name}/dnssec/external_keys.
- Before you specify one or more external DNSSEC keys within a zone, you must create the zone within the NS1 platform.
- You must have a valid NS1 API key with DNS-related "write" permissions enabled.
- You must enable DNSSEC on the zone, either before or after configuring the external DNSSEC keys; otherwise, the configuration is ignored.
Using the NS1 API, you can add one or more external DNSSEC keys via the "dnskey" object, which contains details of one or more DNSSEC public keys in the DNSKEY format. You must include this object in the request body for PUT and POST methods to create or modify the DNSSEC key sets.
While you can have multiple sets of external DNSSEC keys within a zone, you must create one set at a time. For example, you can create one DNSSEC key set corresponding to each non-NS1 provider, specifying one or multiple keys used by that provider to sign zone data. The way you group external DNSSEC keys into sets is up to you.
The example below demonstrates the dnskey object that must be included in the request body when creating or modifying a set of DNSSEC keys.
{
  "dnskey": {
    "ttl": 1200,
    "data": [
      {
        "flags": 256,
        "protocol": 3,
        "algorithm": 13,
        "public_key": "58MeBmjs+4Ry0L+DzBCKR8Y7iQnnj9mCJBvZU7uVRYJ8htKi03lKXs6YySLDSxUMk31TgWPclYc88Z2FUDuI2Q=="
      },
      {
        "flags": 257,
        "protocol": 3,
        "algorithm": 13,
        "public_key": "7LvMDsyZV9qy/vCzPuATbLPA5vqNmbHclp13zIDRQQiQNeBOcsS9WIaJmY+j2ZPEELz8RGq32y85K/YUgUMm2g=="
      }
    ]
  }
}
Within the dnskey object, you can specify a time-to-live (ttl) value (in seconds) for the key set. The data array contains one or more objects, each corresponding to one DNSSEC key. For each DNSSEC key, you must include the following parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| flags | int | (Required) An integer representing the DNSSEC key type. NS1 only supports two values: 256 (for ZSK) and 257 (for KSK). |
| protocol | int | (Required) Set this value to 3 to indicate this is a DNSSEC key. |
| algorithm | int | (Required) A 16-bit unsigned integer representing the DNSSEC key algorithm. NS1 supports a value of 13 (ECDSA-P256-SHA256) for DNSSEC signing. Note: Specifying an algorithm other than 13 is discretionary and may cause validation failures in certain scenarios. |
| public_key | string | (Required) Public key in Base64 encoding. |
Using the NS1 API, you can create one or more DNSSEC key sets within a given zone. Again, a DNSSEC key set is just a group of DNSSEC keys. For example, you can create one key set for each DNS provider associated with a zone.
Note
You must enable DNSSEC online signing on the NS1 zone, either before or after configuring external DNSSEC key sets; otherwise, the external key configuration will be ignored.
In addition to including the dnskey object in the request body, you must also specify the following URL path parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| zone_name | string | (Required) Unique name of the zone. By default, this is the same as the zone FQDN unless you applied a custom name during zone creation. |
| key_set_name | string | (Required) Name of the DNSSEC key set you are creating. All key set names within a zone must be unique. |
The example PUT request below creates a new DNSSEC key set with two DNSSEC keys (that is, two objects within the "data" array).
curl -X PUT -H "X-NSONE-Key: $NSONE_API_KEY" \
  https://api.nsone.net/v1/zones/{zone_name}/dnssec/external_keys/{key_set_name} \
  -d '{
    "dnskey": {
      "ttl": 1200,
      "data": [
        {
          "flags": 256,
          "protocol": 3,
          "algorithm": 13,
          "public_key": "58MeBmjs+4Ry0L+DzBCKR8Y7iQnnj9mCJBvZU7uVRYJ8htKi03lKXs6YySLDSxUMk31TgWPclYc88Z2FUDuI2Q=="
        },
        {
          "flags": 257,
          "protocol": 3,
          "algorithm": 13,
          "public_key": "7LvMDsyZV9qy/vCzPuATbLPA5vqNmbHclp13zIDRQQiQNeBOcsS9WIaJmY+j2ZPEELz8RGq32y85K/YUgUMm2g=="
        }
      ]
    }
  }'
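As an added example (not NS1's code or part of the original page), the script below builds the "dnskey" request body from DNSKEY records in the presentation format that dig prints for another provider's zone, rejects values the page says NS1 does not accept (flags other than 256/257, protocol other than 3, an algorithm-13 key that is not 64 bytes), and computes each key's RFC 4034 key tag so you can cross-check the zone's DNSKEY answers after the PUT. The zone name example.com and the dig lines are constructed; the public keys are the two from the page's example.

```python
import base64
import struct
# Constraints the page states for NS1 external DNSSEC keys.
ALLOWED_FLAGS = {256, 257}   # 256 = zone-signing key, 257 = key-signing key
REQUIRED_PROTOCOL = 3
PREFERRED_ALGORITHM = 13     # ECDSA P-256 / SHA-256
P256_PUBKEY_LEN = 64         # RFC 6605: Q is x | y, 32 octets each
# Constructed sample in the form `dig example.com DNSKEY` prints (hypothetical
# zone name); the two public keys are the ones in the page's examples.
SAMPLE_DIG_OUTPUT = """\
example.com. 1200 IN DNSKEY 256 3 13 58MeBmjs+4Ry0L+DzBCKR8Y7iQnnj9mCJBvZU7uVRYJ8htKi03lKXs6YySLDSxUMk31TgWPclYc88Z2FUDuI2Q==
example.com. 1200 IN DNSKEY 257 3 13 7LvMDsyZV9qy/vCzPuATbLPA5vqNmbHclp13zIDRQQiQNeBOcsS9WIaJmY+j2ZPEELz8RGq32y85K/YUgUMm2g==
"""

def key_tag(flags, protocol, algorithm, pubkey):
    # RFC 4034 Appendix B over the DNSKEY RDATA: the value dig prints as
    # 'id = NNN' and that a DS record at the registrar refers to.
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey_line(line):
    # One presentation-format DNSKEY RR -> one NS1 "data" entry, rejecting
    # values NS1 does not accept before they reach the API.
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    public_key = "".join(fields[idx + 4:])   # dig may split the key with spaces
    if flags not in ALLOWED_FLAGS:
        raise ValueError("flags must be 256 (ZSK) or 257 (KSK), got %d" % flags)
    if protocol != REQUIRED_PROTOCOL:
        raise ValueError("protocol must be 3, got %d" % protocol)
    raw = base64.b64decode(public_key, validate=True)
    if algorithm == PREFERRED_ALGORITHM and len(raw) != P256_PUBKEY_LEN:
        raise ValueError("algorithm 13 key must be 64 bytes, got %d" % len(raw))
    return {"flags": flags, "protocol": protocol,
            "algorithm": algorithm, "public_key": public_key}

def build_key_set(dig_lines, ttl=1200):
    # Request body for PUT/POST /v1/zones/{zone_name}/dnssec/external_keys/{key_set_name}.
    data = [parse_dnskey_line(l) for l in dig_lines if l.strip()]
    return {"dnskey": {"ttl": ttl, "data": data}}

def key_tags(body):
    # Key tags of each key in the body, to compare with `dig DNSKEY` after the PUT.
    return [key_tag(k["flags"], k["protocol"], k["algorithm"], base64.b64decode(k["public_key"])) for k in body["dnskey"]["data"]]
```

Pass `json.dumps(build_key_set(SAMPLE_DIG_OUTPUT.splitlines()))` as the -d payload of the PUT above; the key tags from key_tags() should then appear among the zone's DNSKEY answers alongside NS1's own KSK and ZSK.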
After configuring the DNSSEC key set(s) on the NS1 platform, you may need to repeat this process within your other DNS provider platforms depending on the configuration you are trying to achieve.
You can view details for all DNSSEC key sets within a given zone, or you can filter the response to focus on a particular key set by adding the name of the key set to the end of the URL path.
curl -X GET -H "X-NSONE-Key: $NSONE_API_KEY" https://api.nsone.net/v1/zones/{zone_name}/dnssec/external_keys/{key_set_name}
Using the NS1 API, you can edit external DNSSEC key set data — adding, removing, or updating keys within that set. Specify the zone name and the name of the DNSSEC key set in the URL path. Note that you cannot rename an existing DNSSEC key set.
The example POST request below modifies the existing DNSSEC key set data within a given zone.
curl -X POST -H "X-NSONE-Key: $NSONE_API_KEY" \
  https://api.nsone.net/v1/zones/{zone_name}/dnssec/external_keys/{key_set_name} \
  -d '{
    "dnskey": {
      "ttl": 1200,
      "data": [
        {
          "flags": 256,
          "protocol": 3,
          "algorithm": 13,
          "public_key": "58MeBmjs+4Ry0L+DzBCKR8Y7iQnnj9mCJBvZU7uVRYJ8htKi03lKXs6YySLDSxUMk31TgWPclYc88Z2FUDuI2Q=="
        },
        {
          "flags": 257,
          "protocol": 3,
          "algorithm": 13,
          "public_key": "7LvMDsyZV9qy/vCzPuATbLPA5vqNmbHclp13zIDRQQiQNeBOcsS9WIaJmY+j2ZPEELz8RGq32y85K/YUgUMm2g=="
        }
      ]
    }
  }'
Changes to the external DNSSEC keys are reflected immediately.
You can remove an external DNSSEC key set from a given zone. To do this, you must specify the zone name and the name of the DNSSEC key set in the URL path.
Note
Whenever possible, NS1 recommends updating an existing external key set (POST request) instead of deleting and recreating it. Otherwise, you can create a key set (PUT request) with a new name and then delete the old key set.
curl -X DELETE -H "X-NSONE-Key: $NSONE_API_KEY" https://api.nsone.net/v1/zones/{zone_name}/dnssec/external_keys/{key_set_name}
Warning
If the zone is DNSSEC-enabled at the registrar, be sure not to delete any keys that other providers actively use.