DNSSEC

Table of Contents

• DNSSEC scenarios
• Managing DNSSEC
• Enabling DNSSEC
• Managing DS records
• Key rotation
• CDS/CDNSKEY
• Disabling DNSSEC
• Troubleshooting DNSSEC configurations

DNSSEC (Domain Name System Security Extensions) provides a way to cryptographically build a chain of trust from the root name servers to authoritative name servers. Authenticating resolvers may verify this chain of trust to ensure the DNS results weren’t tampered with while in transit. Check out our comics for a fun explanation of why we need DNSSEC.

DNSSEC scenarios

There are a variety of scenarios that DNSimple facilitates to ensure that your zone is signed. Use the scenarios below to understand how to configure your domain/zone.

Scenario 1: Registered and DNS-hosted at DNSimple

1. Enable DNSSEC for automatic zone signing, provisioning, and key rotation.

Scenario 2: Registered at DNSimple, but DNS-hosted elsewhere

1. Set up DNSSEC through your external DNS provider.
2. When you have the DNSSEC details, add them to your domain’s registrar using our DS management page.

Scenario 3: Registered elsewhere, but DNS-hosted at DNSimple

1. Enable DNSSEC to sign your zone. This initiates automatic key rotation.
2. After enabling, copy the DS record details over to your domain’s registrar.
3. When the key rotates every three months, we’ll send you an email with the details, which you’ll need to supply to your domain’s registrar.

Managing DNSSEC

DNSSEC is applied on a per-domain basis. DNSSEC management options are under the DNSSEC tab on a domain’s management page.

Enabling DNSSEC

1. Choose the relevant domain from your Domain List.
2. Click the DNSSEC tab on the left side.
3. On the Configure DNSSEC card, click Configure.

1. Click Enable DNSSEC.

The domain is registered with DNSimple and using our name servers

The zone is signed, and the DS record will be provisioned in the appropriate domain registry.

The domain is hosted with DNSimple but registered elsewhere

Provide the DS record we give you once your zone is signed to your domain registrar.

Update your DS record with your domain registrar once every 90 days, as we automatically rotate both zone signing keys and key signing keys.

Common warnings

A warning may be shown to highlight potential issues with enabling DNSSEC.

For example:

• The authoritative name servers for the zone are not all returning the same DNSKEY records.
• The authoritative name servers for the zone are not returning DNSKEY records that match up with the DS record or zone signing data.
• The DS record has not yet been provisioned at the registrar.

Managing DS records

You’ll be able to manage your records whether the TLD requires the DS records to be set up with the DS-Data interface or the KEY-Data interface. Read more about managing DS records.

Key rotation

DNSimple rotates key signing keys and zone signing keys every 90 days. Auto-rotation is mandatory. You can’t disable it.

• If your domain is registered with us and uses our authoritative name servers: we handle key rotation automatically.
• If your domain is not registered with us or does not use our authoritative name servers: you’ll receive an email notification with the new DS record whenever key rotation starts. You’ll need to rotate the DS records (remove the old record and add the new record) at your domain registrar within 7 days.

During the key rotation, old and new keys are attached to your zone for 7 days (the duration of the key rotation period). At the end of the rotation period, our system removes the old key, leaving only the new key in place.

Automating key rotation

If your domain registrar provides an API for managing DS records, you can automate rotation for domains registered outside DNSimple. To do this, use the dnssec.rotation_start and dnssec.rotation_complete webhook events. Read our developer documentation for more information on our webhooks API.

Manual key rotation

If your registrar requires the DNSKEY or other additional details, you can view your full DNSSEC configuration.

Locate the DNSSEC Configuration card under the DNSSEC tab of a domain’s management page.

Click View Configuration.

CDS/CDNSKEY

CDS and CDNSKEY are two record types that can be used to automatically provision and deprovision DS records at parent name servers. The parent name server provider must support CDS and/or CDNSKEY for these records to be used to automatically provision and deprovision DS records.

CDS and CDNSKEY record types are automatically generated for all DNSimple zones signed after January 1st, 2019, and for all new DNSSEC DNSKEY records created after January 1st, 2019. CDS and CDNSKEY records are managed by DNSimple. These records are not meant to be added or removed manually.

You can find details about how CDS and CDNSKEY work in RFC 8078.

DS records without a corresponding DNSKEY

When a DS record is present at your domain registrar, but there’s no corresponding DNSKEY in your zone, DNSSEC-aware resolvers will fail to resolve your domain. For example, with Google Public DNS this will result in a SERVFAIL. Clients using a non-DNSSEC-aware resolver will still be able to resolve your domain.

To fix this issue, remove the DS record from your registrar.

Disabling DNSSEC

1. Choose the relevant domain in your Domain List.
2. Click the DNSSEC tab on the left side.
3. On the the Disable DNSSEC card, click Disable DNSSEC to remove the zone signing and the DS record if it is present.

Troubleshooting DNSSEC configurations

These tools can help you troubleshoot DNSSEC configuration issues:

• Verisign DNSSEC Debugger
• DNSViz

You can also contact DNSimple support with any questions, and we’ll be happy to help.