This article describes a feature in Public Beta.
This article describes a feature that is only available to the new plans.
Table of Contents
- DNSSEC Scenarios
- Managing DNSSEC
- Enable DNSSEC
- Disable DNSSEC
- Key Rotation
- Troubleshooting DNSSEC configurations
DNSSEC Scenarios
DNSSEC provides a way to cryptographically build a chain of trust from the root name servers all the way through to authoritative name servers. Authenticating resolvers may then verify this chain of trust to ensure the DNS results were not tampered with while in transit.
We currently support DNSSEC in the following ways:
- If your domain is registered through DNSimple and you are using our authoritative name servers, then you may sign zones, and the insertion and rotation of your DS record is handled automatically.
- If your domain is registered through DNSimple but you host your DNS with another authoritative DNS provider, then you may add DS records for DNSSEC-enabled zones.
- If your domain DNS is hosted through DNSimple, but your domain is registered elsewhere, then you may sign zones in our name servers, but you will be required to handle the creation and rotation of DS records.
We do not support DNSSEC for zones using our outbound secondary DNS feature at this time.
Managing DNSSEC
DNSSEC is applied on a per-domain basis. You may manage DNSSEC by going to a domain’s management page and using the DNSSEC tab.
Enable DNSSEC
To enable DNSSEC, click on the “Configure DNSSEC” link once you’re on the DNSSEC management page for a domain.
Then click on the “Enable DNSSEC” button.
If your domain is registered with DNSimple, and using our name servers, then the zone will be signed and the DS record will be created in the appropriate domain registry.
If your domain is registered with us but delegated elsewhere, then you will need to provide the DS record information from your DNS provider.
If your domain is hosted with us but registered elsewhere, then once your zone is signed you will need to provide the DS record we give you to your domain registrar. You will also need to update the DS record with your domain registrar once every 90 days, as we automatically rotate both zone signing keys and key signing keys.
Warning: If your domain is registered with another domain registrar, then you should remove the DS record from that registrar before removing the zone signing from DNSimple.
Disable DNSSEC
To disable DNSSEC, go to the DNSSEC tab for the domain, and click on the Configure DNSSEC link again.
Click on the Delete DNSSEC Configuration button to remove the zone signing and the DS record if it is present.
Key Rotation
DNSimple currently rotates both key signing keys and zone signing keys every 90 days. Auto-rotation is mandatory and cannot be disabled.
- If your domain is both registered with us and uses our authoritative name servers: we will handle rotation of keys automatically.
- If your domain is NOT registered with us or DOES NOT use our authoritative name servers: you will receive an email notification whenever key rotation starts, with the new DS record, and you will need to rotate the DS records at your domain registrar within 3 days.
Warning: Failure to update the DS record at your registrar will result in downtime.
Please consider carefully whether you are able and willing to rotate DS records at your registrar if your domain is not registered with DNSimple. It is essential that DS records are updated whenever DNSSEC keys are rotated in your DNSimple zone. If you do not update your DS record when your keys change, then your domain will fail to resolve through resolvers that verify DNSSEC keys, including Google’s Public DNS. This will result in failed DNS resolution for your domains.
During the key rotation both the old and new keys will be attached to your zone for 3 days (the duration of the key rotation period). At the end of the rotation period our system will remove the old key leaving only the new key in place.
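The following is an added example, not DNSimple's own tooling: a check you can run during the 3-day overlap to confirm that the DS records at your registrar match the key signing keys currently in the signed zone. It derives a DS (SHA-256, digest type 2) from each KSK's DNSKEY RDATA as RFC 4034 specifies, then reports which KSKs still lack a DS at the parent and which DS records no longer match any key; the zone name and key material are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (16 bits), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS (key tag, algorithm, digest type 2 = SHA-256, digest) derived from a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def rotation_check(owner: str, zone_dnskeys: list, parent_ds: set) -> dict:
    """Compare the KSKs in the zone (SEP flag, low bit of the flags field) with the
    DS set published at the parent. 'missing' = KSKs with no DS at the registrar yet;
    'stale' = DS records matching no current key, removable once the new DS is live."""
    expected = {make_ds(owner, rd) for rd in zone_dnskeys if rd[1] & 0x01}
    return {"missing": expected - parent_ds, "stale": parent_ds - expected}

# Constructed sample data; these are not real keys (64-byte P-256 public keys, alg 13).
ZONE = "example.com."
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))
ZSK = dnskey_rdata(256, 13, bytes(range(128, 192)))  # ZSKs never need a DS

def demo() -> dict:
    # Mid-rotation: both KSKs are in the zone, but the registrar still holds only the old DS.
    parent = {make_ds(ZONE, OLD_KSK)}
    return rotation_check(ZONE, [OLD_KSK, NEW_KSK, ZSK], parent)

if __name__ == "__main__":
    result = demo()
    for ds in result["missing"]:
        print("Publish at registrar: DS", *ds)
    for ds in result["stale"]:
        print("Stale DS (remove after the overlap period): DS", *ds)
```

To use it against a live zone, replace the constructed DNSKEY RDATA with the records served by the zone's name servers and the parent set with the DS records the registry publishes.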
Troubleshooting DNSSEC configurations
The following tools may be helpful in troubleshooting DNSSEC configuration issues:
You may also contact DNSimple support if you have additional questions.