DNSSEC

Table of Contents

• DNSSEC Scenarios
• Managing DNSSEC
• Enable DNSSEC
• Disable DNSSEC
• Key Rotation
• Troubleshooting DNSSEC configurations

DNSSEC provides a way to cryptographically build a chain of trust from the root name servers all the way through to authoritative name servers. Authenticating resolvers may then verify this chain of trust to ensure the DNS results were not tampered with while in transit.

DNSSEC Scenarios

We currently support DNSSEC in the following ways:

• If your domain is registered through DNSimple and you are using our authoritative name servers, then you may sign zones and insertion and rotation of your DS record is handled automatically.
• If your domain is registered through DNSimple but host your DNS with another authoritative DNS provider, then you may add DS records for DNSSEC-enabled zones.
• If your domain DNS is hosted through DNSimple, but your domain is registered elsewhere, then you may sign zones in our name servers, but you will be required to handle the creation and rotation of DS records.

We do not support DNSSEC for zones using our outbound secondary DNS feature at this time.

Managing DNSSEC

DNSSEC is applied on a per-domain basis. You may manage DNSSEC by going to a domain’s management page and using the DNSSEC tab.

Enable DNSSEC

To enable DNSSEC, click on the “Configure DNSSEC” link once you’re on the DNSSEC management page for a domain.

Then click on the “Enable DNSSEC” button.

If your domain is registered with DNSimple, and using our name servers, then the zone will be signed and the DS record will be created in the appropriate domain registry.

If your domain is registered with us but delegated elsewhere, then you will need to provide the DS record information from your DNS provider.

If your domain is hosted with us but registered elsewhere, then you will need to provide the DS record we give you once your zone is signed to your domain registrar. You will also need to update your DS record with your domain registrar once every 90 days as we automatically rotate both zone signing keys and key signing keys.

Disable DNSSEC

Warning: If your domain is registered with another domain registrar, then you should remove the DS record from that registrar before removing the zone signing from DNSimple.

To disable DNSSEC, go to the DNSSEC tab for the domain, and click on the Configure DNSSEC link again.

Click on the Delete DNSSEC Configuration button to remove the zone signing and the DS record if it is present.

Key Rotation

DNSimple currently rotates both key signing keys and zone signing keys every 90 days. You cannot disable auto-rotation, it is mandatory.

• If your domain is both registered with us and uses our authoritative name servers: we will handle rotation of keys automatically.
• If your domain is NOT registered with us or DOES NOT uses our authoritative name servers: you will receive an email notification whenever key rotation starts, with the new DS record, and you will need to rotate the DS records at your domain registrar within 3 days.

During the key rotation both the old and new keys will be attached to your zone for 3 days (the duration of the key rotation period). At the end of the rotation period our system will remove the old key leaving only the new key in place.

Troubleshooting DNSSEC configurations

The following tools may be helpful in troubleshooting DNSSEC configuration issues:

• Verisign DNSSEC Debugger
• DNSViz

You may also contact DNSimple support if you have additional questions.