DNSSEC Quick Start Guide
DNSSEC is a set of extensions to the DNS protocol designed to add security to DNS responses, specifically to prevent malicious forging of DNS data. DNSSEC provides a method to authenticate the origin of a DNS response (so that you know it came from the authoritative source), data integrity (so that you know the answer has not been changed) and authenticated denial of existence (so that you can know when a name or record genuinely does not exist). DNSSEC helps protect your users by providing cryptographic assurance that your answers have not been vandalized or spoofed.
Restrictions
- UI Portal Only: DNSSEC is currently available on the UltraDNS Managed Services Portal (https://portal.ultradns.com) and the associated API (http://ultra-api.ultradns.com:8008/UltraDNS_WS/v01?wsdl).
- Future support is planned for Mobile (Android and iPhone) versions of UltraDNS.
Considerations
- Test First: We strongly recommend that you gain experience with the features and workflow of DNSSEC before signing your mission-critical domains. Test DNSSEC with a low-query-volume or small non-production test domain before signing your production domains.
- Service charge impact: DNSSEC is a protocol enhancement to DNS, and therefore UltraDNS does not charge for the feature. However, there may be some billing impact when security is added to a zone:
  - DNSSEC increases Resource Record Count: DNSSEC will increase the number of resource records within a zone and may have a marginal effect on your service charges. Review your contract for resource record count caps to ensure that signing a zone or zones will not exceed your contracted resource record count.
    - For “simple” domains that do not delegate subdomains outside of the zone, the resource record count may increase up to three times (3x) compared to an unsigned zone. This is due to the addition of RRSIG for each unique hostname and NSEC3 resource records for each RRSET.
    - For domains that have many delegations, the record count may increase up to five times for each secured delegation (for example, typically two DS, one RRSIG and one NSEC3).
  - DNSSEC may increase DNS queries: There may be an increase in query count for DNSSEC-signed zones compared to zones without DNSSEC. We anticipate this to be marginal, but it is very difficult to replicate reliably in lab environments. Your mileage may vary. There are many variables:
    - A domain with multiple delegated subdomains may be subjected to increased query load due to remote resolvers looking for validation information for the subdomains through the chain of trust.
    - DNSSEC will increase the size of DNS query responses. Response packets may exceed the maximum transmission unit (MTU) of a device in the network path between the server and the validating resolver. If the packet exceeds the MTU, the packet may be dropped, which may in turn trigger the validating server to query for the answer again (for example, with a smaller EDNS0 buffer size or over TCP).
    - Low resource record TTL values mean that validation information is not cached, and must therefore be queried more frequently.
- DNSSEC validation and short Resource Record Time To Live (TTL): TTL values under five minutes for any record secured with DNSSEC may not be cached long enough for remote resolvers to validate. Recursive resolver behavior is undefined: they may re-query for the records necessary to validate, or in some cases they may fail the query.
- Domain management workflow changes with DNSSEC: Without DNSSEC, changes to zone records propagate immediately. With DNSSEC, zone changes are queued until you click Re-sign in the portal. The portal will indicate the need to re-sign the zone when a signed zone changes.
- Annual Registrar Update: For each signed domain, you will be responsible for publishing a set of DS resource records with your Domain Registrar. The DS resource records are presented to you in the UltraDNS Portal. This procedure must be done when the zone is initially signed and is then scheduled to roll annually.
How to enable DNSSEC
DNSSEC support is optional. If you would like to use DNSSEC, contact UltraDNS Customer Support. Include DNSSEC request in the subject line and include your customer login name in the body. Please allow 24 hours to process the request.
Once enabled for your account, DNSSEC is available to your account through three different paths:
- UltraDNS Managed Services Portal: Open the Domain Services tab, select your domain, and then open the DNSSEC tab. This screen offers DNSSEC controls, a summary of DNSSEC Policy, the key roll schedule and the necessary DS resource records for the domain. Use this screen to add DNSSEC security to a domain.
- UltraDNS Zone Transfer Service: The UltraDNS service will accept zones signed with DNSSEC, and will serve the signed domain as a secondary on UltraDNS.
- UltraDNS Application Programming Interface (API): All the controls available within the Portal are also available within the API.
How to add DNSSEC to a domain
Quick Path
- UltraDNS Managed Services Portal > Domain > select a domain > DNSSEC > Sign.
- Provide the DS resource records to your domain registrar.
Full directions
- Sign in to the UltraDNS Managed Services Portal.
- Click Domains in the Navigation pane and select a domain from your domain list; the Records page appears.
  - If you do not have a domain, you will have to create one first. (Instructions on how to create a domain are available in the Managed Services Portal User Guide.)
- Click the DNSSEC header tab. Take a moment to review the DNSSEC policies, Key Signing Key (KSK), DS Resource Records, and Zone Signing Key (ZSK) sections.
  - If this domain has not been signed previously, the KSK, DS and ZSK sections will be empty.
- Click Sign in the Zone Status section. Depending on the size of the zone, signing should only take a few seconds. (Note that the screen will not refresh automatically; you can refresh it by selecting the DNSSEC tab again.) A confirmation message will appear when signing is complete.
  - The zone is now signed with DNSSEC, but it cannot yet be validated by remote resolvers.
  - Review the information found under DS Resource Records. This is the set of resource records used to validate the secure delegation from the parent of your domain.
  - Send the related DS Resource Records to your domain registrar. Once they have published the DS resource records in the parent domain, your domain is secured with DNSSEC.
- When you make a change to your domain’s resource records, the Portal will queue the change and display a message that you need to re-sign the zone. To re-sign the zone, click the DNSSEC header and click Re-sign in the Zone Status section.
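After the registrar has published the DS records (the "Send the related DS Resource Records" step above), it is worth confirming that what the parent actually serves matches the KSK shown in the portal. The following is an added example, not UltraDNS code: it recomputes the DS key tag and digest from a DNSKEY as RFC 4034 defines them, using a constructed sample key, so a DS line copied from the parent can be checked against the zone's own DNSKEY.

```python
import base64
import hashlib
import struct

# Constructed sample KSK (flags 257, protocol 3, algorithm 13). The key bytes are
# made up for illustration and are not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += struct.pack("B", len(label)) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(text):
    """Parse 'flags protocol algorithm base64key' into DNSKEY RDATA wire bytes."""
    flags, proto, alg, key_b64 = text.split(None, 3)
    key = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, dnskey_text, digest_type=2):
    """DS RDATA in presentation form: digest is hash(owner wire name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(dnskey_text)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_matches(owner, dnskey_text, published_ds):
    """True if a DS record as served by the parent matches this DNSKEY."""
    tag, alg, dtype, digest = published_ds.split(None, 3)
    if int(dtype) not in DIGESTS:
        return False  # cannot verify an unsupported digest type
    expected = ds_from_dnskey(owner, dnskey_text, int(dtype))
    got = f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest.split()).upper()}"
    return got == expected
```

Run ds_matches with the zone name, the KSK line from the portal's DNSKEY section, and the DS line returned by a query to the parent; a False result means the registrar has published a stale or mistyped DS.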
Known Limitations & Workarounds
- Portal “zone export” feature: The zone export feature allows you to make a copy of the zone data in BIND format. Currently, DNSSEC RRTYPE fields in the zone export are written with the numeric type code instead of the RRtype mnemonic. This is only cosmetic, and limited to the zone export feature. (The UltraDNS Resolvers will respond to zone transfer requests and queries as expected.) This will be addressed in an upcoming release. If you need a copy of the zone in BIND format in the interim, you may retrieve it through zone transfer or request a copy through UltraDNS Customer Care.
- The Key Roll schedule for the KSK and ZSK is set automatically by the system, based on the first signing event. Contact UltraDNS Customer Care if you need to change a key roll date or schedule an emergency key roll. An upcoming release will add support for changing the key roll schedules.
- The UltraDNS Portal automatically generates the DS resource records necessary for secure delegation from the parent domain; however, the portal does not currently provide a place to add DS resource records for delegated subdomains. Support for DS resource records for delegations will be added shortly. If this is necessary in the interim, contact Customer Care.
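The zone export limitation above and the short-TTL consideration under Considerations both come down to inspecting the exported zone file. The following is an added example, not part of UltraDNS's tooling: it rewrites TYPE<n> codes for the DNSSEC record types back to their mnemonics and flags any record whose TTL is under five minutes, run over a constructed sample export. It assumes one record per line (no parenthesised multi-line records).

```python
import re

# RR types a signed zone carries, keyed by type code (RFC 3597 generic form is TYPE<n>).
DNSSEC_TYPES = {43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3", 51: "NSEC3PARAM"}
MIN_TTL = 300  # five minutes, the threshold named under Considerations

def normalize_type(token):
    """Map TYPE<n> to its mnemonic for the DNSSEC types above; leave other tokens untouched."""
    m = re.fullmatch(r"TYPE(\d+)", token, re.IGNORECASE)
    return DNSSEC_TYPES.get(int(m.group(1)), token) if m else token

def lint_zone(text):
    """Return (rewritten zone text, warnings). Assumes one record per line; honours $TTL."""
    default_ttl, owner, out, warnings = None, None, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split(";", 1)[0]                      # strip comments
        tokens = body.split()
        if not tokens or tokens[0].startswith("$"):      # blank line or directive
            if tokens and tokens[0].upper() == "$TTL":
                default_ttl = int(tokens[1])
            out.append(raw)
            continue
        if body[0].isspace():                            # blank owner column: reuse owner
            rest = tokens
        else:
            owner, rest = tokens[0], tokens[1:]
        ttl = default_ttl
        for _ in range(2):                               # TTL and class may come in either order
            if rest and rest[0].isdigit():
                ttl = int(rest.pop(0))
            elif rest and rest[0].upper() in {"IN", "CH", "HS"}:
                rest.pop(0)
        if not rest:
            warnings.append(f"line {lineno}: unparsable record")
            out.append(raw)
            continue
        rtype = normalize_type(rest[0])
        if ttl is not None and ttl < MIN_TTL:
            warnings.append(f"line {lineno}: {owner} {rtype} TTL {ttl}s is under {MIN_TTL}s")
        out.append(re.sub(r"\b%s\b" % re.escape(rest[0]), rtype, raw, count=1) if rtype != rest[0] else raw)
    return "\n".join(out), warnings

# Constructed sample export in the form the page describes: numeric codes for DNSSEC types.
SAMPLE_EXPORT = """$TTL 3600
example.com.     IN TYPE48 257 3 13 AAAA
example.com. 60  IN A 192.0.2.1
                 IN TYPE46 A 13 2 3600 20300101000000 20200101000000 12345 example.com. AAAA
sub.example.com. IN TYPE43 12345 13 2 ABCDEF
"""
```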
As always, Support is here to help at either +1 (844) 929-0808, Options 1 - 2, or at https://www.ultraproducts.support.