On The Fly Signing
As of September 2019, a new signing method called On the Fly signing is available. It is applied to any zone created after September 13th, 2019, and to any zone that is unsigned and then signed again.
On the Fly signing removes some of the previous signing restrictions and automatically re-signs the zone whenever changes are made to it. On the Fly Signing also introduces a new algorithm for Authenticated Denial of Existence: NSEC On the Fly. Like NSEC3, this algorithm prevents zone walking, but it is also compatible with On the Fly Signing. Zones that are already signed will not see any changes, and your Delegation Signer (DS) records will not be affected.
Legacy DNSSEC
The legacy version of DNSSEC uses Next Secure 3 (NSEC3) records when signing a zone. An NSEC3 record provides a "pointer" to the next name in the zone (record type does not matter). NSEC3 records are commonly used when there is a risk of someone "crawling" (walking) your domains: an attacker keeps querying names in the zone and uses the pointer in each negative response (from an NSEC record) to confirm which names exist, and then uses that list to mount an attack.
Unlike NSEC records, NSEC3 hashes the owner names, which makes the zone much harder to walk. For example, if you queried for b.example.com and the response returned a record spanning a.example.com to c.example.com, you could determine that b.example.com does not exist, because it would sort between a.example.com and c.example.com; with NSEC3 the same proof is made between the hashes of those names rather than the names themselves. This method provides stronger cryptographic validation, but at the cost of a more complicated DNS configuration.
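The interval check that NSEC and NSEC3 negative responses rely on, as an added Python example (not UltraDNS code): it implements the RFC 5155 NSEC3 owner-name hash and the RFC 4034 canonical-ordering test a validator uses to decide whether a record proves a queried name absent. The names, salt and iteration count are constructed for illustration.

```python
import base64
import hashlib

# Added example (not UltraDNS code). Names, salt and iteration count are constructed.
B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # RFC 4648 base32 alphabet
B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 base32hex alphabet (NSEC3)


def canonical_key(name):
    """Sort key for RFC 4034 canonical ordering: labels reversed, lowercase."""
    trimmed = name.rstrip(".").lower()
    labels = trimmed.split(".") if trimmed else []
    return [lbl.encode() for lbl in reversed(labels)]


def wire_name(name):
    """Owner name in lowercase DNS wire format (length-prefixed labels, root = 0)."""
    out = b""
    for lbl in name.rstrip(".").lower().split("."):
        if lbl:
            out += bytes([len(lbl)]) + lbl.encode()
    return out + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed with the salt `iterations` more times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32hex characters, so no padding is produced
    encoded = base64.b32encode(digest).translate(bytes.maketrans(B32_STD, B32_HEX))
    return encoded.decode().lower()


def in_interval(owner, nxt, candidate):
    """True when candidate sorts strictly between owner and nxt. The last record in the
    chain points back to the zone apex, so the interval may wrap around."""
    if owner < nxt:
        return owner < candidate < nxt
    return candidate > owner or candidate < nxt


def nsec_covers(owner, next_name, qname):
    """Does the NSEC record `owner -> next_name` prove that qname does not exist?
    The proof exposes two real names, which is what makes plain NSEC walkable."""
    return in_interval(canonical_key(owner), canonical_key(next_name), canonical_key(qname))


def nsec3_covers(owner_hash, next_hash, qname, salt_hex, iterations):
    """Same proof with NSEC3: the interval lies between hashed names, so the response
    reveals hashes rather than the neighbouring names themselves."""
    return in_interval(owner_hash.lower(), next_hash.lower(), nsec3_hash(qname, salt_hex, iterations))
```

Comparing the two `*_covers` functions shows why NSEC3 raises the cost of walking: a resolver can still verify the proof, but the neighbours it learns are only hashes.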
DNSSEC Details
DNSSEC authenticates the origin of responses and the denial of existence of names in a zone. UltraDNS makes it easy to sign a zone and maintain the necessary keys and resource records, including the following:
- RRSIG: cryptographic signature of RR data
- DNSKEY (public keys)
  - ZSK (signs zone data)
  - KSK (signs the zone)
- DS (Delegation Signer): verifies trust; a secure pointer to a checksum of the KSK. Similar to an NS record, but instead of delegating authority, the DS record delegates trust.
- NSEC: authenticates denial of existence (NXDOMAIN).
All Advanced Features are supported by On the Fly signing.
DNSSEC Restrictions and Recommendations
UltraDNS has the following limitations and recommendations for zone signing:
- DNSSEC does not support Alias Zones.
- Every record in a DNSSEC-enabled zone is signed, so the response to a query for a record includes both the record and its RRSIG record; this increases the number of records returned per query.
- UltraDNS does not recommend setting TTLs for DNSSEC-enabled zones to less than 5 minutes (go to Accounts, and then click TTL Settings).
- UltraDNS queues changes to the zone; you must re-sign the zone to complete the changes (open the DNSSEC tab and click Re-sign).
If you are interested in using DNSSEC and do not see the DNSSEC tab when you open a domain, contact UltraDNS Support.
Signing a Zone
To sign a zone:
- Click the Domain Services tab and select the domain you want to sign.
- Click the DNSSEC tab.
- Under the Zone Status section, click the Sign button. UltraDNS queues the request and creates the RRSIG, DS, and DNSKEY records.
- Optionally, fill in the Change Comment field with a free-text explanation of the action taken. Change Comments are visible in the Audit Log.
Once the signing process is complete, the DNSSEC Policies, Key Signing Key (KSK), DS Resource Records, and Zone Signing Key (ZSK) sections will populate with details.
Re-Sign a Zone
Once a zone has been signed, any additional changes to the zone (i.e. new or updated records) require the zone to be re-signed. With the NSEC_ON_THE_FLY signing method, any change to a record or to the zone automatically triggers re-signing. If, however, you wish to re-sign your zone manually, click the RE-SIGN button.
Unsign a Zone
If you no longer want your zone signed, click the UNSIGN button. A confirmation screen appears with additional details, reminding you to verify your Delegation Signer (DS) records before confirming the process.
Click the Confirm button to complete the Unsign action for your zone. As a reminder, this process is irreversible: re-signing the zone in the future will require new Key Signing Keys and Zone Signing Keys.