Setting up multi-signer DNSSEC in NS1 Connect (API only)
Configure multi-signer DNSSEC to allow a zone to be managed by multiple DNS providers while maintaining DNSSEC validation.
Multi-signer DNSSEC allows a zone to be configured and managed by multiple DNS providers while having DNSSEC enabled. This configuration ensures that DNS resolvers can validate responses from any participating DNS provider. You use the API to configure multi-signer DNSSEC.
When DNSSEC online signing is enabled in IBM NS1 Connect, a DNSKEY record is automatically generated with a key signing key (KSK) and a zone signing key (ZSK) for each network. When you add external DNSKEY records, each record is added as a new answer.
Before you begin
Ensure that you have:
- DNS providers that support multi-signer DNSSEC with algorithm 13 (ECDSAP256SHA256). Other algorithm values can produce validation failures.
- DNSKEY records from your external DNS providers. For instructions on retrieving DNSKEY records, see your provider's documentation.
- A valid NS1 Connect API key with DNS-related write permissions.
- DNSSEC enabled on the zone; otherwise, the external DNSSEC key configuration is ignored.
Procedure
Step 1: Add external DNSKEY records
Add the DNSKEY records that you retrieved from external DNS providers. In NS1 Connect, each set of external DNSKEY records is represented as a dnskey object. The dnskey object contains:
- ttl: Time-to-live (in seconds) for the key set.
- data: An array of DNSKEY record objects. Each record includes the following parameters: flags, protocol, algorithm, and public_key.
For each external DNSKEY record, set flags to 256 (ZSK) or 257 (KSK), protocol to 3, and algorithm to 13. Specify public_key as a base64-encoded string.
Add one DNSKEY record set at a time. Each set typically corresponds to a single external DNS provider. To add a DNSKEY record set, submit a PUT request to:
/v1/zones/{zone_name}/dnssec/external_keys/{key_set_name}
For example,
curl -X PUT -H "X-NSONE-Key: $NSONE_API_KEY" https://api.nsone.net/v1/zones/example.com/dnssec/external_keys/second_provider -d '{
  "dnskey": {
    "ttl": 1200,
    "data": [
      {
        "flags": 256,
        "protocol": 3,
        "algorithm": 13,
        "public_key": "58MeBmjs+4Ry0L+DzBCKR8Y7iQnnj9mCJBvZU7uVRYJ8htKi03lKXs6YySLDSxUMk31TgWPclYc88Z2FUDuI2Q=="
      },
      {
        "flags": 257,
        "protocol": 3,
        "algorithm": 13,
        "public_key": "7LvMDsyZV9qy/vCzPuATbLPA5vqNmbHclp13zIDRQQiQNeBOcsS9WIaJmY+j2ZPEELz8RGq32y85K/YUgUMm2g=="
      }
    ]
  }
}'
You can add multiple DNSKEY record sets for a zone. You can group external DNSKEY records into sets as needed, such as by DNS provider. However, DNSKEY record responses return all keys in a flat list and do not reflect this grouping. To view configured key sets, submit a GET request to:
/v1/zones/{zone_name}/dnssec/external_keys
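Added example in Python (not IBM's or NS1 Connect's own code): it checks each external DNSKEY record against the constraints in Step 1 (flags 256 or 257, protocol 3, algorithm 13, and a base64 public key that decodes to the 64 bytes an ECDSAP256SHA256 key has) before it builds the dnskey object and sends the PUT shown above. The endpoint and X-NSONE-Key header are the ones the step documents; the sample keys are constructed placeholders, and api_key is assumed to hold your NS1 Connect API key.

```python
import base64
import json
import urllib.request

API_BASE = "https://api.nsone.net"
ALLOWED_FLAGS = {256, 257}   # 256 = ZSK, 257 = KSK
P256_KEY_LEN = 64            # raw X||Y of an ECDSAP256SHA256 public key (RFC 6605)

def record_problems(rec):
    """List what is wrong with one DNSKEY record dict (an empty list means it is OK)."""
    checks = [(rec.get("flags") in ALLOWED_FLAGS, "flags must be 256 (ZSK) or 257 (KSK)"),
              (rec.get("protocol") == 3, "protocol must be 3"),
              (rec.get("algorithm") == 13, "algorithm must be 13 (ECDSAP256SHA256)")]
    problems = [msg for ok, msg in checks if not ok]
    try:  # a pasted hex DS digest or a truncated key decodes fine, but not to 64 bytes
        raw = base64.b64decode(rec.get("public_key", ""), validate=True)
        if len(raw) != P256_KEY_LEN:
            problems.append(f"public_key decodes to {len(raw)} bytes, expected {P256_KEY_LEN}")
    except (ValueError, TypeError):
        problems.append("public_key is not valid base64")
    return problems

def key_set_problems(records):
    """Map record index -> problems, for every record in the set that fails a check."""
    return {i: p for i, p in enumerate(map(record_problems, records)) if p}

def build_key_set(records, ttl=1200):
    """Build the dnskey object for one external provider; refuse to build a bad set."""
    if key_set_problems(records):
        raise ValueError(f"invalid DNSKEY records: {key_set_problems(records)}")
    fields = ("flags", "protocol", "algorithm", "public_key")
    return {"dnskey": {"ttl": ttl, "data": [{k: r[k] for k in fields} for r in records]}}

def put_key_set(zone, key_set_name, payload, api_key):
    """PUT one key set to NS1 Connect and return the decoded JSON response."""
    url = f"{API_BASE}/v1/zones/{zone}/dnssec/external_keys/{key_set_name}"
    req = urllib.request.Request(url, method="PUT", data=json.dumps(payload).encode(),
                                 headers={"X-NSONE-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

# Constructed placeholder keys (not real provider keys), 64 bytes each as algorithm 13 requires.
SAMPLE_ZSK = {"flags": 256, "protocol": 3, "algorithm": 13,
              "public_key": base64.b64encode(bytes(range(64))).decode()}
SAMPLE_KSK = {"flags": 257, "protocol": 3, "algorithm": 13,
              "public_key": base64.b64encode(bytes(range(64, 128))).decode()}

if __name__ == "__main__":
    print(json.dumps(build_key_set([SAMPLE_ZSK, SAMPLE_KSK]), indent=2))
    # put_key_set("example.com", "second_provider", build_key_set([SAMPLE_ZSK, SAMPLE_KSK]), "<key>")
```

Run it once without the PUT to review the payload, then uncomment the put_key_set call with your zone, key set name and API key.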
Step 2: Retrieve the NS1 Connect DNSKEY records
Retrieve the DNSKEY records that are managed by NS1 Connect. You need these records to configure your external DNS providers.
- Submit a GET request to /v1/zones/{zone_name}/dnssec.
- In the API response, copy and save all the keys in the managed_keys field.
Step 3: Add the NS1 Connect DNSKEY records to external DNS providers
Add the NS1 Connect DNSKEY records to each external DNS provider. For instructions, see your provider's documentation.
Step 4: Validate the DNSKEY records
Validate the DNSKEY records for each DNS provider.
- Run the following command for each provider: dig @<authoritative_dns_server> <zone_name> DNSKEY. To improve readability, use the +multi flag: dig @<authoritative_dns_server> <zone_name> DNSKEY +multi.
- In the answer, copy and save the DNSKEY values for the zone: flags, protocol, algorithm, public_key.
- Compare the DNSKEY values across all participating DNS providers to ensure that they are consistent and complete.
Step 5: Update DS records
- If you are adding a DNS provider to a DNSSEC-enabled zone, update the DS records first, and then update the NS records.
Note: Wait at least the DS record TTL before you update the NS records to avoid DNSSEC validation failures.
- If your zone is already managed by multiple DNS providers but you enabled DNSSEC for the first time, update the DS records only.
To update DS records for the zone, create a DS record for each provider with the required DNSSEC values: key tag, algorithm, digest type, and digest.
How you update the DS records depends on where the parent zone is managed.
If the parent zone is managed by a domain registrar:
- Submit the DNSSEC details for each provider to your domain registrar. The updated DS records are then published in the top-level domain (TLD).
- After updating the DS records at the domain registrar, DNS resolvers can successfully validate responses from all participating DNS providers.
If the zone is subdelegated:
- In NS1 Connect and your other providers, create or update DS records with the DNSSEC values.
Retrieve DS and KSK values
This is optional. Some registrars require both KSK and DS values when you submit DS records. Retrieve these values from NS1 Connect by submitting a GET request to:
/v1/zones/{zone_name}/dnssec
Copy the required values from the delegation field in the response.
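Worked example for the validation step (Step 4) and the DS values needed in this step, added here and not part of IBM's or NS1 Connect's own tooling: it parses the DNSKEY answers from dig (plain or +multi form), reports which keys each provider fails to serve, and derives the key tag and SHA-256 DS digest for a KSK from its DNSKEY fields. The dig answers, provider names and short keys are constructed placeholders; real algorithm 13 keys are 64 bytes.

```python
import base64
import hashlib
import re

def parse_dnskeys(dig_text):
    """DNSKEY RRs in dig output (plain or +multi) -> set of (flags, protocol, algorithm, key_b64)."""
    text = re.sub(r";[^\n]*", "", dig_text)                                      # drop dig comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # fold +multi ( ... )
    keys = set()
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 8 and fields[3] == "DNSKEY":
            keys.add((int(fields[4]), int(fields[5]), int(fields[6]), "".join(fields[7:])))
    return keys

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B; it is the first field of the DS record."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, key_b64)))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_values(owner, flags, protocol, algorithm, key_b64):
    """DS fields for a KSK: key tag, algorithm, digest type 2, SHA-256 digest (RFC 4034 section 5.1.4)."""
    labels = owner.rstrip(".").lower().split(".")              # canonical (lower-case) wire-format owner
    wire_name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha256(wire_name + dnskey_rdata(flags, protocol, algorithm, key_b64)).hexdigest()
    return {"key_tag": key_tag(flags, protocol, algorithm, key_b64), "algorithm": algorithm,
            "digest_type": 2, "digest": digest.upper()}

def compare_providers(answers):
    """answers: {provider: dig text} -> (every key seen, {provider: keys that provider does not serve})."""
    sets = {name: parse_dnskeys(text) for name, text in answers.items()}
    seen = set().union(*sets.values())
    return seen, {name: sorted(seen - s) for name, s in sets.items() if seen - s}

# Constructed dig answers with short placeholder keys (real algorithm 13 keys are 64 bytes).
PROVIDER_A = """\
example.com.\t\t1200\tIN\tDNSKEY\t257 3 13 (
\t\t\t\tAQID
\t\t\t\tBA==
\t\t\t\t) ; KSK; alg = ECDSAP256SHA256 ; key id = 2068
example.com.\t\t1200\tIN\tDNSKEY\t256 3 13 BQYHCA== ; ZSK
"""
PROVIDER_B = "example.com.\t1200\tIN\tDNSKEY\t257 3 13 AQIDBA==\n"   # this provider lacks the ZSK
if __name__ == "__main__":
    seen, missing = compare_providers({"provider-a": PROVIDER_A, "provider-b": PROVIDER_B})
    print("missing per provider:", missing)
    print("DS for the KSK:", ds_values("example.com.", 257, 3, 13, "AQIDBA=="))
```

Feed it the saved dig output of each participating provider; an empty "missing" map means every provider serves the complete, identical DNSKEY set, and ds_values gives the key tag and digest to submit for each KSK.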
Step 6: Update NS records
Update NS records for the zone to include all DNS providers that are participating in the multi-signer setup. How you update NS records depends on your zone configuration.
If the parent zone is managed by a domain registrar:
- Update the NS records at your domain registrar to include all authoritative DNS providers.
If the zone is subdelegated:
- In NS1 Connect and your other providers, update the DS records in both the child zone and the parent zone.
After you complete these steps:
- All DNS providers serve an identical set of DNSKEY records for the zone.
- The parent zone or domain registrar contains DS records for all KSKs, and NS records are updated and consistent across the parent and child zones.
- DNS resolvers can validate responses from any participating DNS provider while DNSSEC validation is maintained.
Regularly review the DNSSEC keys for each external DNS provider in your multi-signer configuration and update the configured key sets when a provider rolls its keys. Providers can roll their KSKs, ZSKs, or both without coordination from NS1 Connect. If you do not keep the external DNSKEY record sets current, DNSSEC validation can fail for the zone.