Multi-signer DNSSEC
Multi-signer DNSSEC allows a zone to be served by multiple authoritative DNS providers with DNSSEC signing enabled. Organizations use this setup to support redundancy and implement advanced traffic management across providers.
Multi-signer DNSSEC consists of two operating models. IBM® NS1 Connect® supports model 2 where each DNS provider uses a unique zone signing key (ZSK) and key signing key (KSK). For more information about multi-signer models, see RFC 8901.
Key concepts
Understanding the following concepts helps when you configure multi-signer DNSSEC:
- DNSKEY record: Stores DNSSEC public keys for a zone.
- DNSKEY record set: The complete set of public keys (KSK and all ZSKs) served by a DNS provider.
- Key-signing key (KSK): Signs the DNSKEY record set.
- Zone-signing keys (ZSKs): Sign all the other DNS records within the zone.
- Delegation signer (DS) record: Stored in the parent zone and used to establish trust from the parent zone to the child zone's KSK.
For more information about the different types of DNS records, see Types of DNS records.
How multi-signer DNSSEC works
Multi-signer DNSSEC requires all DNS providers managing a zone to serve an identical DNSKEY record set. This DNSKEY record set includes the public keys used by every provider for that zone. This enables DNS resolvers to validate responses from any provider during query resolution.
- You must add all providers' DNSKEY records to each participating provider to ensure that every provider serves the complete DNSKEY record set for the zone.
- You must configure the DS record in the parent zone for each KSK used by each participating provider. For second-level domains, configure the DS records through the domain registrar interface.
- If DNSSEC signers rotate their signing keys regularly, you must update the corresponding DNSKEY and DS records.
After you establish a shared DNSKEY record set across all providers and configure the corresponding DS records, each provider can perform DNSSEC signing independently. DNS resolvers can then validate responses regardless of which provider responds to the query.
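The following script, added here as an illustration and not part of NS1 Connect or its API, works through the requirements above on constructed data: it merges each provider's DNSKEY records into the single record set every provider must serve, reports which records a given provider is still missing, derives the DS record (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) for every KSK, and reports which DS records the parent zone still lacks. The provider names, the zone example.com and the public key material are all made up for the example; the "keys" are arbitrary bytes, not real ECDSA keys, so the computed digests are only meaningful as a demonstration of the procedure.

```python
import base64
import hashlib

# A DNSKEY record is modelled as (flags, protocol, algorithm, base64 public key).
# Flags 257 = ZONE + SEP bit, i.e. a KSK; flags 256 = ZONE only, i.e. a ZSK.

def dnskey_rdata(key):
    """Wire-format RDATA of a DNSKEY record (RFC 4034 section 2.1)."""
    flags, protocol, algorithm, pubkey_b64 = key
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))

def key_tag(key):
    """Key tag as defined in RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, byte in enumerate(dnskey_rdata(key)):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(zone):
    """Canonical (lowercase) wire-format owner name used as DS digest input."""
    out = b""
    for label in zone.rstrip(".").split("."):
        out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"

def ds_record(zone, key):
    """DS RDATA (key tag, algorithm, digest type, digest) with SHA-256, RFC 4509."""
    digest = hashlib.sha256(owner_wire(zone) + dnskey_rdata(key)).hexdigest().upper()
    return (key_tag(key), key[2], 2, digest)

def is_ksk(key):
    """A key with the SEP bit set is treated as a KSK and needs a DS record."""
    return key[0] & 1 == 1

def merged_dnskey_rrset(provider_keys):
    """The DNSKEY record set every provider must serve: the union of all providers' keys."""
    merged = set()
    for keys in provider_keys.values():
        merged.update(keys)
    return merged

def missing_dnskeys(served, provider_keys):
    """DNSKEY records a provider still has to add to match the merged set."""
    return merged_dnskey_rrset(provider_keys) - set(served)

def required_ds_records(zone, provider_keys):
    """One DS record per KSK across all providers, to be published in the parent zone."""
    return {ds_record(zone, k) for k in merged_dnskey_rrset(provider_keys) if is_ksk(k)}

def missing_ds_records(zone, parent_ds, provider_keys):
    """DS records the parent zone lacks for KSKs that are in use."""
    return required_ds_records(zone, provider_keys) - set(parent_ds)

# Constructed sample data (hypothetical providers; key bytes are not real keys).
ZONE = "example.com."
PROVIDER_KEYS = {
    "provider-a": [(257, 3, 13, "AQIDBA=="), (256, 3, 13, "BQYHCA==")],
    "provider-b": [(257, 3, 13, "CQoLDA=="), (256, 3, 13, "DQ4PEA==")],
}

if __name__ == "__main__":
    # Before synchronisation each provider serves only its own keys.
    for name, keys in PROVIDER_KEYS.items():
        for key in sorted(missing_dnskeys(keys, PROVIDER_KEYS)):
            print(f"{name} must add DNSKEY key tag {key_tag(key)} (flags {key[0]})")
    # The parent zone currently holds only provider A's DS record.
    parent_ds = [ds_record(ZONE, PROVIDER_KEYS["provider-a"][0])]
    for tag, alg, dtype, digest in sorted(missing_ds_records(ZONE, parent_ds, PROVIDER_KEYS)):
        print(f"{ZONE} IN DS {tag} {alg} {dtype} {digest}")
```

Run against real records, the same checks would be driven by the DNSKEY responses of each provider's nameservers and the DS set returned by the parent; the script keeps that data inline so it runs offline. The key-rotation point above follows directly from it: whenever any provider's KSK changes, `required_ds_records` changes, and whenever any key changes, `merged_dnskey_rrset` changes for every provider.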
Multi-signer DNSSEC with NS1 Connect
- Add external DNSSEC public keys (DNSKEY records) to NS1 Connect to include the signing keys used by other DNS providers.
- Retrieve NS1 Connect managed DNSSEC records for use with other DNS providers.
This ensures that NS1 Connect can operate as one of multiple signing authoritative providers for a zone while DNSSEC is enabled.
Getting started
To set up multi-signer DNSSEC in NS1 Connect, see Configuring external DNSSEC keys (API only).
After you have added all external DNSSEC keys for a zone in NS1 Connect, repeat the process on every authoritative DNS provider serving that zone. Refer to each provider’s documentation to complete the configuration.