Configuring external DNSSEC keys (API only)
Use IBM® NS1 Connect® to configure external DNSSEC public keys (DNSKEY records) to use advanced features with DNSSEC and multiple DNS vendors.
For organizations with multiple DNS providers, implementing DNSSEC can be a significant challenge. Often, different DNS providers support specific behavior, such as custom DNS responses that cannot be pre-assigned or provider-specific methods to implement DNSSEC signing based on their approach to traffic management.
Using the NS1 Connect API, you can add multiple external DNSSEC key sets to the zone that uses DNSKEY records. For example, you might create one DNSSEC key set for each DNS provider that is not IBM NS1 Connect that serves the zone.
When you enable DNSSEC online signing for an NS1 Connect zone, a DNSKEY record is automatically generated with a key-signing key (KSK) and a zone-signing key (ZSK) for each network to which the zone is published. As you add external DNSSEC key sets by using the API, each DNSSEC key is added to the DNSKEY record as a new answer.
To view the external DNSSEC key sets that are configured for a zone, send a GET request against /v1/zones/{zone_name}/dnssec/external_keys.
Before you begin
- You must have a valid NS1 Connect API key with DNS-related write permissions.
- Enable DNSSEC on the zone; otherwise, the external DNSSEC key configuration is ignored.
The dnskey object
Using the API, you can add one or more external DNSSEC keys as a dnskey object, which contains details of one or more public keys in DNSKEY format. Include this object in the request body for PUT and POST methods to create or modify the DNSSEC key sets.
While you can have multiple sets of external DNSSEC keys within a zone, you must create one set at a time. For example, you can create one DNSSEC key set corresponding to each provider that is not NS1 Connect, specifying one or multiple keys that are used by that provider to sign zone data. The way you group external DNSSEC keys into sets is up to you.
The following example demonstrates the dnskey object that must be included in the request body when you create or modify a set of DNSSEC keys.
```json
{
  "dnskey": {
    "ttl": 1200,
    "data": [
      {
        "flags": 256,
        "protocol": 3,
        "algorithm": 13,
        "public_key": "58MeBmjs+4Ry0L+DzBCKR8Y7iQnnj9mCJBvZU7uVRYJ8htKi03lKXs6YySLDSxUMk31TgWPclYc88Z2FUDuI2Q=="
      },
      {
        "flags": 257,
        "protocol": 3,
        "algorithm": 13,
        "public_key": "7LvMDsyZV9qy/vCzPuATbLPA5vqNmbHclp13zIDRQQiQNeBOcsS9WIaJmY+j2ZPEELz8RGq32y85K/YUgUMm2g=="
      }
    ]
  }
}
```
Within the dnskey object, you can specify a time-to-live (ttl) value (in seconds) for the key set. The data array contains one or more objects where each object in the array corresponds to one DNSSEC key. For each DNSSEC key, you must include the following parameters:
| Parameter | Description |
|---|---|
| flags (integer) | The DNSSEC key type. NS1 Connect supports two values: 256 (for ZSK) and 257 (for KSK). |
| protocol (integer) | Set this value to 3 to indicate a DNSSEC key. |
| algorithm (integer) | A 16-bit unsigned integer that indicates the DNSSEC key algorithm. NS1 Connect supports a value of 13 (ECDSA-P256-SHA256). Note: Specifying an algorithm other than 13 is discretionary and can cause validation failures in certain scenarios. |
| public_key (string) | Public key in Base64 encoding. |
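As an added example (not NS1 Connect code), the following Python checks a dnskey request body against the parameter rules above before it is sent, and computes the RFC 4034 key tag of each key so that you can match a submitted key to the answer that later appears in the zone's DNSKEY record. It assumes an algorithm 13 public key decodes to the raw 64-byte P-256 point and checks the algorithm field against the 8-bit DNSKEY wire range; the sample body is the one shown on this page.

```python
import base64

ROLES = {256: "ZSK", 257: "KSK"}

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def check_key(key: dict) -> list:
    """Problems with one entry of the data array; non-fatal ones start with 'warning:'."""
    problems = []
    if key.get("flags") not in ROLES:
        problems.append("flags must be 256 (ZSK) or 257 (KSK)")
    if key.get("protocol") != 3:
        problems.append("protocol must be 3")
    alg = key.get("algorithm")
    if not isinstance(alg, int) or not 0 <= alg <= 255:
        problems.append("algorithm must be an integer 0-255 (DNSKEY wire format)")
    elif alg != 13:
        problems.append("warning: an algorithm other than 13 can cause validation failures")
    try:
        raw = base64.b64decode(key.get("public_key", ""), validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return problems + ["public_key is not valid Base64"]
    if alg == 13 and len(raw) != 64:  # ECDSA P-256: raw 32-byte X and Y coordinates
        problems.append(f"algorithm 13 public_key must decode to 64 bytes, got {len(raw)}")
    return problems

def summarize(body: dict) -> list:
    """Role, key tag and problems for every key in a request body's dnskey object."""
    out = []
    for key in body["dnskey"]["data"]:
        problems = check_key(key)
        tag = None
        if all(p.startswith("warning:") for p in problems):  # no hard errors
            raw = base64.b64decode(key["public_key"], validate=True)
            tag = key_tag(key["flags"], key["protocol"], key["algorithm"], raw)
        out.append({"role": ROLES.get(key.get("flags"), "?"), "key_tag": tag, "problems": problems})
    return out

# Sample input: the request body shown on this page (two example keys, ZSK then KSK).
PAGE_BODY = {"dnskey": {"ttl": 1200, "data": [
    {"flags": 256, "protocol": 3, "algorithm": 13, "public_key": "58MeBmjs+4Ry0L+DzBCKR8Y7iQnnj9mCJBvZU7uVRYJ8htKi03lKXs6YySLDSxUMk31TgWPclYc88Z2FUDuI2Q=="},
    {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": "7LvMDsyZV9qy/vCzPuATbLPA5vqNmbHclp13zIDRQQiQNeBOcsS9WIaJmY+j2ZPEELz8RGq32y85K/YUgUMm2g=="},
]}}
```

Run summarize(PAGE_BODY) and submit the body with the curl commands below only when every entry reports an empty problems list; the key tag of the KSK entry is what you compare against the DS record at the parent.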
Creating external DNSSEC key sets
Using the API, you can create one or more DNSSEC key sets within a zone. For example, you can create one key set for each DNS provider. In addition to including the dnskey object in the request body, you must also specify the following URL path parameters:
| Parameter | Description |
|---|---|
| {zone_name} (string) | The name of the zone to which the external DNSSEC key set belongs. |
| {key_set_name} (string) | The name of the DNSSEC key set. Each key set within a zone must have a unique name. |
The following example PUT request creates a new DNSSEC key set with two DNSSEC keys (that is, two objects within the data array).
```bash
curl -X PUT -H "X-NSONE-Key: $NSONE_API_KEY" https://api.nsone.net/v1/zones/{zone_name}/dnssec/external_keys/{key_set_name} -d '{
  "dnskey": {
    "ttl": 1200,
    "data": [
      {
        "flags": 256,
        "protocol": 3,
        "algorithm": 13,
        "public_key": "58MeBmjs+4Ry0L+DzBCKR8Y7iQnnj9mCJBvZU7uVRYJ8htKi03lKXs6YySLDSxUMk31TgWPclYc88Z2FUDuI2Q=="
      },
      {
        "flags": 257,
        "protocol": 3,
        "algorithm": 13,
        "public_key": "7LvMDsyZV9qy/vCzPuATbLPA5vqNmbHclp13zIDRQQiQNeBOcsS9WIaJmY+j2ZPEELz8RGq32y85K/YUgUMm2g=="
      }
    ]
  }
}'
```
After you configure the DNSSEC key set on the NS1 Connect platform, you might need to repeat this process within your other DNS provider platforms.
View external DNSSEC key set details
You can view details for all DNSSEC key sets within a zone, or include {key_set_name} in the URL path to filter the response to the details of an individual key set.
```bash
curl -X GET -H "X-NSONE-Key: $NSONE_API_KEY" https://api.nsone.net/v1/zones/{zone_name}/dnssec/external_keys/{key_set_name}
```
Modify external DNSSEC key sets
Using the NS1 Connect API, you can edit external DNSSEC key set data by adding, removing, or updating keys within that set. Specify the zone name and the name of the DNSSEC key set in the URL path. You cannot rename an existing DNSSEC key set.
The following example POST request modifies the existing DNSSEC key set data within a zone.
```bash
curl -X POST -H "X-NSONE-Key: $NSONE_API_KEY" https://api.nsone.net/v1/zones/{zone_name}/dnssec/external_keys/{key_set_name} -d '{
  "dnskey": {
    "ttl": 1200,
    "data": [
      {
        "flags": 256,
        "protocol": 3,
        "algorithm": 13,
        "public_key": "58MeBmjs+4Ry0L+DzBCKR8Y7iQnnj9mCJBvZU7uVRYJ8htKi03lKXs6YySLDSxUMk31TgWPclYc88Z2FUDuI2Q=="
      },
      {
        "flags": 257,
        "protocol": 3,
        "algorithm": 13,
        "public_key": "7LvMDsyZV9qy/vCzPuATbLPA5vqNmbHclp13zIDRQQiQNeBOcsS9WIaJmY+j2ZPEELz8RGq32y85K/YUgUMm2g=="
      }
    ]
  }
}'
```
Changes to the external DNSSEC keys are reflected immediately.
Delete an external DNSSEC key set
To remove an external DNSSEC key set, specify the zone name and the DNSSEC key set name in the URL path.
Because a key set cannot be renamed, to rename one you create a new key set (by using a PUT request) with the new name and then delete the old key set.
```bash
curl -X DELETE -H "X-NSONE-Key: $NSONE_API_KEY" https://api.nsone.net/v1/zones/{zone_name}/dnssec/external_keys/{key_set_name}
```