Enabling DNSSEC on a subdelegation

Typically, a DNS zone represents an entire domain and contains one or more A, AAAA, and/or CNAME records for each subdomain. In some cases, you might need to delegate responsibility for a segment of the DNS namespace to someone else, for example, if a segment of a domain (for example, help.example.com) is managed by a different DNS provider than the rest of the domain (for example, example.com). In this case, you can create a separate zone file for the subdomain and update the nameserver (NS) records within the parent zone to point to the subdomain’s nameserver(s).

You can configure DNSSEC online signing for a parent zone and a subdelegation (sometimes referred to as a child zone) by enabling DNSSEC on both zones, adding a DS record to the parent zone containing the child zone’s DNSSEC data, and then adding the DNSSEC details for the parent zone to the domain registrar.

Attention: Test the DNSSEC configuration on a designated test zone before configuring it on production zones. Note that, until you add the DS record to the parent zone, incoming queries to the subdelegated or child zone records will receive an NXDOMAIN response.

Instructions

Note: The following instructions assume both the parent and child zones are hosted on IBM® NS1 Connect®. If the parent or subdelegated or child zone is hosted by another DNS provider, then instructions might vary.
Step 1: Configure the parent zone and subdelegated or child zone

If you haven’t already done so, create the parent zone representing your overarching domain and a child zone or subdelegation representing a segment of that domain. Often, these zones are hosted by two different DNS providers so the specific instructions might vary.

  1. Create the parent zone. This must be a primary (or non-secondary) zone. Refer to Creating a primary zone for instructions.
  2. Create the subdelegation or child zone. Refer to Subdelegations and child zones for details.
  3. If you haven't already, add a new NS record to the parent zone matching the NS record found in the subdelegated/child zone.
    Attention: Do not remove any existing NS records in the parent zone.
Step 2: Enable DNSSEC on the parent zone

Refer to Enabling DNSSEC for a primary zone for instructions. If the parent zone is not hosted by NS1 Connect, refer to the respective provider’s instructions for enabling DNSSEC.

Zones with DNSSEC online signing appear in the zone list with the shield icon.



Attention: Once you enable DNSSEC on the parent zone, you must update the domain registrar with the DNSSEC-related data provided by NS1 Connect — including the key tag, algorithm, flags, digest, digest type, and public key.
Step 3: Enable DNSSEC on the subdelegated/child zone

Complete the following instructions to enable DNSSEC online signing for the child zone hosted on NS1 Connect. Note that these instructions are nearly identical to the instructions for updating a primary zone, except that, in the final step, you will apply the DNSSEC data for the subdelegation to the parent zone instead of updating the domain registrar.

Note: If the subdelegation or child zone is not hosted by NS1 Connect, refer to the provider’s instructions for enabling DNSSEC.
  1. Click DNS > Zones.
  2. Click the name of the child zone to drill down into zone details.

  3. Click the Zone settings tab.

  4. Scroll to the bottom of the page to the DNSSEC section, and then select the Enable DNSSEC checkbox.

  5. Click Save changes.
  6. A new button appears beneath the Enable DNSSEC option. Click View Detailed Instructions.

  7. Record the DNSSEC details shown, including the key tag, algorithm, digest type, digest, flags, and public key.

    You will populate the DS record in the parent zone with these details in the next step.

  8. Click Done.

Unlike the parent zone, the subdelegated/child zone delegation information is not transferred to the registrar. Instead, this information is copied to the parent zone within a DS record (see next step), which is then propagated to all systems.

Once enabled, the NS1 Connect platform autogenerates a DNSKEY record within the subdelegated or child zone.



Attention: DNSSEC-enabled resolvers don't validate the responses until the DS record is configured.
Step 4: Add a DS record to the parent zone

Next, you must establish a DNSSEC trust between the parent and child zone by creating a DS record within the parent zone that contains the DNSSEC-related data for the child zone.

  1. Click DNS > Zones.
  2. Click the name of the parent zone (for example, domain.edu) to drill down into zone details.

  3. Click the + (add) button to create a new record. The Add Record window opens.
  4. Under Record type, select DS from the list.

  5. In the name field, enter the subdomain prefix corresponding to the subdelegated/child zone (for example, sub.domain.edu).
  6. Under Answers, complete each form field with the subdelegated/child zone's DNSSEC configuration details (recorded in Step 3), including the key tag, algorithm, digest type, and digest data.
  7. Click Save record.
Step 5: Validate the configuration

Once the updates propagate, validate the configuration using a public DNSSEC authentication tool, such as https://dnssec-debugger.verisignlabs.com/. If the configuration is successful, an array of green check marks appear, indicating no errors.