FAQs: DNSSEC

Refer to the frequently asked questions below related to DNSSEC online signing for zones on the IBM® NS1 Connect® platform.

How long does it take to enable DNSSEC on a zone?
Enabling DNSSEC on a zone is an instant operation. The IBM NS1 Connect® portal employs DNSSEC online signing to sign the DNS responses. When you successfully enable DNSSEC on a primary zone in IBM NS1 Connect®, that zone displays in your zones list with a shield-and-checkmark icon.

How often are zone-signing keys (ZSK) and key-signing keys (KSK) rolled?
Currently, the ZSK and KSK are not rolled on a schedule. NS1 signs with the ECDSA P-256 algorithm, which is considered safe now and for the foreseeable future. In an emergency, NS1 can roll the ZSK transparently. A KSK roll cannot be transparent, because the new key must be reflected in the DS record held by the parent zone, so NS1 would coordinate with the customer if a KSK roll were needed.

Can I upload custom keys to NS1 and the registrar?
No, you cannot upload a custom DNSSEC signing key.

Do delegation signer (DS) records expire?
DS records are published in the parent zone and returned as part of the delegation response. The records themselves have no explicit expiration, but they carry an associated signature that does expire. Because the records live in the parent zone, their signatures are maintained and refreshed by the operator of the parent zone, in most cases the TLD registry.
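As an added example (not NS1's code or tooling), the following Python derives the DS record from a zone's KSK DNSKEY RDATA as RFC 4034 specifies, so the DS record handed to (or published by) the registrar can be checked against the DNSKEY the zone actually serves. The 64-byte public key is a constructed placeholder rather than a real key; algorithm 13 (ECDSA P-256) and digest type 2 (SHA-256) correspond to what this page describes.

```python
import hashlib
import struct

# RFC 4034 constants for the records this FAQ discusses
DNSKEY_FLAGS_KSK = 257     # ZONE (256) + SEP (1): a key-signing key
DNSKEY_PROTOCOL = 3        # always 3 for DNSSEC
ALG_ECDSAP256SHA256 = 13   # ECDSA P-256 / SHA-256, the algorithm NS1 signs with
DS_DIGEST_SHA256 = 2       # DS digest type 2 = SHA-256

# Constructed 64-byte placeholder standing in for an ECDSA P-256 public key
# (X || Y); NOT a real key, it only exercises the encoding and digest steps.
PLACEHOLDER_PUBKEY = bytes(range(1, 65))

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> str:
    """DS RR the parent zone publishes for this DNSKEY. The digest covers
    owner-name wire form || DNSKEY RDATA, so the zone name is bound in."""
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {DS_DIGEST_SHA256} {digest}"

def ds_matches(published_ds: str, owner: str, rdata: bytes) -> bool:
    """Compare a DS line (e.g. copied from the registrar) with the served DNSKEY."""
    want = ds_record(owner, rdata).split()[3:]   # key tag, algorithm, digest type, digest
    have = [f.upper() for f in published_ds.split()[3:]]
    return have == want

KSK_RDATA = dnskey_rdata(DNSKEY_FLAGS_KSK, DNSKEY_PROTOCOL, ALG_ECDSAP256SHA256, PLACEHOLDER_PUBKEY)

if __name__ == "__main__":
    print(ds_record("example.com", KSK_RDATA))
```

Because the owner name is part of the digest, the same KSK under a different zone name yields a different DS, which is why a DS copied between zones never validates.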

Is it safe to modify zone configuration concerning DNSSEC?
Until the zone is securely delegated at the registrar (that is, until the DS record is published), DNS resolvers do not expect the zone to be signed. Until then it is therefore safe to modify any DNSSEC-related zone configuration and to test.

Before providing the DS record to the registrar, make sure DNSSEC has been enabled long enough for all resolvers to have expired any records they cached for the zone before DNSSEC was enabled. The SOA record's minimum-TTL value specifies the required time in seconds (see nx_ttl for the zone in the NS1 API).

After the DS record has been published in the delegation, avoid disabling DNSSEC on the zone: validating resolvers will still expect signed responses, and unsigned ones will fail DNSSEC validation.

Can the IBM NS1 Connect® platform serve a zone that has been DNSSEC-signed by myself or another provider?
Pre-signed zones are supported as secondary zones. DNSSEC is supported on zone transfers from a primary zone hosted elsewhere to a secondary zone hosted by NS1, where the transferred zone uses NSEC or NSEC3 records for authenticated denial of existence. Contact the customer support team if you have questions or need assistance.