FAQ: DNSSEC

Refer to the frequently asked questions below related to DNSSEC online signing for zones on the IBM® NS1 Connect® platform.

How long does it take to enable DNSSEC on a zone?
Enabling DNSSEC on a zone takes effect immediately. NS1 Connect uses DNSSEC online signing: RRSIG records are generated when a response is built rather than by pre-signing the zone, so there is no bulk signing job to wait for. When you successfully enable DNSSEC on a primary zone in NS1 Connect, that zone displays in your zones list with a shield-and-checkmark icon.

How often are zone-signing keys (ZSK) and key-signing keys (KSK) rolled?
Currently, the ZSK and KSK are not rolled on a schedule. NS1 Connect signs with ECDSA P-256 (DNSSEC algorithm 13, ECDSAP256SHA256), which is considered safe now and for the foreseeable future. In an emergency, NS1 Connect can roll the ZSK transparently, because a ZSK roll only changes DNSKEY and RRSIG records inside the zone. A KSK roll cannot be transparent: a new KSK means a new DS record that must be published in the parent zone through the registrar, which is under the customer's control, so NS1 Connect would coordinate with the customer if a KSK roll were needed.

Can I upload custom keys to NS1 Connect and the registrar?
No, you cannot upload a custom DNSSEC signing key.

Do delegation signer (DS) records expire?
DS records are published in the parent zone and returned as part of the delegation (the referral to the child zone). They have no explicit expiration, but they are only usable with a covering RRSIG, and that signature has an expiration time. Because the records live in the parent zone, the signatures are generated and refreshed by the parent zone's operator, which for most domains is the TLD registry; NS1 Connect does not sign them. The DS content itself only needs to change when the KSK changes.

Is it safe to modify zone configuration concerning DNSSEC?
Until the zone is securely delegated at the registrar (that is, until a DS record is published in the parent zone), validating resolvers treat the zone as insecure and do not expect signatures, so it is safe to modify any DNSSEC-related zone configuration and conduct testing.

Before providing the DS record to the registrar, make sure DNSSEC has been enabled long enough for all resolvers to expire any records for the zone that they cached before DNSSEC was enabled. The SOA minimum-TTL value (nx_ttl for the zone in the NS1 Connect API) gives the negative-caching time in seconds; as a conservative check, wait at least the larger of that value and the longest TTL of any record in the zone, because a validating resolver that learns of the DS while still holding an unsigned cached answer for the zone may fail validation for it.

After the DS record is published in the delegation, do not simply disable DNSSEC on the zone: validating resolvers still see the DS in the parent, expect signed responses, and return SERVFAIL for the zone. If you must turn signing off, first remove the DS record at the registrar, wait for the DS record's TTL to expire from resolver caches, and only then disable DNSSEC.
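As an added example (not NS1 Connect code or tooling), the following Python script performs the pre-flight checks implied by the DS and "is it safe to modify" answers above, before a DS record is handed to the registrar. It parses dig-style presentation-format records and reports RRsets with no covering RRSIG, RRSIGs outside their validity window (the DS-signature expiry discussed above), signatures not using algorithm 13, and the wait time derived from the longest TTL and the SOA minimum. The record text, names, key tags and timestamps are constructed samples; the signature fields are placeholders, so the script checks signing metadata and TTLs, not cryptographic validity.

```python
"""Pre-flight checks before handing a DS record to the registrar.

Added example, not NS1 Connect code. Input is dig-style presentation format
(owner TTL class type rdata...). All sample records, names, key tags and
timestamps below are constructed; signatures are placeholders, so this
checks signing metadata and TTLs, not cryptographic validity.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

ECDSAP256SHA256 = 13  # DNSSEC algorithm number for ECDSA P-256/SHA-256 (RFC 6605)

# Constructed answer for the zone apex and one name; www has no RRSIG (a gap
# this check should catch) and carries the longest TTL in the zone.
SAMPLE_ZONE = """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024050101 7200 900 1209600 300
example.com. 3600 IN RRSIG SOA 13 2 3600 20240615000000 20240515000000 12345 example.com. MEUCIQ==
example.com. 300 IN A 192.0.2.10
example.com. 300 IN RRSIG A 13 2 300 20240615000000 20240515000000 12345 example.com. MEUCIQ==
www.example.com. 86400 IN CNAME example.com.
"""

# Constructed DS RRset as the parent (the registry) would publish it, whose
# RRSIG expired before the evaluation time NOW.
SAMPLE_DS = """
example.com. 86400 IN DS 12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
example.com. 86400 IN RRSIG DS 13 2 86400 20240501000000 20240401000000 54321 com. MEUCIQ==
"""

NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)  # constructed evaluation time


@dataclass
class Record:
    owner: str
    ttl: int
    rtype: str
    rdata: list


@dataclass
class Report:
    unsigned: list = field(default_factory=list)       # (owner, type) with no RRSIG
    expired: list = field(default_factory=list)        # RRSIG expiration already past
    not_yet_valid: list = field(default_factory=list)  # RRSIG inception in the future
    wrong_algorithm: list = field(default_factory=list)
    wait_seconds: int = 0  # longest TTL or SOA minimum, whichever is larger

    def ok(self):
        return not (self.unsigned or self.expired or self.not_yet_valid
                    or self.wrong_algorithm)


def parse_records(text):
    """Parse presentation-format lines; blank lines are ignored."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        owner, ttl, rclass, rtype, *rdata = parts
        if rclass.upper() != "IN":
            raise ValueError(f"unsupported class in: {line}")
        records.append(Record(owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def _sig_time(s):
    """RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_records(text, now, expected_alg=ECDSAP256SHA256):
    """Return a Report for the RRsets in text, evaluated at time now.

    expected_alg=None skips the algorithm check (use it for parent-signed DS,
    whose signing algorithm the child zone does not control).
    """
    rrsets, sigs, neg_ttl = {}, {}, 0
    for r in parse_records(text):
        if r.rtype == "RRSIG":
            # RRSIG rdata: type_covered alg labels orig_ttl expiration inception keytag signer sig
            sigs.setdefault((r.owner, r.rdata[0].upper()), []).append(r.rdata)
        else:
            key = (r.owner, r.rtype)
            rrsets[key] = max(r.ttl, rrsets.get(key, 0))
            if r.rtype == "SOA":
                neg_ttl = int(r.rdata[-1])  # SOA minimum: negative-caching TTL
    rep = Report()
    for key, ttl in rrsets.items():
        rep.wait_seconds = max(rep.wait_seconds, ttl)
        covering = sigs.get(key, [])
        if not covering:
            rep.unsigned.append(key)
            continue
        for rd in covering:
            if expected_alg is not None and int(rd[1]) != expected_alg:
                rep.wrong_algorithm.append(key)
            if now > _sig_time(rd[4]):
                rep.expired.append(key)
            if now < _sig_time(rd[5]):
                rep.not_yet_valid.append(key)
    rep.wait_seconds = max(rep.wait_seconds, neg_ttl)
    return rep


if __name__ == "__main__":
    zone = check_records(SAMPLE_ZONE, NOW)
    print("zone ok:", zone.ok(), "unsigned:", zone.unsigned,
          "wait before publishing DS:", zone.wait_seconds, "s")
    ds = check_records(SAMPLE_DS, NOW, expected_alg=None)
    print("DS signature expired:", ds.expired)
```

On real zones, feed the script the answer sections of `dig +dnssec` queries for each name you care about (the apex, plus any name a resolver is likely to have cached), and the DS query sent to the parent's servers. The wait value is the conservative choice described above: the longest TTL in the zone or the SOA minimum, whichever is larger.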

Can the NS1 Connect platform serve a zone that I or another provider have already DNSSEC-signed?
Yes. DNSSEC is supported on zone transfers from a primary zone hosted elsewhere to a secondary zone hosted by NS1 Connect, provided the transferred zone carries NSEC or NSEC3 records for authenticated denial of existence. In this setup the keys and signing stay with the primary; NS1 Connect serves the signed records it receives. Contact IBM support if you have any questions or need assistance.