The Domain Name System Security Extensions (DNSSEC) are a series of additions to standard DNS functionality. Due to the decentralized and hierarchical nature of DNS it is possible for a malicious actor to modify (or ‘poison’) the cached answer of a recursive DNS resolver. An attacker could redirect a user from one website to a different, potentially dangerous website of their choosing.
To defend against such attacks, DNSSEC gives recursive DNS resolvers a mechanism to check the authenticity of the information received from the previous authoritative DNS server in the series of lookups required to return a DNS answer to a user.
NS1 offers DNSSEC functionality to all customers regardless of their management plan at no additional cost. DNSSEC-enabled zones retain their full traffic management and advanced NS1 feature functionality.
Before enabling DNSSEC on your domain, check with your domain’s registrar to ensure they support our implementation of the feature. Your registrar should support adding DNSSEC records (DS and/or DNSKEY), support your specific TLD (top level domain), and allow signing algorithm 13. More information about DNS security algorithms can be found here.
It is also important to follow the steps in the following section to ensure there are no interruptions to service.
To enable DNSSEC you will need to proceed with the following steps.
1. Contact [email protected] to request your account have this function enabled.
2. Enable DNSSEC for each zone. This can be done via the portal in the ‘Zone Settings’ tab of the zone in question:
as well as the API:
curl -X POST -H 'X-NSONE-Key: <your-API-key>
3. Record the zone-specific DNSSEC data that will be input at the domain’s registrar. This information is generated automatically after the feature is enabled on a zone. Users can retrieve this data by clicking the ‘View Detailed Instructions’ text next to the toggle as shown in the image above, or by sending the following GET request to our API:
curl -X GET -H 'X-NSONE-Key: <your-API-key>
4. Copy and paste the data retrieved from step 3 (Key Tag, Algorithm, Flags, Digest, Digest Type, Public key) to the portal of the domain’s registrar. This will vary between the different registrars, so if the method of data entry is unclear, please reach out to your registrar for support.
5. Change the delegation of your domain to our DNSSEC-enabled pool, p10, at your domain's registrar to the following nameservers:
There may be a delay at this point as the changes made at the domain’s registrar need to be processed and added to the registry.
Once those updates have propagated you can check to ensure the functionality is working properly by inputting the domain name into a public DNSSEC authentication tool such as:
A successful result will reveal an array of green check mark icons with no indication of errors.
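Added example (not NS1 code): the step 3 data can be cross-checked offline before it is pasted at the registrar in step 4, since a DS record that does not match the zone's DNSKEY makes validating resolvers reject the zone's answers. The dictionary keys and the sample key are constructed for illustration; the key tag and digest calculations follow RFC 4034.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Owner name in canonical (lowercased) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key_b64, protocol=3):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name wire format || DNSKEY RDATA), as hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def check_ds(owner, dnskey, ds):
    """Compare the DS fields entered at the registrar with the zone's DNSKEY."""
    rdata = dnskey_rdata(dnskey["flags"], dnskey["algorithm"], dnskey["public_key"])
    problems = []
    if ds["key_tag"] != key_tag(rdata):
        problems.append("key tag mismatch")
    if ds["algorithm"] != dnskey["algorithm"]:
        problems.append("algorithm mismatch")
    if ds["digest_type"] not in DIGESTS:
        problems.append("unsupported digest type")
    elif ds["digest"].replace(" ", "").lower() != ds_digest(owner, rdata, ds["digest_type"]):
        problems.append("digest mismatch")
    return problems

# Constructed sample values: not a real key and not NS1 output.
SAMPLE_KEY = {"flags": 257, "algorithm": 13,
              "public_key": base64.b64encode(bytes(range(64))).decode()}

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 13, SAMPLE_KEY["public_key"])
    ds = {"key_tag": key_tag(rdata), "algorithm": 13, "digest_type": 2,
          "digest": ds_digest("example.com", rdata).upper()}
    print(check_ds("example.com", SAMPLE_KEY, ds))                       # matching entry
    print(check_ds("example.com", SAMPLE_KEY, {**ds, "key_tag": 1234}))  # mistyped key tag
```

An empty list means the Key Tag, Algorithm and Digest are consistent with the Flags, Algorithm and Public key for that owner name.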