Skip to main content Skip to search


With NS1, you can use all the advanced traffic management capabilities of our platform on your DNSSEC signed zones.

Many organizations have held back from using DNSSEC because doing so meant giving up the DNS traffic management capabilities they rely on to deliver high quality online services. It does not have to be that way. With NS1, you can use all the advanced traffic management capabilities of our platform on your DNSSEC signed zones.

DNSSEC in Brief

The Domain Name System Security Extensions (DNSSEC) provide a very effective defense against so-called “cache poisoning attacks.” These attacks seek to place false information in DNS resolvers – false information that causes the resolvers to send your end users to websites operated by the attackers themselves rather than to your website. Because of the serious consequences of such attacks, more and more security aware enterprises are protecting their DNS zones with DNSSEC.

All DNSSEC Implementations Are Not Created Equal

All DNSSEC implementations are not the same and the differences have consequences to your business. It is generally easier for DNS providers to implement DNSSEC using what is known as “offline signing.” Unfortunately this approach is incompatible with DNS traffic management features such as georouting, monitoring, and load balancing. In effect, it takes DNS back to the 1990’s when no traffic management was available.

At NS1 we took the extra steps to implement DNSSEC using “online signing.” By securely signing DNS responses on the fly we retain support for all the real time DNS traffic management features of our platform for zones secured with DNSSEC. This is a big win for our customers as they can use DNS to optimize end user experience, manage multiple CDN providers and migrate to the cloud while ensuring their zones (and by extension, their end users) are protected.

DNSSEC can also complicate maintaining a redundant, dual DNS architecture. Some providers cannot support DNSSEC and also function as a secondary DNS to another provider, or be primary in a dual provider set-up. NS1 supports dual provider configurations. We also support DNSSEC with our own managed DNS solution for redundancy, Dedicated DNS. This allows our customers to deploy DNSSEC in a redundant architecture while retaining full traffic management capabilities.

Finally, set up and management of DNSSEC on the NS1 platform is easy and straightforward. A zone can be signed in seconds with a couple of mouse clicks or via a single call to our API.