Jul 23, 2025 — Edge DNS and Shield NS53 updates

Edge DNS

This release includes these updates:

  • Splunk, Google Security Operations, and Sentinel SIEM integration. You can now push infrastructure security analytics data to these common SIEMs: Google Security Operations (formerly known as Chronicle), Splunk, and Microsoft Sentinel.
  • Zone Protection SIEM integration. You can now push Zone Protection events such as high-priority related domains to a SIEM destination. This allows for consolidation and correlation of DNS events.
  • DNS Hijacking detector. Infrastructure Security Analytics now detects DNS hijacking. For many of the known open resolvers, Security Analytics tests for resolution of domain names, looks for appropriate responses, and alerts when the answers are changing. Knowing these behaviors can provide context for security posture.
  • ServiceNow integration for CNAME dangler mitigation. You can now automatically push events for dangling CNAMEs to ServiceNow. This feature gives you the data you need to investigate events as they are detected and efficiently mitigate risk to your organization.
  • Multi-signer DNSSEC support (Limited Availability). Multi-signer now provides RFC 8901 Model 2 support. This feature allows multiple DNS providers to DNSSEC-sign a multi-provider, high-availability configuration. The capability offers DNSKEY support for third parties. When new DNSKEYs are available, it notifies the URL configured in a webhook setting so that the other DNS providers serving the zone can pull the keys and add them to their configuration.
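
The comparison described in the DNS Hijacking detector item (poll resolvers, check the answers, alert when they change) can be sketched as follows. This is an added example, not Akamai's implementation; the resolver addresses, domain name, expected answers and the `detect_changes` function are constructed for illustration.

```python
# Constructed sample polls: (poll number, resolver, queried name, answers).
# All addresses are from documentation ranges (RFC 5737); none are real.
OBSERVATIONS = [
    (1, "192.0.2.53", "www.example.com", {"198.51.100.10", "198.51.100.11"}),
    (1, "192.0.2.54", "www.example.com", {"198.51.100.10"}),
    (2, "192.0.2.53", "www.example.com", {"198.51.100.11", "198.51.100.10"}),
    (2, "192.0.2.54", "www.example.com", {"203.0.113.66"}),
    (3, "192.0.2.54", "www.example.com", {"203.0.113.66"}),
    (3, "192.0.2.53", "www.example.com", set()),
]

# Assumption: the zone owner knows the full set of legitimate answers.
EXPECTED = {"www.example.com": {"198.51.100.10", "198.51.100.11"}}


def detect_changes(observations, expected):
    """Alert when a resolver's answer changes to an unexpected or empty set."""
    last = {}    # (resolver, name) -> answers seen at the previous poll
    alerts = []
    for poll, resolver, name, answers in sorted(observations, key=lambda o: o[0]):
        key = (resolver, name)
        previous = last.get(key)
        last[key] = answers
        if previous is not None and answers == previous:
            continue  # unchanged since the last poll, already evaluated
        unexpected = sorted(answers - expected.get(name, set()))
        if unexpected:
            kind = "unexpected-answer"   # records outside the known-good set
        elif not answers:
            kind = "no-answer"           # resolver stopped answering for the name
        else:
            continue  # change stays inside the expected set (e.g. rotation)
        alerts.append({"poll": poll, "resolver": resolver, "name": name,
                       "kind": kind, "detail": unexpected})
    return alerts


if __name__ == "__main__":
    for alert in detect_changes(OBSERVATIONS, EXPECTED):
        print(alert)
```

Alerting only on change keeps a persistent bad answer from generating a new alert at every poll; a production check would also track how long the condition has lasted.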

After September 30, 2025, Akamai will not show or retain the full zone history for changes that are older than one year. If the history item is older than one year, it will appear in the Zone History without a link to the zone record or records.

Shield NS53

This release includes these Shield NS53 updates:

  • Apex aliasing. In a shield zone configuration, you can now specify a domain name as an apex alias. This allows Shield NS53 to resolve apex queries with the result of the provided domain. Without an apex alias setting, Shield NS53 forwards traffic to the origin for answers, which it then caches and provides to queries. This workflow mitigates an Internet-wide DNS constraint that does not allow CNAME records at the apex of a DNS zone. CNAME records are a common way for third-party service providers to onboard traffic to their platforms.
  • Service IP names. Shield NS53 provides names for service IP addresses. You can now use the names or the A/AAAA IP addresses for those names. This removes the step of defining glue records.
  • EDNS0 Client Subnet (ECS) setting. For queries forwarded to the origin, you can now enable the EDNS client subnet setting to have the origin provide answers relative to the client’s source resolver IP address and the user’s location.