Enable DNSSEC

This section describes the DNSSEC options for Edge DNS and explains how to enable them.

Review the DNSSEC integration process

Note: Contract must include the Security Option

Your Edge DNS contract must include the Security Option before enabling DNSSEC.

  1. Determine which option you plan to use, Sign and Serve or Serve.

    • Sign and serve. Akamai manages signing the zone, key rotation, and serving the zone.
    • Serve. Serve supports DNSSEC for secondary zones. You manage signing the zone and key rotation on your primary nameservers. Akamai serves the signed zone.
  2. Enable TSIG support on the zone.

  3. Set up zone transfer using Akamai Control Center.

  4. Update the zone file information on your name servers.

  5. Ensure that the zone file has correctly propagated on your name servers.

  6. Provide your registrar with the DNS key record available from Akamai Control Center.

Enable DNSSEC for a new zone

Use Akamai Control Center to enable DNSSEC. The steps you need to complete depend on the DNSSEC option you're using.

If you currently sign your zones and want to move to DNSSEC Sign and Serve, note that continuous signing is not supported. Before you configure the zone on Akamai Control Center, you must:

  • Remove the existing delegation signer (DS) record.
  • Wait out the TTL for the DS record.

Then continue with the next instructions for the type of DNSSEC you're configuring.

Enable Sign and Serve for a new zone

  1. On Akamai Control Center, go to > DNS SOLUTIONS > Edge DNS.

  2. Click Add zone.

  3. From the Zone type menu, select a zone type: Primary or Secondary.

  4. In the Zone names field, enter zone names. For example, customer.example.com or customer.example.net.

  5. Select the DNSSEC Sign and Serve checkbox. Then, from the DNSSEC algorithm menu, select an algorithm.

    The currently recommended algorithm is ECDSA-P256-SHA256. If you want to avoid using ECDSA, select RSA SHA-256.

  6. For secondary zones:

    1. In the Customer master name servers field, enter the IP addresses of your master name servers.

    2. From the TSIG key menu, select a TSIG key or create a new one.

  7. Click Create zone.

Enable Serve for a new secondary zone

  1. On Akamai Control Center, go to > DNS SOLUTIONS > Edge DNS.

  2. Click Add zone.

  3. For the Zone type, select Secondary.

  4. In the Zone names field, enter zone names. For example, customer.example.com or customer.example.net.

  5. Do not select the DNSSEC Sign and Serve checkbox.

    Warning: Selecting this checkbox and submitting the zone would generate a new ZSK and KSK for the zone.

  6. In the Customer master name servers field, enter the IP addresses of your master name servers.

  7. From the TSIG key menu, select a TSIG key or create a new one.

  8. Click Create zone.

Enable DNSSEC for an existing zone

Use Akamai Control Center to enable DNSSEC. The steps you need to complete depend on the DNSSEC option you're using.

If you currently sign your zones and want to move to the Sign and Serve option, note that continuous signing is not supported. Before configuring the zone on Akamai Control Center, you must:

  • Remove the existing delegation signer (DS) record.
  • Wait out the TTL for the DS record.

Then continue with the next instructions for the type of DNSSEC you're configuring.

Enable Sign and Serve for an existing zone

  1. On Akamai Control Center, go to > DNS SOLUTIONS > Edge DNS.

  2. On the Zone list page, click the name of the zone you'd like to edit.

  3. On the Edit zone page, expand the Zone settings section.

  4. Select the DNSSEC Sign and Serve checkbox. Then, from the DNSSEC algorithm menu, select an algorithm.

    The currently recommended algorithm is ECDSA-P256-SHA256. If you want to avoid using ECDSA, select RSA SHA-256.

  5. For secondary zones, from the TSIG key menu, select a TSIG key or create a new one.

  6. Click Add to change list.

Note: You must review and submit the change list before any changes propagate.

Enable Serve for an existing secondary zone

  1. On Akamai Control Center, go to > DNS SOLUTIONS > Edge DNS.

  2. On the Zone list page, click the name of the zone you'd like to edit.

  3. Expand the Zone settings section.

  4. Do not select the DNSSEC Sign and Serve checkbox.

    Warning: Selecting this checkbox and submitting the zone would generate a new ZSK and KSK for the zone.

  5. Select a TSIG key or create a new one.

  6. Click Add to change list.

Note: You must review and submit the change list before any changes propagate.

Provide inputs to the zone registrar

You must provide the following information to the registrar for the zone:

  • Authoritative name servers. To retrieve the list, on the Zone list page, click Authoritative name servers.

  • Delegation signer (DS) record or DNSKEY record. If you're using DNSSEC Sign and Serve, the DS record is provided on Akamai Control Center on the Zone list page. Click the icon in the zone's DNSSEC status column to open the DNSSEC Sign and Serve status page. This page displays the current DS record and the corresponding DNSKEY record.

    By default, the DS record's TTL is one day. According to RFC 4035, the TTL of the DS record should match the TTL of the corresponding name server record set.

    Government agencies must provide the DNSKEY record to their registrars, who then generate the DS record. If you're using DNSSEC Serve, you will have this information.
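Before handing the DS record to the registrar, it is worth confirming that it really was derived from the DNSKEY shown on the status page (a mismatched DS makes the zone fail validation). The following Python example is added here and is not Akamai's code: it recomputes the DS from the DNSKEY as RFC 4034 section 5.1.4 specifies (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA) and compares it with a DS record you already have. The zone name and DNSKEY are constructed sample values; substitute the DNSKEY and DS shown on your own status page.

```python
import base64
import hashlib
import struct

# Constructed sample values (not a real zone or key): flags 257 marks a KSK,
# protocol is always 3, algorithm 13 is ECDSA-P256-SHA256 as recommended above.
SAMPLE_ZONE = "customer.example.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def dnskey_rdata(dnskey_text):
    """Wire-format RDATA of a DNSKEY in presentation form: 'flags protocol algorithm base64'."""
    flags, proto, alg, *key = dnskey_text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (applies to every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(zone, dnskey_text):
    """DS RDATA with digest type 2 (SHA-256) per RFC 4034 section 5.1.4:
    digest = SHA-256(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(dnskey_text)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"


def ds_matches_dnskey(zone, ds_text, dnskey_text):
    """True if the DS record (as published at the registrar or shown on the status page)
    was derived from this DNSKEY; only SHA-256 digests (type 2) are handled here."""
    tag, alg, dtype, *digest = ds_text.split()
    if int(dtype) != 2:
        return False
    expected = make_ds(zone, dnskey_text).split()
    return (int(tag), int(alg), "".join(digest).upper()) == (
        int(expected[0]), int(expected[1]), expected[3])


if __name__ == "__main__":
    ds = make_ds(SAMPLE_ZONE, SAMPLE_DNSKEY)
    print(SAMPLE_ZONE, "IN DS", ds)
    print("matches:", ds_matches_dnskey(SAMPLE_ZONE, ds, SAMPLE_DNSKEY))
```

The same check is useful after the DS record has been removed or replaced: query the parent zone for the DS and confirm it now matches (or, when disabling signing, no longer exists) before moving to the next step.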

Disable signing a zone

Follow this procedure to disable signing for a zone that Edge DNS currently serves.

  1. Remove the existing delegation signer (DS) record.

  2. Wait out the TTL for the DS record.

  3. On Akamai Control Center, go to > DNS SOLUTIONS > Edge DNS.

  4. On the Zone list page, click the name of the zone you'd like to edit.

  5. On the Edit zone page, expand the Zone settings section and deselect the DNSSEC Sign and Serve checkbox.

  6. Click Add to change list.

  7. You must review and submit the change list before any changes propagate.

Disable signing before deleting a zone

Follow this procedure to disable signing for a zone that Edge DNS currently signs and serves, and then delete the zone from Edge DNS.

  1. Remove the existing delegation signer (DS) record.

  2. Wait out the TTL for the DS record.

  3. Update the relevant name server records in your zone file.

  4. Provide your registrar with the names of your new or original name servers.

  5. Provide the new DS record to the registrar.

    Note: Confirm change propagation. Before continuing with the next step, confirm that the change is completely propagated.

  6. On Akamai Control Center, go to > DNS SOLUTIONS > Edge DNS.

  7. On the Zone list page, select the checkbox next to the zone name that you want to delete.

  8. Click Delete selected zones.

