Enable DNSSEC

This section describes how to enable DNSSEC on an Edge DNS zone, and how to disable zone signing.

Workflow for enabling DNSSEC

Enabling DNSSEC on a zone comprises the following high-level steps.

  1. Complete the prerequisite tasks, which include determining which DNSSEC option you plan to use: Sign and Serve, or Serve.

  2. Depending on which option you chose in the previous step, complete the matching procedure below: Enable Sign and Serve, or Enable Serve.

  3. Provide information to the zone registrar.

Prerequisite tasks

Complete the following prerequisite tasks prior to enabling DNSSEC.

📘

Contract must include the Security Option

Your Edge DNS contract must include the Security Option before enabling DNSSEC.

  1. Determine which DNSSEC option you plan to use.

    • DNSSEC Sign and Serve. When you enable Sign and Serve, Akamai automatically sets up DNSSEC for this zone and generates a new Zone Signing Key (ZSK) and Key Signing Key (KSK) pair. Akamai manages signing the zone, key rotation, and serving the zone.
    • DNSSEC Serve. Serve is supported for secondary zones. When you enable Serve, you manage signing the zone and key rotation on your primary nameservers, and Akamai serves the signed zone.
  2. Enable TSIG support on the zone.

  3. Set up zone transfer using Akamai Control Center.

  4. Update the zone file information on your name servers.

  5. Ensure that the zone file has correctly propagated on your name servers.

  6. Provide your registrar with the DNS key record available from Akamai Control Center.

Enable DNSSEC for a new zone

Use Akamai Control Center to enable DNSSEC. The steps you need to complete depend on the DNSSEC option you're using.

If you currently sign your zones and would like to use DNSSEC Sign and Serve, continuous signing is not supported. Before you configure the zone on Akamai Control Center, you must:

  • Remove the existing delegation signer (DS) record.
  • Wait out the TTL for the DS record.

Then continue with the next instructions for the type of DNSSEC you want to configure.

Enable Sign and Serve for a new zone

  1. On Akamai Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.

  2. Click Add zone.

  3. From the Zone type menu, select a zone type: Primary or Secondary.

  4. In the Zone names field, enter zone names. For example, customer.example.com or customer.example.net.

  5. Select the DNSSEC Sign and Serve checkbox. Then, from the DNSSEC algorithm menu, select an algorithm.

    📘

    The currently recommended algorithm is ECDSA-P256-SHA256. If you want to avoid using ECDSA, select RSA SHA-256.

  6. For secondary zones:

    1. In the Customer master name servers field, enter the IP addresses of your master name servers.

    2. From the TSIG key menu, select a TSIG key or create a new one.

  7. Click Create zone.

Enable Serve for a new secondary zone

  1. On Akamai Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.

  2. Click Add zone.

  3. For the Zone type, select Secondary.

  4. In the Zone names field, enter zone names. For example, customer.example.com or customer.example.net.

  5. Do not select the DNSSEC Sign and Serve checkbox.

🚧

Warning

Selecting this checkbox and submitting the zone would generate a new ZSK and KSK for the zone.

  6. In the Customer master name servers field, enter the IP addresses of your master name servers.

  7. From the TSIG key menu, select a TSIG key or create a new one.

  8. Click Create zone.

Enable DNSSEC for an existing zone

Use Akamai Control Center to enable DNSSEC. The steps you need to complete depend on the DNSSEC option you're using.

If you currently sign your zones and would like to use the Sign and Serve option, continuous signing is not supported. Before configuring the zone on Akamai Control Center, you must:

  • Remove the existing delegation signer (DS) record.
  • Wait out the TTL for the DS record.

Then continue with the next instructions for the type of DNSSEC you're configuring.

Enable Sign and Serve for an existing zone

  1. On Akamai Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.

  2. On the Zone list page, click the name of the zone you'd like to edit.

  3. On the Edit zone page, expand the Zone settings section.

  4. Select the DNSSEC Sign and Serve checkbox. Then, from the DNSSEC algorithm menu, select an algorithm.

    The currently recommended algorithm is ECDSA-P256-SHA256. If you want to avoid using ECDSA, select RSA SHA-256.

  5. For secondary zones, from the TSIG key menu, select a TSIG key or create a new one.

  6. Click Add to change list.

📘

You must review and submit the change list before any changes propagate.

Enable Serve for an existing secondary zone

  1. On Akamai Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.

  2. On the Zone list page, click the name of the zone you'd like to edit.

  3. Expand the Zone settings section.

  4. Do not select the DNSSEC Sign and Serve checkbox.

🚧

Warning

Selecting this checkbox and submitting the zone would generate a new ZSK and KSK for the zone.

  5. From the TSIG key menu, select a TSIG key or create a new one.

  6. Click Add to change list.

📘

You must review and submit the change list before any changes propagate.

Provide information to the zone registrar

You must provide the following zone information to the registrar:

  • Authoritative name servers. To retrieve the list, on the Zone list page, click Authoritative name servers.

  • Delegation signer (DS) record or DNSKEY record.

    • If you're using DNSSEC Sign and Serve, the DS record is on the DNSSEC Sign and Serve status page.

      From the Zone list page, in the zone's DNSSEC column, click the status icon to open the DNSSEC Sign and Serve status page. This page displays the current DS record and the corresponding DNSKEY record. Government agencies must provide the DNSKEY record to their registrars, who then generate the DS record.

    • If you're using DNSSEC Serve, you already have this information as the signer of the zone and owner of the ZSK and KSK.

📘

According to RFC 4035, the DS record's TTL should match the TTL of the corresponding NS record set.
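The DS record a registrar publishes is derived from the KSK's DNSKEY record: the key tag is computed over the DNSKEY RDATA (RFC 4034 Appendix B) and the digest is a hash of the canonical owner name followed by that RDATA (RFC 4034 section 5.1.4). The following is an added example, not Akamai's tooling and not code from this page; it is useful for checking that the DS record shown on the DNSSEC Sign and Serve status page (or the one your registrar generated from a DNSKEY) actually corresponds to your DNSKEY, and it takes the DS TTL from the NS RRset TTL as the note above recommends. The DNSKEY in it is constructed (a two-byte placeholder "key" for algorithm 13), and the function names are the example's own.

```python
import base64
import hashlib
import struct
from typing import Optional, Tuple

# DS digest types (RFC 4034 section 5.1.3 and later registrations):
# 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DS_DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B). This is the generic
    computation for every algorithm except the obsolete RSA/MD5 (algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> Tuple[str, int, bytes]:
    """Parse a presentation-format DNSKEY RR ("owner ttl [IN] DNSKEY flags proto alg key")
    into (owner, ttl, rdata). Parentheses and a trailing ';' comment are tolerated."""
    text = line.split(";", 1)[0].replace("(", " ").replace(")", " ")
    fields = [f for f in text.split() if f.upper() != "IN"]
    owner, ttl, rtype = fields[0], int(fields[1]), fields[2].upper()
    if rtype != "DNSKEY":
        raise ValueError(f"expected a DNSKEY record, got {rtype}")
    flags, proto, alg = int(fields[3]), int(fields[4]), int(fields[5])
    pubkey = base64.b64decode("".join(fields[6:]))
    return owner, ttl, struct.pack("!HBB", flags, proto, alg) + pubkey


def is_ksk(rdata: bytes) -> bool:
    """True when the SEP (Secure Entry Point) flag bit is set (flags 257 in a typical KSK).
    A DS record is generated from the KSK, not from the ZSK."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return bool(flags & 0x0001)


def ds_fields(dnskey_line: str, digest_type: int = 2) -> Tuple[int, int, int, str]:
    """Return (key_tag, algorithm, digest_type, digest_hex) for the DS record that
    matches the given DNSKEY: digest = hash(canonical owner name || DNSKEY RDATA)."""
    owner, _ttl, rdata = parse_dnskey(dnskey_line)
    digest = DS_DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_record(dnskey_line: str, ns_ttl: Optional[int] = None, digest_type: int = 2) -> str:
    """Presentation-format DS RR for the DNSKEY. The DS TTL is taken from ns_ttl so that it
    matches the delegating NS RRset (RFC 4035); it falls back to the DNSKEY TTL when no
    NS TTL is supplied."""
    owner, ttl, _rdata = parse_dnskey(dnskey_line)
    tag, alg, dtype, digest = ds_fields(dnskey_line, digest_type)
    ds_ttl = ns_ttl if ns_ttl is not None else ttl
    return f"{owner} {ds_ttl} IN DS {tag} {alg} {dtype} {digest}"


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) for algorithm 13 (ECDSAP256SHA256) whose
    # "public key" is two zero bytes. It is not a real key; it only exercises the code.
    sample = "customer.example.com. 3600 IN DNSKEY 257 3 13 AAA="
    print(ds_record(sample, ns_ttl=86400))
```

To check a published DS against your KSK, paste the DNSKEY line from the status page (or from your own signer if you use Serve) into ds_fields and compare the key tag, algorithm, digest type, and digest with the four fields of the DS record your registrar holds; any mismatch means the delegation will not validate once the DS is live.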

Disable signing for a zone

Follow this procedure to disable signing for a zone that is currently being served by Edge DNS.

  1. Remove the existing delegation signer (DS) record.

  2. Wait out the TTL for the DS record.

  3. On Akamai Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.

  4. On the Zone list page, click the name of the zone you'd like to edit.

  5. On the Edit zone page, expand the Zone settings section and deselect the DNSSEC Sign and Serve checkbox.

  6. Click Add to change list.

  7. You must review and submit the change list before any changes propagate.

Disable signing and delete a zone

Follow this procedure to disable signing for a zone that is currently being signed and served by Edge DNS, and to delete the zone from Edge DNS.

  1. Remove the existing DS record.

  2. Wait out the TTL for the DS record.

  3. Update the relevant name server records in your zone file.

  4. Provide your registrar with the names of your new or original name servers.

  5. Provide the new DS record to the registrar.

    📘

    Confirm change propagation

    Before continuing with the next step, confirm that the change is completely propagated.

  6. On Akamai Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.

  7. On the Zone list page, select the checkbox next to the zone name that you want to delete.

  8. Click Delete selected zones.