This section describes how to enabling DNSSEC on an Edge DNS zone as well as how to disable zone signing.

Workflow for enabling DNSSEC

Enabling DNSSEC on a zone comprises the following high-level steps.

1. Complete the prerequisite tasks, which include determining which DNSSEC option you plan to use: Sign and Serve, or Serve.

2. Depending on which option you chose in the previous step, complete one of these procedures:

   • Enable Sign and Serve for a new zone
   • Enable Serve for a new secondary zone
   • Enable Sign and Serve for an existing zone
   • Enable Serve for an existing secondary zone

3. Provide information to the zone registrar

Prerequisite tasks

Complete the following prerequisite tasks prior to enabling DNSSEC.

📘

Contract must include the Security option

Your Edge DNS contract must include the Security option before enabling DNSSEC.

1. Determine which DNSSEC option you plan to use.

   • DNSSEC Sign and Serve. When you enable Sign and Serve, ​Akamai​ automatically sets up DNSSEC for this zone and generates a new Zone Signing Key (ZSK) and Key Signing Key (KSK) pair. ​Akamai​ manages signing the zone, key rotation, and serving the zone.
   • DNSSEC Serve. Serve is supported for secondary zones. When you enable Serve, you manage signing the zone and key rotation on your primary nameservers, and ​Akamai​ serves the signed zone.

2. Enable TSIG support on the zone.

3. Set up zone transfer using ​Akamai Control Center​.

4. Update the zone file information on your name servers.

5. Ensure that the zone file has correctly propagated on your name servers.

6. Provide your registrar with the DNS key record available from ​Akamai Control Center​.

Enable DNSSEC for a new zone

Use ​Akamai Control Center​ to enable DNSSEC. The steps you need to complete depend on the DNSSEC option you're using.

If you currently sign your zones and would like to use DNSSEC Sign and Serve, continuous signing is not supported. Before you configure the zone on ​Akamai Control Center​, you must:

• Remove the existing delegation signer (DS) record.
• Wait out the TTL for the DS record.

Then continue with the next instructions for the type of DNSSEC you want to configure.

Enable Sign and Serve for a new zone

1. Log in to ​Control Center​.

2. Go to ☰ > DNS SOLUTIONS > Edge DNS. The Zone list page opens.

3. Click Add zone.

4. From the Zone type menu, select a zone type: Primary or Secondary.

5. In the Zone names field, enter zones names. For example, customer.example.com or customer.example.net.

6. Select the DNSSEC Sign and Serve checkbox. Then, from the DNSSEC algorithm menu, select an algorithm.

   📘

   The currently recommended algorithm is ECDSA-P256-SHA256. If you want to avoid using ECDSA, select RSA SHA-256.

7. For secondary zones:

   1. In the Customer master name servers field, enter the IP addresses of your master name servers.

   2. From the TSIG key menu, select a TSIG key or create a new one.

8. Click Create zone.

Enable Serve for a new secondary zone

1. Log in to ​Control Center​.

2. Go to ☰ > DNS SOLUTIONS > Edge DNS. The Zone list page opens.

3. Click Add zone.

4. For the Zone type, select Secondary .

5. In the Zone names field, enter zone names. For example, customer.example.com or customer.example.net.

6. Do not select the DNSSEC Sign and Serve checkbox.

🚧

Warning

Selecting this checkbox and submitting the zone would generate a new ZSK and KSK for the zone.

6. In the Customer master name servers field, enter the IP addresses of your master name servers.

7. From the TSIG key menu, select a TSIG key or create a new one.

8. Click Create zone.

Enable DNSSEC for an existing zone

Use ​Akamai Control Center​ to enable DNSSEC. The steps you need to complete depend on the DNSSEC option you're using.

If you currently sign your zones and would like to use the Sign and Serve option, continuous signing is not supported. Before configuring the zone on ​Akamai Control Center​, you must:

• Remove the existing delegation signer (DS) record.
• Wait out the TTL for the DS record.

Then continue with the next instructions for the type of DNSSEC you're configuring.

Enable Sign and Serve for an existing zone

1. Log in to ​Control Center​.

2. Go to ☰ > DNS SOLUTIONS > Edge DNS. The Zone list page opens.

3. On the Zone list page, click the name of the zone you'd like to edit.

4. On the Edit zone page, expand the Zone settings section.

5. Select the DNSSEC Sign and Serve checkbox. Then, from the DNSSEC algorithm menu, select an algorithm.

   The currently recommended algorithm is ECDSA-P256-SHA256. If you want to avoid using ECDSA, select RSA SHA-256.

6. For secondary zones, from the TSIG key menu, select a TSIG key or create a new one.

7. Click Add to change list.

📘

You must review and submit the change list before any changes propagate.

Enable Serve for an existing secondary zone

1. Log in to ​Control Center​.

2. Go to ☰ > DNS SOLUTIONS > Edge DNS. The Zone list page opens.

3. On the Zone list page, click the name of the zone you'd like to edit.

4. Expand the Zone settings section.

5. Do not select the DNSSEC Sign and Serve checkbox.

🚧

Warning

Selecting this checkbox and submitting the zone would generate a new ZSK and KSK for the zone.

5. Select a TSIG key or create a new one.

6. Click Add to change list.

📘

You must review and submit the change list before any changes propagate.

Provide information to the zone registrar

You must provide the following zone information to the registrar:

• Authoritative name servers. To retrieve the list, on the Zone list page, click Authoritative name servers.

• Delegation signer (DS) record or DNSKEY record.

  • If you're using DNSSEC Sign and Serve, the DS record is on the DNSSEC Sign and Serve status page.

    From the Zone list page, in the zone's DNSSEC column, click the status icon to open the DNSSEC Sign and Serve status page. This page displays the current DS record and the corresponding DNSKEY record. Government agencies must provide the DNSKEY record to their registrars, who then generate the DS record.

  • If you're using DNSSEC Serve, you already have this information as the signer of the zone and owner of the ZSK and KSK.

📘

According to RFC 4035, the DS record's TTL should match the TTL of the corresponding NS record set.

Disable signing a zone

Follow this procedure to disable signing a zone that is currently being served by Edge DNS.

1. Remove the existing delegation signer (DS) record.

2. Wait out the TTL for the DS record.

3. Log in to ​Control Center​.

4. Go to ☰ > DNS SOLUTIONS > Edge DNS. The Zone list page opens.

5. On the Zone list page, click the name of the zone you'd like to edit.

6. On the Edit zone page, expand the Zone settings section and deselect the DNSSEC Sign and Serve checkbox.

7. Click Add to change list.

8. You must review and submit the change list before any changes propagate.

Disable signing and delete a zone

Follow this procedure to disable signing a zone that is currently being signed and served by Edge DNS, and delete the zone from Edge DNS.

1. Remove the existing DS record.

2. Wait out the TTL for the DS record.

3. Update the relevant name server records in your zone file.

4. Provide your registrar with the names of your new or original name servers.

5. Provide the new DS record to the registrar.

   📘

   Confirm change propagation

   Before continuing with the next step, confirm that the change is completely propagated.

6. Log in to ​Control Center​.

7. Go to ☰ > DNS SOLUTIONS > Edge DNS. The Zone list page opens.

8. On the Zone list page, select the checkbox next to the zone name that you want to delete.

9. Click Delete selected zones.