Set up multi-signer DNSSEC
You can set up multi-signer DNSSEC for your Edge DNS zones. Multi-signer DNSSEC allows you to strengthen your DNSSEC chain of trust and use DNSSEC within a multi-provider environment. With this feature, multiple DNS providers can host and sign a zone with their set of DNSSEC keys. Each provider must serve a DNSKEY set. This set of keys contains the public zone signing key (ZSK) and the provider’s public key signing keys (KSKs).
To allow resolvers to validate DNS responses from either provider, the DNSKEY set that each provider serves must contain the public portions of all ZSKs for the zone, as well as the public portion of the provider's own KSKs.
Edge DNS collects these keys and publishes a combined DNSKEY set. As part of a multi-signer setup, you add the other provider's DNSKEYs by creating an EXTERNDNSKEY record. EXTERNDNSKEY is an Akamai DNS record type that has the same format as a DNSKEY. You can submit your keys in Control Center or with the Edge DNS API.
Through a webhook configuration, you also have the option to let Akamai notify your organization when new keys are available. You can then fetch and share updated DNSKEYs with other DNS providers in your multi-signer environment.
Note the following:
- You must add the EXTERNDNSKEY record set at the apex of a zone.
- Algorithm 13 is the only supported algorithm for this feature.
- EXTERNDNSKEYs only support external DNSKEYs. You cannot use this record set for Akamai DNSKEYs.
- If you set up multi-signer DNSSEC and you need to disable the feature, you must first remove the EXTERNDNSKEYs.
Currently, this feature has these limitations:
- There is no support for CDS/CDNSKEY record sharing.
- Zones cannot already be signed by another provider before setting up this feature.
Set up multi-signer DNSSEC
The following procedure provides the high-level steps that are required to set up multi-signer DNSSEC.
Before you begin:
If you haven’t done so already, make sure you set up the Edge DNS API. To learn more, see Get started.
To set up DNSSEC for multiple providers:
- Enable sign and serve for your zone. Do one of the following:
  - To use Control Center to enable sign and serve for a zone, see Enable sign and serve for a new zone and Enable sign and serve for a secondary zone.
  - To use the Edge DNS API to enable sign and serve for a zone, set signAndServe to true. Also, set the signAndServeAlgorithm. Depending on whether you’re creating or updating a zone, see Create a zone or Update a zone’s settings.
- Set multiProviderDnssec.enabled in the Edge DNS API to true. Depending on whether you’re creating or updating a zone, see Create a zone or Update a zone’s settings.
- Add the DNSKEYs of your provider. To do this, you must add an EXTERNDNSKEY DNS record. Do one of the following:
  - To use Control Center to add the EXTERNDNSKEY record, see Add an EXTERNDNSKEY DNS record set.
  - To use the Edge DNS API to add the EXTERNDNSKEY record, see Modify record sets in a change list. Do the following:
    i. Run
    POST /config-dns/v2/zones/{zone}/changeLists/{changeListId}/recordSets
    See this example:
    { "name": "example.com", "type": "EXTERNDNSKEY", "ttl": 7200, "rdata": ["..."] }
    ii. Run
    POST /config-dns/v2/zones/{zone}/changeLists/{changeListId}/submit
- Get and share Akamai DNSKEYs with your provider or providers. For instructions, see Get and share Akamai DNSKEYs.
- (Optional) Set up a web server that can handle webhook notification requests. The webhook notifies you when new DNSKEYs are available. To review an example of this configuration, see Webhook example: Create a web server that handles webhook notification requests.
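The recordSets call above shows only a placeholder in rdata. The following Python is an added example, not Akamai's code and not part of the Edge DNS API client: it parses a provider's DNSKEY rdata in the standard presentation format (flags, protocol, algorithm, base64 key), checks it against the constraints listed on this page (record set at the zone apex, algorithm 13 only), builds the request body for the recordSets call in the shape quoted above, and works out which DNSKEYs each provider must serve (all ZSKs for the zone plus its own KSKs). The key material is constructed; the check that an algorithm 13 key decodes to 64 bytes comes from RFC 6605 rather than from this page; signing and sending the request (EdgeGrid credentials, a change list ID) is left to the caller.

```python
"""Added example (not Akamai code): check a provider's DNSKEYs before they go
into an EXTERNDNSKEY record set, build the change-list request body shown in
the procedure above, and work out which DNSKEYs each provider must serve."""
from __future__ import annotations

import base64
import json
from dataclasses import dataclass

ECDSAP256SHA256 = 13  # the only algorithm this feature supports


# Constructed sample key material, NOT real keys: 64-byte blobs, base64-encoded,
# which is the size of an uncompressed P-256 public key (RFC 6605, algorithm 13).
def _fake_p256(start: int) -> str:
    return base64.b64encode(bytes(range(start, start + 64))).decode()


PROVIDER_KSK = f"257 3 13 {_fake_p256(0)}"
PROVIDER_ZSK = f"256 3 13 {_fake_p256(64)}"
AKAMAI_KSK = f"257 3 13 {_fake_p256(128)}"
AKAMAI_ZSK = f"256 3 13 {_fake_p256(192)}"


@dataclass(frozen=True)
class DnsKey:
    flags: int
    protocol: int
    algorithm: int
    public_key: str  # base64, as written in rdata

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & 1)  # SEP bit set: 257 = KSK, 256 = ZSK

    def rdata(self) -> str:
        return f"{self.flags} {self.protocol} {self.algorithm} {self.public_key}"


def parse_dnskey_rdata(text: str) -> DnsKey:
    """Parse presentation-format rdata "flags protocol algorithm key"; the key
    may be broken into several base64 words, as dig prints it."""
    parts = text.split()
    if len(parts) < 4:
        raise ValueError(f"malformed DNSKEY rdata: {text!r}")
    flags, protocol, algorithm = (int(p) for p in parts[:3])
    key = "".join(parts[3:])
    base64.b64decode(key, validate=True)  # rejects non-base64 key text
    return DnsKey(flags, protocol, algorithm, key)


def check_externdnskey(zone: str, name: str, keys: list[DnsKey]) -> list[str]:
    """Return the problems that would make this record set unusable under the
    rules on this page; an empty list means it can be submitted."""
    problems = []
    if name.rstrip(".").lower() != zone.rstrip(".").lower():
        problems.append(f"record set must sit at the zone apex {zone}, not {name}")
    for k in keys:
        if k.protocol != 3:
            problems.append(f"protocol must be 3: {k.rdata()}")
        if k.algorithm != ECDSAP256SHA256:
            problems.append(f"only algorithm 13 is supported: {k.rdata()}")
        elif len(base64.b64decode(k.public_key)) != 64:
            problems.append(f"algorithm 13 key must decode to 64 bytes: {k.rdata()}")
    return problems


def build_record_set_body(zone: str, keys: list[DnsKey], ttl: int = 7200) -> dict:
    """Body for POST /config-dns/v2/zones/{zone}/changeLists/{changeListId}/recordSets,
    in the shape of the example above. Raises ValueError rather than producing a
    record set that breaks the rules."""
    problems = check_externdnskey(zone, zone, keys)
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": zone, "type": "EXTERNDNSKEY", "ttl": ttl,
            "rdata": [k.rdata() for k in keys]}


def keys_to_serve(own: list[DnsKey], others: list[DnsKey]) -> list[DnsKey]:
    """DNSKEY set one provider must publish: all of its own keys plus every ZSK
    held by the other providers (their KSKs are not included)."""
    out: list[DnsKey] = []
    for k in list(own) + [k for k in others if not k.is_ksk]:
        if k not in out:
            out.append(k)
    return out


if __name__ == "__main__":
    provider = [parse_dnskey_rdata(PROVIDER_KSK), parse_dnskey_rdata(PROVIDER_ZSK)]
    akamai = [parse_dnskey_rdata(AKAMAI_KSK), parse_dnskey_rdata(AKAMAI_ZSK)]
    # What Akamai must also serve from the other provider: by the rule in the
    # introduction, that provider's ZSKs.
    print(json.dumps(build_record_set_body("example.com",
                                           [k for k in provider if not k.is_ksk]), indent=2))
    for k in keys_to_serve(provider, akamai):
        print("other provider must serve:", k.rdata())
```

Run check_externdnskey() before every submit; it catches the two mistakes the notes on this page call out (a record set below the apex, a key with an algorithm other than 13) before the change list is submitted.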
Add an EXTERNDNSKEY record set
Complete this procedure to upload external DNSKEYs for your providers. To perform this operation with the Edge DNS API, see Create a record set.
To add an EXTERNDNSKEY record set:
- In Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.
- Click the name of the primary or secondary zone.
- In the Zone record sets section, click Add new record set. A dialog appears.
- In the Add new record set dialog, do the following:
- Enter a name for the record set.
- In the Type menu, select EXTERNDNSKEY.
- In the TTL menu, enter the TTL value in seconds or use the arrows to adjust the value.
- In the Record data field, enter the public DNS key that is associated with your provider.
- Click Add to change list.
Next steps:
- Review and submit this change to the change list. For instructions, see Review and submit the change list.
- Get and share Akamai DNSKEYs with your provider or providers. For instructions, see Get and share Akamai DNSKEYs.
- (Optional) Set up a web server that can handle webhook notification requests. The webhook notifies you when new DNSKEYs are available. To review an example of this web server configuration, see Webhook example: Create a web server that handles webhook notification requests.
Get and share Akamai DNSKEYs
You can find the Akamai DNSKEYs in Control Center or you can get them with the Edge DNS API.
To get and share Akamai DNSKEYs:
- To find the Akamai DNSKEYs in Control Center:
- In Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.
- Go to the zone that has DNSSEC enabled.
- From the Actions menu, select View DNSSEC detail. A dialog appears with DNSSEC record information.
- Copy the record information.
- To get the Akamai DNSKEYs with the Edge DNS API, run
GET /config-dns/v2/zones/example.com/dnskeys
This operation returns DNSKEYs for ZSKs. For more information, see Get a zone’s DNSSEC DNSKEY records.
Next steps:
- Share the records with your provider or providers.
- (Optional) Set up a web server that can handle webhook notification requests. The webhook notifies you when new DNSKEYs are available. To review an example of this web server configuration, see Webhook example: Create a web server that handles webhook notification requests.
Webhook example: Create a web server that handles webhook notification requests
This procedure and the provided code are an example of how you can create a web server that handles webhook notification requests. As part of this setup, you configure a URL to call for the webhook request. This URL is an existing web server or a new web server that you’ve created. In this example, a Linode is configured as a web server in Akamai Cloud. This example also uses the webhook code that is available on GitHub.
To create a DNSSEC webhook in Akamai Cloud:
- Log in to Akamai Cloud.
- Click Create Linode.
- Click the Marketplace tab.
- In the Select an App field, search for the Flask app, and select it when it appears in the list.
- Complete the fields for the Flask setup. No changes are necessary for the Advanced Options; they can be left as is.
- Select a Linode plan that best suits your needs. If you’re using the Linode for this webhook only, the Nanode 1 GB plan is sufficient. For more information on Linode plans, see Choose a Linode plan.
- Click Create Linode.
- Wait for the status of the Linode to change from PROVISIONING to BOOTING to RUNNING.
- Wait 5-10 minutes for the Linode configuration. You can launch the Lish console to monitor the progress. The console indicates when the configuration is completed and a login prompt appears.
- Log in to the console using the Lish console or SSH. If an SSH key was configured, it can be used to log in as the root user or a non-root user.
- Clone this repository on GitHub:
git clone https://github.com/akamai/multi-signer-dnssec-webhook
- As a non-root user, run
/var/www/[hostname]/venv/bin/pip install edgegrid-python dnspython requests
to install other tools and dependencies that the webhook uses.
- Create a text file that contains the list of zones the webhook is expected to handle:
/var/www/[hostname]/configured_zones.txt
Make sure each zone is listed on a separate line of the text file.
- In the non-root user's home directory, create an .edgerc file with the portal credentials in the default section.
- Restart the Flask gunicorn service. Run
service gunicorn restart
- Configure the webhook for multiProviderDnssec in the Edge DNS API. See Update a zone’s settings.
The webhook URL you provide may look like the following:
https://a-b-c-d.ip.linodeusercontent.com/akamai_webhook
where a-b-c-d is the IP address (a.b.c.d) of your Linode. Make sure you replace the periods in the IP address with dashes.
- (Optional) Create a daily cron job in /etc/cron.daily in case the webhook is down and misses a notification. Use this command for the daily cron job:
cd /var/www/[hostname] && sudo -u [non-root user] venv/bin/python app.py
where:
[hostname] is the Linode hostname.
[non-root user] is the username of the non-root user.
To work with other providers, the perform_update() function in app.py needs to be updated to get the external DNSKEYs from other DNSSEC providers and to set the keys across all providers.
- To find logs on the webhook, run
grep gunicorn /var/log/syslog
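The steps above set up the GitHub webhook as-is. The following Python is an added example, not the code in the akamai/multi-signer-dnssec-webhook repository, of the receiver design those steps describe: the notification body is treated as an opaque trigger and never acted on, the current Akamai DNSKEYs are pulled through GET /config-dns/v2/zones/{zone}/dnskeys (the call on this page), only zones listed in configured_zones.txt are processed, and a perform_update() function (named to match the page, but this example's own) is the single entry point that both the webhook route and the daily cron job call, so a missed notification is caught on the next run. The fetch and push steps are injected callables (in practice an EdgeGrid-signed GET and the other provider's API); the assumption that the fetch step returns a list of rdata strings, the standard-library HTTP server in place of Flask, and the sample key data are all this example's own.

```python
"""Added example, not the code in the akamai/multi-signer-dnssec-webhook
repository: a minimal receiver for the multiProviderDnssec webhook. The
notification body is an opaque trigger; current DNSKEYs come from
GET /config-dns/v2/zones/{zone}/dnskeys, and only zones listed in
configured_zones.txt are processed. perform_update() is the same entry point
a daily cron job would call, so a missed notification is caught on the next run."""
from __future__ import annotations

import json
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable

log = logging.getLogger("akamai_webhook")
DNSKEYS_PATH = "/config-dns/v2/zones/{zone}/dnskeys"  # endpoint quoted on this page

# Types of the two operator-supplied steps. Assumption for this example: the
# fetch step returns the zone's DNSKEY rdata strings (in practice an
# EdgeGrid-signed GET of DNSKEYS_PATH) and the push step sends them to the
# other provider's API.
FetchFn = Callable[[str], list[str]]
PushFn = Callable[[str, list[str]], None]


def load_configured_zones(text: str) -> set[str]:
    """Parse configured_zones.txt: one zone per line; blank lines and lines
    starting with '#' are ignored; names are normalised to lower case, no dot."""
    zones: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            zones.add(line.rstrip(".").lower())
    return zones


def perform_update(zones: set[str], fetch: FetchFn, push: PushFn) -> dict[str, list[str]]:
    """Refresh every configured zone; a failure on one zone is logged and does
    not stop the others. Returns {zone: rdata list} for what was shared."""
    shared: dict[str, list[str]] = {}
    for zone in sorted(zones):
        try:
            rdata = fetch(zone)
        except Exception as exc:  # keep going on per-zone errors
            log.error("could not fetch DNSKEYs for %s: %s", zone, exc)
            continue
        push(zone, rdata)
        shared[zone] = rdata
    return shared


def make_handler(zones_file: str, fetch: FetchFn, push: PushFn):
    """Build an HTTP handler class bound to the given zone list and callables."""

    class WebhookHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            if self.path != "/akamai_webhook":
                self.send_error(404)
                return
            # Read the body so the connection drains, but never act on it:
            # which keys are current is decided by the authenticated API call.
            self.rfile.read(int(self.headers.get("Content-Length", "0")))
            with open(zones_file, encoding="utf-8") as fh:
                zones = load_configured_zones(fh.read())
            result = perform_update(zones, fetch, push)
            body = json.dumps({"updated": sorted(result)}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return WebhookHandler


# Constructed sample data so the module runs offline; not real key material.
SAMPLE_AKAMAI_KEYS = {"example.com": ["256 3 13 CONSTRUCTEDBASE64KEYDATA=="]}


def sample_fetch(zone: str) -> list[str]:
    """Stand-in for the API call; a zone missing from the sample store raises,
    which simulates an API error for that zone."""
    return SAMPLE_AKAMAI_KEYS[zone]


def make_collector() -> tuple[dict[str, list[str]], PushFn]:
    """Push step that records what would be sent to the other provider."""
    store: dict[str, list[str]] = {}

    def push(zone: str, rdata: list[str]) -> None:
        store[zone] = list(rdata)

    return store, push


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    store, push = make_collector()
    # Behind gunicorn on the Linode this would be the Flask route; here the
    # standard library server is enough to show the request flow.
    HTTPServer(("127.0.0.1", 8080),
               make_handler("configured_zones.txt", sample_fetch, push)).serve_forever()
```

For the cron fallback described above, the daily job only needs to call perform_update() with the same zone list and callables; because the function re-reads the zone list and re-fetches from the API on every run, running it both from the webhook and from cron is safe.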
Disable multi-signer DNSSEC
Before you can disable multi-signer DNSSEC, you need to remove the EXTERNDNSKEY record that you added. After this operation is complete, you can disable multi-signer DNSSEC with the Edge DNS API.
Remove an EXTERNDNSKEY record set
If you need to disable multi-signer DNSSEC, you must first remove the EXTERNDNSKEY record or records that you created. The following procedure describes how to remove the record in Control Center. To perform this operation in the Edge DNS API, see Modify record sets in a change list.
To remove an EXTERNDNSKEY record:
- In Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.
- Click the name of the primary or secondary zone that has the EXTERNDNSKEY you want to remove.
- In the Zone record sets section, go to the EXTERNDNSKEY. If necessary, search for the key.
- From the Actions menu, select Delete. A confirmation window appears.
- Click Yes.
Next steps:
- Review and submit this update to the change list. For instructions, see Review and submit the change list.
- Disable multi-signer DNSSEC. Set multiProviderDnssec.enabled in the Edge DNS API to false. For more information, see Update a zone's settings.