DNSSEC at DNSimple is finally in beta! After quite a long period of development, we are now able to sign zones served through the DNSimple authoritative DNS network.

What is DNSSEC?

DNSSEC provides a way to cryptographically build a chain of trust from the root name servers all the way through to authoritative name servers. Authenticating resolvers may then verify this chain of trust to ensure the DNS results were not tampered with while in transit.

Signing a zone

Signing a zone managed with DNSimple is easy. First, login to your DNSimple account and go to a domain's management page. From there, click on the DNSSEC tab in the left menu.

DNSSEC tab

Next, click on the "Configure DNSSEC" link.

Configure DNSSEC

Finally, click on the "Enable DNSSEC" button.

Enable DNSSEC

If your domain is registered with DNSimple then we will automatically send the DS record to enable authenticated delegation for your domain at the registry.

If your domain is registered at another registrar then you will need to update the DS record yourself.

DNSSEC DS record

Automatic Key Rotation

DNSSEC keys generated at DNSimple are rotated on a 90-day basis. If your domain is registered and resolving with DNSimple then we will handle all key rotation automatically.

If your domain is registered with another registrar, then you will need to update your DS record at your registrar whenever a new key is generated.

Warning: please consider carefully whether you are able and willing to rotate DS records at your registrar if your domain is not registered with DNSimple. It is essential that DS records are updated whenever DNSSEC keys are rotated in your DNSimple zone. If you do not update your DS record when your keys change, then your domain will fail to resolve through resolvers that verify DNSSEC keys, including Google's Public DNS. This will result in failed DNS resolution for your domains.

Disabling DNSSEC

If at any point you need to disable DNSSEC you can also do that through the new DNSSEC interface. Disabling DNSSEC will remove the DS record at the registry when your domains are registered with DNSimple, as well as the keys from your zone.

Notes

Custom record types such as the ALIAS record, URL record, and POOL record, will all be correctly signed when a zone is signed.

Currently we only support signed zones in our name servers. We do not yet support sending signed zones to secondary DNS providers.

Conclusion

DNSSEC has been around for quite a long time, but recently its traction has increased significantly. We're happy to be able to roll out DNSSEC beta support today and join other DNS providers in this step towards a more trustworthy world of DNS.