
DNSSEC Beta Launch

Anthony Eden

DNSSEC at DNSimple is finally in beta! After quite a long period of development, we are now able to sign zones served through the DNSimple authoritative DNS network.

December 2021 Update

DNSSEC is out of beta and available in all of DNSimple's API clients. Take a look at this post for the full list.

What is DNSSEC?

DNSSEC provides a way to cryptographically build a chain of trust from the root name servers all the way through to authoritative name servers. Authenticating resolvers may then verify this chain of trust to ensure the DNS results were not tampered with while in transit.

Signing a zone

Signing a zone managed with DNSimple is easy. First, log in to your DNSimple account and go to a domain's management page. From there, click on the DNSSEC tab in the left menu.


Next, click on the "Configure DNSSEC" link.


Finally, click on the "Enable DNSSEC" button.


If your domain is registered with DNSimple, then we will automatically send the DS record to the registry to enable authenticated delegation for your domain.

If your domain is registered at another registrar, then you will need to update the DS record yourself.


Automatic Key Rotation

DNSSEC keys generated at DNSimple are rotated on a 90-day basis. If your domain is registered and resolving with DNSimple, then we will handle all key rotation automatically.

If your domain is registered with another registrar, then you will need to update your DS record at your registrar whenever a new key is generated.

Warning: please consider carefully whether you are able and willing to rotate DS records at your registrar if your domain is not registered with DNSimple. It is essential that DS records are updated whenever DNSSEC keys are rotated in your DNSimple zone. If you do not update your DS record when your keys change, then your domain will fail to resolve through resolvers that verify DNSSEC keys, including Google's Public DNS. This will result in failed DNS resolution for your domains.
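
The check behind that warning, as an added example (not DNSimple's code): a DS record is a digest of the owner name plus the DNSKEY RDATA (RFC 4034), so a DS entered at the registrar before a rotation no longer matches the new key. The zone name, the algorithm number 13, and the key bytes are constructed sample values, not values from DNSimple.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit checksum over the RDATA)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata):
    """DS fields: (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches(owner, ds, zone_dnskeys):
    """True if the DS held by the parent matches any DNSKEY now in the zone."""
    tag, alg, digest_type, digest = ds
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is handled here")
    want = (tag, alg, 2, digest.replace(" ", "").upper())
    return any(make_ds(owner, rdata) == want for rdata in zone_dnskeys)

# Constructed sample data: 64-byte values standing in for algorithm 13 public keys.
OWNER = "example.com"
OLD_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))))
NEW_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64, 128))))
REGISTRAR_DS = make_ds(OWNER, OLD_KSK)  # DS entered at the registrar before rotation

if __name__ == "__main__":
    print("before rotation:", ds_matches(OWNER, REGISTRAR_DS, [OLD_KSK]))
    print("after rotation: ", ds_matches(OWNER, REGISTRAR_DS, [NEW_KSK]))
```

Run against the real DNSKEY set of a zone and the DS shown at the registrar, a False result after a rotation means the DS still points at the retired key and needs to be replaced.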

Disabling DNSSEC

If at any point you need to disable DNSSEC, you can also do that through the new DNSSEC interface. Disabling DNSSEC will remove the keys from your zone and, when your domain is registered with DNSimple, the DS record at the registry.

Notes

Custom record types, such as the ALIAS record, URL record, and POOL record, will all be correctly signed when a zone is signed.

Currently we only support signed zones in our name servers. We do not yet support sending signed zones to secondary DNS providers.

Conclusion

DNSSEC has been around for quite a long time, but recently its traction has increased significantly. We're happy to be able to roll out DNSSEC support today and join other DNS providers in this step towards a more trustworthy world of DNS. Check out our guide about DNSSEC for more information.

If you have any questions, get in touch – we're always happy to help. Not using DNSimple yet? Give us a try free for 30 days, and explore everything our automated DNS management has to offer.


Anthony Eden

I break things so Simone continues to have plenty to do. I occasionally have useful ideas, like building a domain and DNS provider that doesn't suck.
