
Announcing DNSSEC General Availability

Guillermo Gutiérrez

In 2017, DNSimple announced our beta launch of DNSSEC (Domain Name System Security Extensions). Today, we're excited to announce we're moving out of beta and into general availability.

We've spent the last five years building to this launch. Over that time, we've tested and verified DNSSEC with different domain names. It's been a long process, and we've slowly made improvements along the way. After four years of work, we're confident that we're ready to launch for general availability. And all the testing we've done over the years means you can be confident, too.

What does DNSSEC do?

DNS (Domain Name System) isn't secure on its own. Source IP addresses of DNS response packets can easily be forged or spoofed. Attackers can use that falsified information to re-route users to malicious sites. That's where DNSSEC comes in.

DNSSEC provides a way to cryptographically build a chain of trust from the root name servers to authoritative name servers. Validating resolvers can verify this chain of trust to ensure DNS responses weren't tampered with in transit.

What are the benefits of DNSSEC?

DNSSEC adds trust to the DNS resolution chain and reinforces the claim about authoritative DNS resolution. It also improves Internet security by making it harder to perform attacks based on DNS forgery.

Hosting platforms that create subdomains for their customers (e.g. Clickfunnels) can benefit by adding DNSSEC to their zones to protect their customers' identities.

DNSSEC is also valuable for personal domains/subdomains. You can benefit from using DNSSEC to verify your "digital identity" by adding signatures to your domains and subdomains – much like what you'd do by adding PGP/GPG (Pretty Good Privacy/GNU Privacy Guard) signatures to your emails.

Why should I use DNSimple for DNSSEC?

DNSimple offers one of the best DNSSEC services around. Some TLDs (Top Level Domains) make users sign their zones manually, which requires highly technical skills. And key rotation can be complicated. We provide expert-level service to ensure your DNSSEC is taken care of correctly, so you know your DNS is as secure as possible.

Let's look at some examples for the different ways DNSimple supports DNSSEC:

Case 1: A domain is registered with DNSimple. We're providing DNS resolution.

This is a hassle-free, zero-downtime-guaranteed DNSSEC setup. We take care of everything:

  • We create the KSK (Key-Signing Key) and ZSK (Zone-Signing Key) and set up a key rotation schedule.
  • We create DNSKEY records on the signed zone.
  • We create CDS (Child DS) and CDNSKEY (Child DNSKEY) records to signal parent zones about the DNSSEC status on the zone.
  • We will create DS records and provision them on the parent TLD.

Case 2: A domain is registered with DNSimple. A third-party DNS service is providing DNS resolution.

A third party is signing the zones for the user:

  • The third party service signing the zones generates DS records and provides them to the user.
  • The user can manage the DS records provisioned in the parent TLD through the DS management page.

Case 3: A domain is hosted with DNSimple.

A third-party registrar needs to receive the DS records we create while signing the user's zones:

  • We create the KSK and ZSK and set up a key rotation schedule.
  • We create DNSKEY records on the signed zone.
  • We create CDS and CDNSKEY records to signal parent zones about the DNSSEC status on the zone. We do this in case third-party registrars support using these records to automatically provision and retire DS records for their customers.
  • We create DS records and provide them to users, so they can send them to their respective registrars when they don't support CDS/CDNSKEY records.

Zone signing is available for all domains, regardless of their registration status. DS record management is only available for registered domains.
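When DS records are handed to a registrar manually (Cases 2 and 3), a DS that does not match the zone's KSK makes validating resolvers reject the zone. The sketch below is an added example, not DNSimple's code: it derives a DS from a DNSKEY as described in RFC 4034 and checks a supplied DS against it. The function names, `example.com`, and the placeholder key bytes are constructed for illustration.

```python
import base64
import hashlib
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types handled here

def name_to_wire(name):
    """Owner name in canonical (lowercased) wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, dnskey, digest_type=2):
    """Derive (key_tag, algorithm, digest_type, digest_hex) from a DNSKEY tuple."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), dnskey[2], digest_type, digest

def check_ds(owner, dnskey, ds):
    """Return a list of mismatches between a DS and a DNSKEY; empty means they agree."""
    tag, alg, digest_type, digest_hex = ds
    if digest_type not in DIGESTS:
        return [f"unsupported digest type {digest_type}"]
    want = make_ds(owner, dnskey, digest_type)
    problems = []
    if not dnskey[0] & 0x0001:
        problems.append("DNSKEY is not flagged as a key-signing key (SEP bit unset)")
    if tag != want[0]:
        problems.append(f"key tag {tag} != {want[0]}")
    if alg != want[1]:
        problems.append(f"algorithm {alg} != {want[1]}")
    if digest_hex.replace(" ", "").upper() != want[3]:
        problems.append("digest does not match the DNSKEY")
    return problems

# Constructed sample: 64 placeholder bytes standing in for an ECDSA P-256 key.
KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
ZONE = "example.com"

if __name__ == "__main__":
    ds = make_ds(ZONE, KSK)
    print("DS:", *ds)
    print("problems:", check_ds(ZONE, KSK, ds))
```

Running the same check against the DNSKEY actually published in the zone before submitting a DS to the registrar catches copy-paste errors and stale keys left over from a rotation.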

For more on how DNSimple handles DNSSEC, take a look at our support article, or drop us a line if you have more questions - we'd love to help.

Simple, secure DNS management

We're strong supporters of security and privacy on the Web, which is why DNSSEC is included in all DNSimple Subscriptions. It's also why we spent the last four years making sure DNSSEC was fully viable for general availability.

Our commitment to security means you know your domains are safe with us. If you're ready for simple, secure DNS management, coupled with expert-level support, and a robust API, we're ready for you. You can explore our plans, or get in touch if you'd like to talk more about your needs. Want to get started now? Give us a try free for 30 days.


Guillermo Gutiérrez

Father, husband, software developer, amateur cook and baker, coffee enthusiast, maker aficionado, and Oxford comma fan.
