Improving Delegation Changes in Secondary DNS and DNSSEC
The team at DNSimple recently spent time improving delegation handling for both secondary DNS and DNSSEC. We'll talk a bit more about why this is important, how it works, and the history behind this enhancement.
Why is delegation handling important?
Delegation of domains from one set of name servers to another must be done correctly to minimize the chance of downtime on your domain. Some TLD registries have strict checking that won't allow delegation changes to occur unless the zone is configured properly across all name servers.
How does it work?
While you may not see much of a difference in how secondary DNS and DNSSEC work in our web app, we've made a number of behind-the-scenes enhancements.
The key improvements:
- Delegation changes are now asynchronous during secondary DNS and DNSSEC configuration.
- We perform automated verification of DNS settings across all name servers before submitting changes to the TLD registry.
In your domain's control panel, when configuring secondary DNS, this change will be displayed with a warning message and icon next to each name server that has not passed validation.
Once all name servers are successfully verified, meaning your zone's records have been copied into the secondary name servers, the warning message will disappear, and checkboxes will appear next to the secondary name servers.
How did we get here?
Each TLD registry can choose how strict they want to be before allowing a delegation change on a domain. Some registries allow you to make changes that will technically result in your domain partially functioning. Others are more strict, and try to consciously avoid mistakes during a delegation change.
We decided to use DENIC, the .DE TLD registry, as our gold standard for this enhancement. DENIC is fairly strict with delegation changes. They require all name servers to respond properly for your domain before allowing the delegation to change. They also require zones to be signed before allowing a DS record change for the purposes of activating or altering DNSSEC signing.
This change has allowed us to open up DNSSEC support for .DE domains, and secondary DNS delegation in .DE domains now functions as expected. Your changes will be validated in a similar manner for any TLD, giving you even more confidence that your domain will be delegated correctly.
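To make the pre-submission verification concrete, here is an added sketch of such a gate; it is not DNSimple's or DENIC's code. It assumes "respond properly" means every name server answers authoritatively with the same SOA serial, and that a DS change is held until each server publishes a DNSKEY matching the DS (RFC 4034 SHA-256 digest). The function names, name servers and key below are hypothetical.

```python
import base64, hashlib, struct

def wire_name(name):
    """Canonical (lowercase) wire format of a domain name, as RFC 4034 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(key):
    """key = (flags, protocol, algorithm, base64 public key)."""
    flags, protocol, algorithm, pub = key
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pub)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def make_ds(zone, key):
    """DS with digest type 2: SHA-256 over owner name followed by DNSKEY RDATA."""
    rdata = dnskey_rdata(key)
    digest = hashlib.sha256(wire_name(zone) + rdata).hexdigest()
    return (key_tag(rdata), key[2], 2, digest)

def predelegation_failures(zone, observations, ds=None):
    """Reasons to hold the registry change; an empty list means safe to submit."""
    failures, serials = [], set()
    for ns, obs in sorted(observations.items()):
        if obs is None:  # query timed out or was refused
            failures.append(f"{ns}: no response")
            continue
        if not obs["aa"]:
            failures.append(f"{ns}: not authoritative for {zone}")
        serials.add(obs["serial"])
        if ds is not None and ds not in [make_ds(zone, k) for k in obs["dnskeys"]]:
            failures.append(f"{ns}: no DNSKEY matches DS key tag {ds[0]}")
    if len(serials) > 1:
        failures.append(f"SOA serials differ: {sorted(serials)}")
    return failures

# Constructed sample data: hypothetical name servers, not a real key.
ZONE = "example.de"
KSK = (257, 3, 13, base64.b64encode(b"constructed example key bytes 01").decode())
SYNCED = {
    "ns1.primary.example": {"aa": True, "serial": 2024010101, "dnskeys": [KSK]},
    "ns2.secondary.example": {"aa": True, "serial": 2024010101, "dnskeys": [KSK]},
}

if __name__ == "__main__":
    print(predelegation_failures(ZONE, SYNCED, make_ds(ZONE, KSK)))  # → []
```

In practice the observations would be filled from SOA and DNSKEY queries sent directly to each name server, and the change would be retried asynchronously until the failure list is empty.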