Improving Delegation Changes in Secondary DNS and DNSSEC

The team at DNSimple recently spent time improving delegation handling for both secondary DNS and DNSSEC. We'll talk a bit more about why this is important, how it works, and the history behind this enhancement.

Why is delegation handling important?

Delegation of domains from one set of name servers to another must be done correctly to minimize the chance for downtime on your domain. Some TLD registries have strict checking that won't allow delegation changes to occur unless the zone is configured properly across all name servers.

How does it work?

While you may not see much of a difference in how secondary DNS and DNSSEC work in our web app, we've made a number of behind-the-scenes enhancements.

The key improvements:

• Delegation changes are now asynchronous during secondary DNS and DNSSEC configuration.
• We perform automated verification of DNS settings across all name servers before submitting changes to the TLD registry.

In your domain's control panel, when configuring secondary DNS, this change will be displayed with a warning message and icon next to each name server that has not passed validation:

Once all name servers are successfully verified, meaning your zone's records have been copied into the secondary name servers, the warning message will disappear, and checkboxes will appear next to the secondary name servers:

How did we get here?

Each TLD registry can choose how strict they want to be before allowing a delegation change on a domain. Some registries allow you to make changes that will technically result in your domain partially functioning. Others are more strict, and try to consciously avoid mistakes during a delegation change.

We decided to use DENIC, the .DE TLD registry, as our gold standard for this enhancement. DENIC is fairly strict with delegation changes. They require all name servers to respond properly for your domain before allowing the delegation to change. They also require zones to be signed before allowing a DS record change for the purposes of activating or altering DNSSEC signing.

This change has allowed us to open up DNSSEC support for .DE domains, and secondary DNS delegation in .DE domains now functions as expected. Your changes will be validated in a similar manner for any TLD, giving you even more confidence that your domain will be delegated correctly.

Have more questions or want to learn more? We're always happy to help. Take a look at our secondary DNS support article, DNSSEC support article, or drop us a line.

Ready to experience expert-level security for yourself? Trust DNSimple with your domains — give us a try free for 30 days.

Share on Twitter and Facebook

Anthony Eden

I break things so Simone continues to have plenty to do. I occasionally have useful ideas, like building a domain and DNS provider that doesn't suck.