DNSSEC Configuration

DNSSEC (DNS Security Extensions) protects against cache poisoning and provides authentication for DNS responses. This guide covers enabling, configuring, and verifying DNSSEC.

What is DNSSEC?

DNSSEC adds cryptographic signatures to DNS records, providing:

  • Authentication - Verify that DNS responses come from the authoritative source
  • Integrity - Detect whether DNS data has been modified in transit
  • Protection - Let validating resolvers reject forged responses, defeating cache poisoning and man-in-the-middle tampering

Info: DNSSEC does not provide confidentiality (encryption). It only ensures authenticity and integrity.

Enabling DNSSEC

For New Zones

DNSSEC is enabled by default when creating zones:

curl -X POST https://api.wayscloud.services/v1/dns/zones \
  -H "Authorization: Bearer wayscloud_dns_prod_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "example.com",
    "dnssec_enabled": true,
    "default_ttl": 3600
  }'

For Existing Zones

Enable DNSSEC on an existing zone:

curl -X POST https://api.wayscloud.services/v1/dns/zones/zone_abc123/dnssec \
  -H "Authorization: Bearer wayscloud_dns_prod_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true
  }'

Response:

{
  "zone_id": "zone_abc123",
  "dnssec_enabled": true,
  "ds_records": [
    {
      "key_tag": 12345,
      "algorithm": 13,
      "digest_type": 2,
      "digest": "abc123def456789..."
    }
  ],
  "dnskey_records": [
    {
      "flags": 257,
      "protocol": 3,
      "algorithm": 13,
      "public_key": "AwEAAb2..."
    }
  ]
}

DS Records

After enabling DNSSEC, you must add DS (Delegation Signer) records at your domain registrar so that the parent zone publishes them; without them, validating resolvers cannot build a chain of trust to your zone.

Getting DS Records

Retrieve DS records for your zone:

curl -X GET https://api.wayscloud.services/v1/dns/zones/zone_abc123/dnssec \
  -H "Authorization: Bearer wayscloud_dns_prod_YOUR_API_KEY"

Response:

{
  "zone_id": "zone_abc123",
  "domain": "example.com",
  "dnssec_enabled": true,
  "ds_records": [
    {
      "key_tag": 12345,
      "algorithm": 13,
      "digest_type": 2,
      "digest": "abc123def456789abcdef..."
    }
  ]
}

Adding DS Records to Registrar

  1. Log in to your domain registrar (e.g., Namecheap, GoDaddy, Gandi)
  2. Find DNSSEC settings (usually under DNS or Advanced settings)
  3. Add DS record with these values:
    • Key Tag: 12345
    • Algorithm: 13 (ECDSA Curve P-256 with SHA-256)
    • Digest Type: 2 (SHA-256)
    • Digest: abc123def456... (copy full value)
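Before entering DS values at the registrar it is worth confirming that they really correspond to the KSK published in the zone, since a mistyped or stale DS breaks resolution for every validating resolver. The following added example (not WAYSCloud code) derives a DS record from a DNSKEY the way RFC 4034 specifies: the key tag from Appendix B, and the digest over the canonical owner name followed by the DNSKEY RDATA. It takes records in the JSON shape shown in the API responses above, and supports digest types 2 (SHA-256) and 4 (SHA-384) as listed in the DNSSEC Algorithms table in this guide. The sample key bytes are a constructed placeholder, not a real P-256 public key.

```python
# Added example (not WAYSCloud's code): derive and check DS records for a
# DNSKEY as RFC 4034 specifies. Standard library only.
import base64
import hashlib
import struct

# Digest types from the guide's table: 2 = SHA-256 (default), 4 = SHA-384
DIGEST_TYPES = {2: hashlib.sha256, 4: hashlib.sha384}


def owner_name_wire(name: str) -> bytes:
    """Encode an owner name in canonical wire format: lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels if lbl) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """Build DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5):
    sum the RDATA as big-endian 16-bit words and fold the carry back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(dnskey: dict) -> bool:
    """True if the SEP (Secure Entry Point) bit is set, i.e. flags 257 rather than 256."""
    return bool(dnskey["flags"] & 0x0001)


def ds_from_dnskey(owner: str, dnskey: dict, digest_type: int = 2) -> dict:
    """Compute the DS record for a DNSKEY given in the API's JSON shape
    ({"flags", "protocol", "algorithm", "public_key"})."""
    rdata = dnskey_rdata(dnskey["flags"], dnskey["protocol"],
                         dnskey["algorithm"], dnskey["public_key"])
    digest = DIGEST_TYPES[digest_type](owner_name_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": dnskey["algorithm"],
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(owner: str, ds: dict, dnskey: dict) -> bool:
    """True if the DS record (API shape) is the DS of this DNSKEY for this owner name."""
    if ds["digest_type"] not in DIGEST_TYPES:
        return False  # unsupported digest type: cannot verify, so do not trust it
    expected = ds_from_dnskey(owner, dnskey, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and expected["digest"].lower() == ds["digest"].lower())


# Constructed sample KSK (flags 257 = KSK, algorithm 13 = ECDSA P-256/SHA-256).
# The key bytes (00 01 02 03) are a placeholder, not a real P-256 public key.
SAMPLE_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": "AAECAw=="}

if __name__ == "__main__":
    ds = ds_from_dnskey("example.com", SAMPLE_DNSKEY)
    print("KSK:", is_ksk(SAMPLE_DNSKEY))
    print("DS:", ds)
    print("DS matches DNSKEY:", ds_matches_dnskey("example.com", ds, SAMPLE_DNSKEY))
```

Feed `ds_matches_dnskey` the `ds_records` and `dnskey_records` entries from the API response together with the zone's domain; a mismatch means the DS values you are about to publish do not belong to the zone's current KSK, which is exactly the condition that produces SERVFAIL at validating resolvers.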

Common Registrars

Namecheap:

  1. Domain List → Manage → Advanced DNS
  2. DNSSEC tab → Add DS Record
  3. Enter DS record values

GoDaddy:

  1. My Products → Domains → Manage DNS
  2. Additional Settings → Manage DNSSEC
  3. Add DS Record

Gandi:

  1. Domain → DNSSEC → Add Key
  2. Select "DS Record"
  3. Enter values

Cloudflare Registrar:

  1. Domain → Configuration → DNSSEC
  2. Add DS Record
  3. Enter values

DNSSEC Algorithms

WAYSCloud uses modern, secure algorithms:

Algorithm Number   Name                              Description
13                 ECDSA Curve P-256 with SHA-256    Recommended (default)
14                 ECDSA Curve P-384 with SHA-384    High security

Digest Types:

Type   Name      Description
2      SHA-256   Recommended (default)
4      SHA-384   High security

Key Rotation

WAYSCloud automatically rotates DNSSEC keys:

  • ZSK (Zone Signing Key): Rotated every 90 days
  • KSK (Key Signing Key): Rotated every 365 days

Monitoring Key Rotation

Before KSK rotation, you'll receive notifications to update DS records at your registrar:

  1. 30 days before: Email notification with new DS records
  2. 14 days before: Reminder email
  3. 7 days before: Final reminder
  4. Rotation day: New keys activated

Important: Update DS records at your registrar within 7 days of receiving the new DS records to avoid DNSSEC validation failures.

Verifying DNSSEC

Using dig

Check DNSSEC status:

# Check if DNSSEC is enabled
dig +dnssec example.com @grieg.wayscloud.no

# Verify DNSSEC validation
dig +dnssec +multi example.com

# Check DS records
dig +short DS example.com

Expected Output:

; <<>> DiG 9.10.6 <<>> +dnssec example.com
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 3600 IN A 192.0.2.1
example.com. 3600 IN RRSIG A 13 2 3600 ...

;; Query time: 45 msec

Look for:

  • ad flag (Authenticated Data) in flags (set by a validating recursive resolver; an authoritative server queried directly does not set it)
  • RRSIG records in ANSWER section
  • No SERVFAIL status
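The three checks above can be applied mechanically to saved dig output, which is useful in a monitoring job. The following added example (not part of this guide's code) parses the header status, the header flags and the ANSWER section of a dig +dnssec transcript and reports which check failed. The transcripts embedded in it are constructed for the example (the expected output above plus a HEADER line, a SERVFAIL response, and a response from an unsigned zone), and the diagnose mapping to the Troubleshooting sections later in this guide is the example's own.

```python
# Added example (not WAYSCloud's code): apply the "Look for" checks to a
# saved `dig +dnssec` transcript. Standard library only.
import re
from dataclasses import dataclass


@dataclass
class DigResult:
    status: str          # rcode from the HEADER line, e.g. NOERROR or SERVFAIL
    flags: set           # header flags: qr rd ra ad ...
    answer_rrsigs: int   # RRSIG records in the ANSWER section
    answer_records: int  # all records in the ANSWER section


def parse_dig_output(text: str) -> DigResult:
    """Parse the parts of dig output that matter for DNSSEC checks."""
    status, flags, section = "UNKNOWN", set(), None
    rrsigs = answers = 0
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            if m:
                status = m.group(1)
        elif line.startswith(";; flags:"):
            # Header flags only; the EDNS "flags: do" line starts with "; EDNS"
            m = re.match(r";; flags:([^;]*);", line)
            if m:
                flags = set(m.group(1).split())
        elif (m := re.match(r";; (\w+) SECTION:", line)):
            section = m.group(1)
        elif not line.strip() or line.startswith(";"):
            continue  # blank lines and comments carry no records
        elif section == "ANSWER":
            fields = line.split()  # owner ttl class type rdata...
            answers += 1
            if len(fields) > 3 and fields[3] == "RRSIG":
                rrsigs += 1
    return DigResult(status, flags, rrsigs, answers)


def dnssec_checks(result: DigResult) -> dict:
    """The three 'Look for' checks from the guide, each as a boolean."""
    return {
        "ad_flag": "ad" in result.flags,
        "rrsig_in_answer": result.answer_rrsigs > 0,
        "no_servfail": result.status != "SERVFAIL",
    }


def dnssec_validated(result: DigResult) -> bool:
    return all(dnssec_checks(result).values())


def diagnose(result: DigResult) -> str:
    """Point a failed check at the matching Troubleshooting section of the guide."""
    checks = dnssec_checks(result)
    if not checks["no_servfail"]:
        return "SERVFAIL: check the DS records at the registrar (see 'SERVFAIL Errors')"
    if not checks["rrsig_in_answer"]:
        return "no RRSIG: zone not signed or still propagating (see 'No RRSIG Records')"
    if not checks["ad_flag"]:
        return "RRSIG present but no ad flag: the resolver did not validate; query a validating resolver"
    return "ok"


# Constructed transcripts (the guide's expected output plus a HEADER line, and two failure cases).
DIG_OK = """\
; <<>> DiG 9.10.6 <<>> +dnssec example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 3600 IN A 192.0.2.1
example.com. 3600 IN RRSIG A 13 2 3600 ...

;; Query time: 45 msec
"""

DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com. IN A

;; Query time: 120 msec
"""

DIG_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com. 3600 IN A 192.0.2.1

;; Query time: 30 msec
"""

if __name__ == "__main__":
    for name, text in [("ok", DIG_OK), ("servfail", DIG_SERVFAIL), ("unsigned", DIG_UNSIGNED)]:
        print(name, dnssec_checks(parse_dig_output(text)), diagnose(parse_dig_output(text)))
```

In practice pipe the live output into it (for example dig +dnssec example.com | python3 check.py with a small stdin wrapper); the important design point is that the ad flag is read from the header line only, so the do bit in the EDNS pseudosection is never mistaken for a validation result.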

Using Online Tools

Verisign DNSSEC Debugger:

https://dnssec-debugger.verisignlabs.com/example.com

DNSViz:

https://dnsviz.net/d/example.com/dnssec/

DNSSEC Analyzer:

https://dnssec-analyzer.verisignlabs.com/example.com

Using Python

import dns.flags
import dns.resolver


def verify_dnssec(domain):
    """Check whether a domain publishes DNSKEY and DS records.

    This is a presence check: it confirms the zone is signed and has a
    secure delegation, but it does not validate the signatures itself.
    """
    try:
        # Request DNSSEC records (DO bit set) with a 4096-byte EDNS buffer
        resolver = dns.resolver.Resolver()
        resolver.use_edns(0, dns.flags.DO, 4096)

        # Get DNSKEY records from the zone
        dnskey_answer = resolver.resolve(domain, 'DNSKEY')

        # Get DS records from the parent
        ds_answer = resolver.resolve(domain, 'DS')

        print(f"DNSSEC is enabled for {domain}")
        print(f"DS Records: {len(ds_answer)}")
        print(f"DNSKEY Records: {len(dnskey_answer)}")

        return True

    except dns.resolver.NoAnswer:
        print(f"DNSSEC not enabled for {domain}")
        return False
    except Exception as e:
        print(f"Error checking DNSSEC: {e}")
        return False


# Usage
verify_dnssec('example.com')

Disabling DNSSEC

Warning: Disabling DNSSEC can make your domain vulnerable to DNS attacks. Only disable it if absolutely necessary.

curl -X POST https://api.wayscloud.services/v1/dns/zones/zone_abc123/dnssec \
  -H "Authorization: Bearer wayscloud_dns_prod_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": false
  }'

Important: After disabling DNSSEC:

  1. Remove DS records from your registrar immediately
  2. Wait 48 hours for changes to propagate
  3. Failure to remove DS records will cause DNS resolution failures

Troubleshooting

SERVFAIL Errors

Symptom: DNS queries return SERVFAIL status

Causes:

  • DS records not added to registrar
  • Incorrect DS records at registrar
  • DS records not yet propagated

Solution:

  1. Verify DS records at registrar match API response
  2. Wait up to 48 hours for propagation
  3. Check using dig +dnssec example.com

Validation Failures

Symptom: DNSSEC validation fails

Causes:

  • Old DS records after key rotation
  • Clock skew on resolver
  • Incorrect DNSSEC configuration

Solution:

  1. Update DS records at registrar
  2. Clear DNS cache: sudo systemd-resolve --flush-caches
  3. Test with multiple resolvers (Google DNS, Cloudflare DNS)

No RRSIG Records

Symptom: No RRSIG records in DNS responses

Causes:

  • DNSSEC not enabled on zone
  • DNSSEC still propagating (wait up to 1 hour)

Solution:

  1. Verify DNSSEC is enabled: GET /v1/dns/zones/{zone_id}/dnssec
  2. Wait 1 hour for DNSSEC to propagate
  3. Query directly from WAYSCloud nameservers

Best Practices

1. Monitor DS Record Expiration

Set up monitoring for DS record rotation notifications:

def check_ds_records_expiration(api, zone_id, current_key_tag, alert_team):
    """Check whether the zone's DS records still match the key tag last
    published at the registrar.

    api and alert_team are the SDK client and alerting hook used in this
    guide (assumed to exist in your environment).
    """
    zone = api.get_zone_dnssec(zone_id)

    for ds in zone['ds_records']:
        # A new key_tag means a KSK rotation has produced new DS records
        if ds['key_tag'] != current_key_tag:
            alert_team("DS records need updating at registrar")
            return True
    return False

2. Test Before Enabling

Test DNSSEC on a non-critical domain first:

  1. Enable DNSSEC on test domain
  2. Add DS records to registrar
  3. Verify with DNSSEC tools
  4. Monitor for 7 days
  5. Roll out to production domains

3. Automate DS Record Updates

For registrars with APIs, automate DS record updates:

def update_ds_records_at_registrar(domain, zone_id, api, registrar_api):
    """Update DS records at the registrar via its API.

    api is the WAYSCloud SDK client and registrar_api your registrar's
    client (both assumed to be configured in your environment).
    """
    # Get current DS records from WAYSCloud
    zone = api.get_zone_dnssec(zone_id)

    # Update at registrar (example for supported registrars)
    registrar_api.update_ds_records(
        domain=domain,
        ds_records=zone['ds_records']
    )
    return zone['ds_records']

4. Regular Validation

Regularly validate DNSSEC:

#!/bin/bash
# dnssec-check.sh - usage: ./dnssec-check.sh [domain]

DOMAIN="${1:-example.com}"

# Check DNSSEC status: a DS record set at the parent means the delegation is signed
if dig +short DS "$DOMAIN" | grep -q .; then
    echo "✓ DS records present"
else
    echo "✗ DS records missing"
    exit 1
fi

# Verify signatures: the resolver must return RRSIG records alongside the data
if dig +dnssec "$DOMAIN" | grep -q RRSIG; then
    echo "✓ DNSSEC signatures present"
else
    echo "✗ DNSSEC signatures missing"
    exit 1
fi

echo "✓ DNSSEC validation passed"

Next Steps