Do you support DNSSEC?
Posted by Devon Roberts on 15 May 2015 05:12 PM

DNS Made Easy supports DNSSEC on Secondary DNS; however, because of key management, DNSSEC is currently in development on our Managed DNS service. Key management is a crucial component of DNSSEC, so much so that it can cause resolution failures if it is not properly implemented. Key creation, rotation and verification for Key Signing Keys and Zone Signing Keys must be implemented in such a way as to ensure automated transitioning to new keys and to ensure that valid keys exist on the authoritative name servers as well as the TLD name servers. After seeing others in the Managed DNS space fail to properly maintain these processes, we have been very careful in approaching this difficult task.

For now, from a liability standpoint, we are leaving it to our clients to maintain key management processes, while still fully supporting all DNSSEC record types through our Secondary DNS service. Key management would have to be maintained on separate external primary name servers and then supported through our Secondary DNS service. Many modern authoritative name server software packages support DNSSEC key generation and signing.

In summary, for DNSSEC to be implemented through our Secondary DNS servers, at least one master server is required (multiple master servers are preferred for redundancy). It must run authoritative name server software (such as ISC BIND) and have DNSSEC signing and management tools.
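
The requirement above that valid keys exist on both the authoritative name servers and the TLD name servers can be checked by comparing the DS record held by the parent with the DNSKEY set the zone serves. The Python sketch below is an added example, not DNS Made Easy code; the zone name and key bytes are constructed, and it assumes SHA-256 (digest type 2) DS records only.

```python
import hashlib
import struct

def owner_wire(name):
    """Canonical (lowercase) wire form of the owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, digest hex)."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_has_matching_key(owner, ds, served_dnskeys):
    """True if the parent's DS points at a zone key the zone actually serves."""
    tag, algorithm, digest_type, digest = ds
    if digest_type != 2:          # this sketch only handles SHA-256 digests
        return False
    for rdata in served_dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & 0x0100:    # Zone Key bit must be set
            continue
        if make_ds(owner, rdata) == (tag, algorithm, 2, digest.lower()):
            return True
    return False

# Constructed sample keys (byte patterns, not real public keys).
ZONE = "example.com."
OLD_KSK = dnskey_rdata(257, 3, 13, b"\x01" * 64)
NEW_KSK = dnskey_rdata(257, 3, 13, b"\x02" * 64)
ZSK = dnskey_rdata(256, 3, 13, b"\x03" * 64)
PARENT_DS = make_ds(ZONE, OLD_KSK)   # what the TLD still publishes

if __name__ == "__main__":
    for label, keys in [("before rollover", [OLD_KSK, ZSK]),
                        ("old KSK removed too early", [NEW_KSK, ZSK]),
                        ("both KSKs published", [OLD_KSK, NEW_KSK, ZSK])]:
        print(label, "->", ds_has_matching_key(ZONE, PARENT_DS, keys))
```

The middle case is the resolution failure the article warns about: the parent's DS still references the old Key Signing Key after the zone has stopped serving it, so validating resolvers cannot build a chain of trust.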
