DNSSEC Compatibility

Azion’s Edge platform is compliant with the DNS Security Extensions (DNSSEC) specification, so DNSSEC can be used with the sites and applications Azion accelerates. DNSSEC uses digital signatures to provide cryptographic origin authentication of DNS data, authenticated denial of existence, and data integrity. By verifying the signature that accompanies a DNS record (A, AAAA, CNAME, PTR, etc.), a validating resolver can confirm that the record was published by the holder of the zone’s signing key, that is, by the authoritative side, and that its content has not been altered in transit or in a cache.

Unlike HTTPS, which adds encryption on top of HTTP, DNSSEC does not provide confidentiality. Responses, signatures and public keys travel in plain text, as the DNS protocol specifies, and remain cacheable, so the service’s high performance is preserved. DNSSEC protects the authenticity and integrity of the data, not who can read it.

For DNSSEC to be effective, three things must be in place: (a) the registry of your domain’s top-level domain (TLD) must support DNSSEC; (b) your zone must be signed and published with the DNSSEC-related resource records; and (c) the DS record must be registered through your domain registrar, so that the parent zone delegates trust to yours. Only when all three hold does a validating resolver actually verify your zone; until then, validation is simply not performed.

Hosting a DNSSEC zone with Azion

When Azion is responsible for publishing your zone with DNSSEC (authoritative DNS) as part of your contracted services, the new records (RRs, Resource Records) are added to the existing ones, and Azion provides the information needed for the delegation: the DS record (a digest of the zone’s key-signing DNSKEY, together with its key tag, the signing algorithm and the digest type) and the addresses of the DNS servers. With that information you can activate DNSSEC at your domain registrar (for example, registro.br), which publishes the DS in the parent zone and thus establishes the chain of trust.

Each DNS zone has a public/private key pair. The private key signs the zone’s DNS data, producing digital signatures over it, and is kept secret. The public key is published in the zone itself, as a DNSKEY record, so that anyone can retrieve it to verify those signatures.

To enable signature verification, DNSSEC requires the administration of new Resource Records (RRs) in addition to those already in use:

DNSKEY contains the public key used for verification.

DS (Delegation Signer) contains a hash (digest) of a DNSKEY record. It is published in the parent zone (for a second-level domain, by the TLD registry) rather than in your own zone, and a validating resolver uses it to confirm that the child zone’s DNSKEY is the one the parent vouches for.

RRSIG contains the digital signature of a record set.

NSEC and NSEC3 make it possible to prove that a queried record does not exist (authenticated denial of existence), preventing a malicious actor from forging a “no such name” response. NSEC3 additionally hashes the owner names so that the zone’s contents cannot be trivially enumerated by walking the chain.
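As an added example (not Azion’s code or documentation), the following stdlib-only Python shows how the DS record described above is derived from a DNSKEY, and how a validating resolver checks that the DS published by the parent matches the key in the child zone. The owner name example.com and the DNSKEY bytes are constructed placeholders: the key is not a real curve point, and the DS it produces has no meaning outside this script.

```python
"""DS derivation and delegation check, following RFC 4034 (s5.1.4, s6.2,
Appendix B). Added illustration; the DNSKEY below is a constructed placeholder."""
import hashlib
import hmac
import struct

ZONE_KEY_FLAG = 0x0100  # bit 7: a DNSKEY without it must not validate RRsets (RFC 4034 s2.1.1)
SEP_FLAG = 0x0001       # bit 15: Secure Entry Point, conventionally set on the KSK

# DS digest types: 1 = SHA-1, 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the empty root label (RFC 4034 s6.2)."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label {label!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B). Not a hash,
    only a 16-bit checksum used to pick candidate keys quickly."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """digest(owner name in canonical wire form || DNSKEY RDATA), uppercase hex."""
    return DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """The (key tag, algorithm, digest type, digest) tuple the parent zone
    publishes; this is what you hand to the registrar."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_presentation(owner, ds):
    """Zone-file form of a DS record."""
    tag, alg, dtype, digest = ds
    return f"{owner.rstrip('.')}. IN DS {tag} {alg} {dtype} {digest}"


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key) -> bool:
    """What a validating resolver does at a delegation: recompute the DS
    from the child's DNSKEY and compare it with the parent's DS. If no
    DNSKEY in the zone matches any DS, the zone is bogus and the resolver
    answers SERVFAIL."""
    tag, alg, dtype, digest = ds
    if not flags & ZONE_KEY_FLAG or protocol != 3:
        return False
    if dtype not in DIGEST_ALGORITHMS or alg != algorithm:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    if key_tag(rdata) != tag:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), digest.upper())


# Constructed placeholder KSK: flags 257 (zone key + SEP), algorithm 13
# (ECDSAP256SHA256, whose public key is 64 bytes). The bytes are NOT a
# valid curve point; they only exercise the encoding.
EXAMPLE_OWNER = "example.com."
EXAMPLE_FLAGS, EXAMPLE_PROTO, EXAMPLE_ALG = ZONE_KEY_FLAG | SEP_FLAG, 3, 13
EXAMPLE_PUBKEY = bytes([0x11]) * 64


if __name__ == "__main__":
    ds = ds_record(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTO, EXAMPLE_ALG, EXAMPLE_PUBKEY)
    print(ds_presentation(EXAMPLE_OWNER, ds))
    # The genuine key matches; a key with a single byte changed does not,
    # because the parent's DS no longer vouches for it.
    print(ds_matches_dnskey(ds, EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTO, EXAMPLE_ALG, EXAMPLE_PUBKEY))
    tampered = bytes([0x12]) + EXAMPLE_PUBKEY[1:]
    print(ds_matches_dnskey(ds, EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTO, EXAMPLE_ALG, tampered))
```

In practice you would obtain the real key with `dig DNSKEY example.com +dnssec`, run the computation above on it, and compare the result with `dig DS example.com` as served by the parent, both before and after touching the delegation. A DS that matches no DNSKEY in the zone is exactly the failure mode that turns a signed zone into SERVFAIL at validating resolvers.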

General recommendations and considerations

  • Before you contract the service, make sure that the TLD registry supports DNSSEC;
  • A few days before the scheduled change, reduce the TTLs of the zone being moved, and use a TTL of a few minutes on the DNSSEC records (DS and DNSKEY) so that a rollback, if needed, takes effect quickly. Keep in mind that a DS in the parent zone that matches no DNSKEY in your zone makes validating resolvers treat the zone as bogus and answer SERVFAIL, so never remove the key a published DS points to until the replacement DS has been published and the old one has expired from caches;
  • The new settings only take effect after the TLD registry publishes its next zone update;
  • Global propagation and visibility of the change depend on third-party resolvers refreshing their caches, which can take days.

To host a zone with DNSSEC at Azion, please contact our team.
