Ben Lin

Configuring DNSSEC in Fast DNS

Blog Post created by Ben Lin Employee on Nov 30, 2017

DNSSEC (DNS Security Extensions) is a set of specifications designed to protect applications from using forged or manipulated DNS data, by allowing zone administrators to digitally sign zone data using public key cryptography. Fast DNS is Akamai's Internet-scale authoritative DNS service, designed to withstand DNS-based DDoS attacks and to answer DNS queries quickly. Fast DNS also supports DNSSEC-enabled queries. This post shows you how to enable DNSSEC for Fast DNS in the Akamai Luna portal.

This procedure assumes that you will create a new Fast DNS zone in Luna and that you will be using the "Sign and Serve" method for DNSSEC. The benefit of "Sign and Serve" is that you offload DNSSEC support to Akamai, which uses its existing Key Management Infrastructure (KMI) for the Zone Signing Key (ZSK) and Key Signing Key (KSK). When using Sign and Serve, Akamai's name servers must be the exclusive authoritative name servers for the zone.

From the Luna menu select Configure -> Fast DNS / Configuration, then click ADD ZONES, which opens the Add Zones screen.

The Zone Type is set to Primary, which means this configuration will use the Luna portal or the Open APIs (https://developer.akamai.com/api/luna/config-dns/overview.html) to create Resource Records. Alternatively, you can set it to Secondary, which means that the Resource Records will be populated by DNS zone transfers from your primary DNS server. If you configure DNSSEC in Secondary mode, TSIG must be enabled to secure the zone transfers.

Click the check box for "Sign and Serve DNSSEC" to enable this functionality.

DNSSEC Algorithm presents three options:

1. RSA-SHA1 - (7). This is not recommended as it is no longer considered secure.

2. RSA-SHA256 - (8). This is the recommended algorithm.

3. RSA-SHA512 - (10).

This configuration uses RSA-SHA256 - (8). Note that once the algorithm is configured, changing it is not self-serviceable and requires Akamai to make the change.

Enter the zones to be configured in the Zones: box.

Click Submit.

The next screen shows the DS record associated with your zone and the DNSSEC-specific alerts that can be enabled. It will take 30-60 minutes for the KMI to generate the keys.

The DNSSEC alerts are:

  • Authorities for Zone do not point to Akamai: This alert notifies you when the NS records handed out by the parent zone's authoritative servers do not point to Akamai DNS nameservers.
  • Authorities incompatible with Sign&Serve DNSSEC: This alert notifies you when some of the NS records handed out by the parent zone's authoritative servers do not point to Akamai DNS nameservers.
  • No DS record in parent zone: This alert notifies you when there is no DS record handed out by the parent zone.
  • DS record points to wrong DNSKEY record: This alert notifies you when the DS record handed out by the parent zone does not point to the correct DNSKEY record for the zone. DNS resolvers with DNSSEC validation enabled could fail to resolve names in the zone, resulting in denial of service.
  • DS record points to old DNSKEY record: This alert notifies you when a key signing key (KSK) rotation is in progress for the zone, and the DS record handed out by the parent zone points to the old DNSKEY record.

You can validate that DNSSEC is working by running dig against one of the assigned name servers:

dig @{one of the assigned name servers} {a record in the zone} +dnssec

The name servers assigned to your account are listed at the bottom of the Fast DNS configuration home screen.
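As an added example (not part of the original post and not Akamai code), here is a small Python check that reads the text dig prints for the query above and reports whether the answer carries RRSIG records. The dig output embedded in it is constructed; the server name, address, dates, key tag and signature bytes are placeholders. One thing the check makes explicit: when you query an authoritative name server directly, as above, you should see an RRSIG for each answered type, but the "ad" flag is set only by a validating recursive resolver, so its absence in that output is not a failure.

```python
"""Read the text printed by ``dig ... +dnssec`` and report whether the answer
is signed.  Added example, not code from the original post or from Akamai."""

import re

# Constructed sample of ``dig @<assigned name server> www.example.com +dnssec``
# against a signed zone.  Server name, address, dates, key tag and signature
# bytes are placeholders, not real Akamai data.
SIGNED_ANSWER = """\
; <<>> DiG 9.16.1 <<>> @ns-placeholder.example.net www.example.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.example.com.\t\tIN\tA

;; ANSWER SECTION:
www.example.com.\t300\tIN\tA\t192.0.2.10
www.example.com.\t300\tIN\tRRSIG\tA 8 3 300 20171231000000 20171201000000 4242 example.com. QUJDREVGR0g=

;; Query time: 12 msec
"""

# Same query against a zone that is not signed: the A record comes back alone.
UNSIGNED_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.example.com.\t300\tIN\tA\t192.0.2.10
"""

# What a validating recursive resolver returns for the signed zone: the same
# records plus the "ad" (authenticated data) flag in the header.
VALIDATED_ANSWER = SIGNED_ANSWER.replace("flags: qr aa rd;", "flags: qr rd ra ad;")


def analyze_dig_output(text):
    """Summarise one dig response: status, header flags, EDNS DO bit, and
    which answer types carry an RRSIG."""
    status = None
    header_flags = set()
    do_bit = False
    answer_types = set()
    rrsig_types = set()
    section = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            # ";; flags: qr aa rd; QUERY: 1, ..." -> {"qr", "aa", "rd"}
            header_flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith("; EDNS:"):
            m = re.search(r"flags:([^;]*);", line)
            do_bit = bool(m) and "do" in m.group(1).split()
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]
        elif section == "ANSWER" and line and not line.startswith(";"):
            fields = line.split()          # owner ttl class type rdata...
            if len(fields) >= 5:
                if fields[3] == "RRSIG":
                    rrsig_types.add(fields[4])   # the "type covered" field
                else:
                    answer_types.add(fields[3])
    return {
        "status": status,
        "ad": "ad" in header_flags,
        "do": do_bit,
        "answer_types": answer_types,
        "rrsig_types": rrsig_types,
        # Signed when every answered type has a covering RRSIG.
        "signed": bool(answer_types) and answer_types <= rrsig_types,
    }


def verdict(text):
    """One-line reading of the response for the DNSSEC check in the post."""
    r = analyze_dig_output(text)
    if r["status"] != "NOERROR":
        return f"query failed: {r['status']}"
    if not r["do"]:
        return "DO bit not set: run dig with +dnssec"
    if not r["signed"]:
        return "no RRSIG in answer: zone is not being served signed"
    if r["ad"]:
        return "signed and validated (ad)"
    return "signed (authoritative answer, no ad flag expected)"


if __name__ == "__main__":
    for label, sample in (("authoritative", SIGNED_ANSWER),
                          ("unsigned", UNSIGNED_ANSWER),
                          ("validating resolver", VALIDATED_ANSWER)):
        print(f"{label}: {verdict(sample)}")
```

Pipe real dig output into analyze_dig_output (for example by reading it from standard input) to reuse the same checks; the rule it applies is that the query must carry the DO bit, the status must be NOERROR, and every type in the answer section must have a matching RRSIG.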

The next step is to configure the DNSSEC attributes with your registrar. In this example I'll illustrate how to do this with GoDaddy.

After logging into GoDaddy, select the domain you want to set up and then select Manage DNS. Under Advanced Features, select DNSSEC.

Then select ADD.

The following screen needs the DS record data generated for the zone, which can be found in Luna (see above).

Click Update.

It will take some time for the Registrar to update the registry. Once this is done you can test for the existence of the DS record at the Registrar:

dig @{one of the top-level name servers for the respective gTLD} {a record in the zone} +dnssec
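Added example, not code from the original post or from Akamai: the DS record that Luna displays, and that you paste into the registrar's DNSSEC form, is derived from the zone's KSK DNSKEY as specified in RFC 4034 (key tag and DS RDATA) and RFC 4509 (SHA-256 digest, digest type 2). The Python below recomputes a DS from a DNSKEY in presentation format and checks a published DS against it, which is the same comparison the "DS record points to wrong DNSKEY record" alert makes between the parent's DS and your DNSKEY. The DNSKEY line it ships with is a constructed toy key with a four-byte public key, not a real key; with a real zone you would feed it the DNSKEY record your assigned name servers return and the DS returned by the TLD servers.

```python
"""Recompute a DS record from a DNSKEY and verify a published DS against it.
Added example (RFC 4034 key tag and DS RDATA, RFC 4509 SHA-256 digest);
not code from the original post or from Akamai."""

import base64
import hashlib
import struct

DS_DIGEST_SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA = Flags(2) | Protocol(1) | Algorithm(1) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, public_key):
    """DS fields (key_tag, algorithm, digest_type, digest_hex) for one DNSKEY.

    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, DS_DIGEST_SHA256, digest


def parse_dnskey_line(line):
    """Parse 'owner TTL IN DNSKEY flags protocol algorithm base64...' (one line)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, protocol, algorithm, public_key


def ds_matches_dnskey(ds, dnskey_line):
    """True when the DS (key_tag, algorithm, digest_type, digest_hex) is the
    SHA-256 DS of this DNSKEY, which is what the parent's DS must satisfy."""
    owner, flags, protocol, algorithm, public_key = parse_dnskey_line(dnskey_line)
    expected = ds_record(owner, flags, protocol, algorithm, public_key)
    return (int(ds[0]), int(ds[1]), int(ds[2]), ds[3].upper()) == expected


# Constructed toy KSK: flags 257 (KSK), protocol 3, algorithm 8 (RSA-SHA256),
# four-byte "public key" 01 02 03 04.  Not a real key.
TOY_KSK = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(*parse_dnskey_line(TOY_KSK))
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
    print("parent DS matches:", ds_matches_dnskey((tag, alg, dtype, digest), TOY_KSK))
```

The comparison is deliberately over all four DS fields: a DS whose key tag or algorithm number matches but whose digest does not will still trip validating resolvers, which is the denial-of-service outcome the alert list warns about.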