DNSSEC Management

What Is DNSSEC?

DNSSEC attaches a digital signature to DNS record data so that resolvers can verify the data has not been tampered with. This service supports DNSSEC and performs all tasks required for DNSSEC operation automatically, except for DS record updates and KSK rollover.

[ Reference ]

If you use the Domain Management Service, DS records are also updated automatically. You do not have to take care of any operations manually.

If you use a different company’s service for domain management, you will need to register DS records through the registrar. For information on how to register DS records, contact your registrar (designated business operator).

If your registrar (designated business operator) supports CDS records, DS records are updated automatically by referencing the registered CDS records. You do not have to update DS records yourself.

To find out whether your registrar supports CDS records, contact your registrar (designated business operator).

DNSSEC signing is performed automatically by default. Note, however, that DNSSEC validation does not actually take effect until you register DS records with the higher zone.

[ Note ]

Although this service can be used without registering DS records, DNSSEC validation is not possible in that case. If you do not intend to register DS records, we recommend disabling the DNSSEC signature setting.

DNSSEC Signature Settings

The default setting is "Enabled."

However, even though the setting is "Enabled," this does not necessarily mean that you can conduct DNSSEC validation immediately. The DNSSEC status shown below must be "Enabled."

DNSSEC Status

The current DNSSEC status is displayed. The possible statuses are listed in the table below. When you change the setting from Disabled to Enabled or from Enabled to Disabled, you must register or delete the corresponding DS records in the higher zone. The status remains "Enabling" (or "Disabling") and does not move on to the next status until the registration or deletion has been confirmed. Refer to "Updating DS Records" for details on registering and deleting DS records.

The last two columns show whether the DNSSEC Signature Setting can be changed from Enabled to Disabled, or from Disabled to Enabled, while the zone is in that status.

Status           | Use signature  | Validation   | DS record      | Enabled → Disabled | Disabled → Enabled
-----------------|----------------|--------------|----------------|--------------------|-------------------
Unpublished Zone | Does not exist | Not possible | Does not exist | Not possible       | -
Disabled         | Does not exist | Not possible | Does not exist | -                  | Possible
Enabling         | Exists         | Not possible | Exists         | Possible           | -
Enabled          | Exists         | Possible     | Exists         | Possible           | -
Disabling        | Exists         | Possible     | Exists         | -                  | Not possible

Description of each status:

Unpublished Zone: You are still in the period before the first day of use after concluding a contract. When the zone is published, the status automatically transitions to "Enabling."

Disabled: The zone has not been signed yet. The status transitions to "Enabling" when the signature setting is changed to "Enabled."

Enabling: The status is being changed from Disabled to Enabled. DS records are registered during this time, and the status transitions to "Enabled" after a certain amount of time has passed.

Enabled: DNSSEC is enabled. The status transitions to "Disabling" when the DNSSEC signature setting is changed to "Disabled."

Disabling: The status is being changed from Enabled to Disabled. DS records are deleted during this time, and the status transitions to "Disabled" after a certain amount of time has passed. Note that you cannot cancel the process (return to Enabled) once it is under way.

[ Note ]

  • In the above table, if "Exists" is set in the "DS record" field, a DS record is registered (or may be registered) in the registrar (designated business operator). If a DNSSEC signature is removed while a DS record is registered, name resolution cannot be performed from the cache server with the DNSSEC validation enabled.
  • This does not happen when you simply switch the DNSSEC Signature Setting between Enabled and Disabled. However, if you change the name server (by changing NS records or applying to the registrar (designated business operator) for a name server change) while the signature setting is "Enabled," name resolution fails, because validating resolvers cannot obtain a valid signature from the new name server. Do not change the name server while DS records exist (i.e., while the status is Enabling, Enabled or Disabling).
  • Enabling/Disabling takes a few days. Leave time in the schedule for disabling DNSSEC.

KSK Rollover

The longer a single DNSSEC signing key remains in use, the greater the chance that it can be analyzed, so we recommend updating it periodically.

In this section you can update the KSK (Key Signing Key) for all types of DNSSEC signing key.

[ Reference ]

KSK rollover is not performed automatically. We recommend executing it manually at intervals of one year to several years.

It takes a few days at the earliest to complete a KSK rollover operation.

  1. Click "KSK Rollover."
  2. Click "Rollover."

     The rollover operation starts. Name resolution and signature validation are not affected during a rollover operation.

[ Note ]

  • Updating DS Records is required during a KSK rollover operation. If DS records have not been updated for ten days since DS record updating became possible, KSK rollover will be cancelled and the previous KSK will continue to be used.
  • Regarding a ZSK (Zone Signing Key), rollover is performed automatically in the system, so you do not have to do anything.

Updating DS Records

For domains that do not use the "Domain Management Service," a message that prompts updating of DS records will appear soon after you change DNSSEC signature settings or start KSK rollover.

Operation        | DS record update                                                                     | Details
-----------------|--------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------
Enabling DNSSEC  | Registering DS records                                                               | Register the displayed DS records with the higher name server.
Disabling DNSSEC | Deleting DS records                                                                  | Delete all the registered DS records from the higher name server.
KSK Rollover     | Updating DS records (deleting the registered DS records and registering new ones)    | Delete all the registered DS records from the higher name server, then register the displayed DS records.

If you use our Domain Management Service, the above message is still displayed, but DS records are updated automatically. You do not have to perform any operations manually.

If you use another registrar (designated business operator) that supports CDS records, DS records are updated automatically by referencing the CDS records registered with this service. You do not have to update DS records yourself.

To find out whether your registrar supports CDS records, contact your registrar (designated business operator).

[ Note ]

  • Unless a DS record is registered/deleted, the status will not change from "Enabling (Disabling)." If DS records have not been updated for ten days since DS record updating became possible, KSK rollover will be cancelled and the previous KSK will continue to be used.
  • Do not change the name server (do not change NS records or apply to the registrar (designated business operator) for a change of name server) while DS records are registered. Name resolution becomes unavailable from the cache server with the DNSSEC validation enabled.

Using CDS Records

This service supports CDS (child DS) records.

A CDS record is automatically registered with the zone when enabling or disabling DNSSEC is required or updating DS records is required in a KSK rollover operation. When the domain registry or the registrar supports CDS records, you do not have to perform any DS record update operations because DS records are updated automatically by referencing the registered CDS record. To find out whether the domain registry or the registrar supports CDS records, contact your registrar (designated business operator).

In addition, when the DNSSEC status of a contracted zone is "Enabled" and the zone contains a subdomain whose authority is properly delegated, the subdomain is checked periodically for CDS records. If CDS records exist and their contents are valid, DS records for the subdomain are registered automatically in the contracted zone.

Refer to RFC 8078 for more information on CDS records.

[ Reference ]

After registration of a CDS record, it may take a few hours to a few days before DS records are registered.

CDNSKEY is not referenced in this service.
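The following Python is an added example (not this service's own code) that ties together the DS update table in "Updating DS Records" and the CDS behaviour described in this section: it computes the DS record (key tag and SHA-256 digest, per RFC 4034) that the higher zone must publish for a DNSKEY, and decides from a child's CDS set whether the parent's DS set must be registered, replaced (KSK rollover) or deleted (the RFC 8078 "CDS 0 0 0 00" delete request). The DNSKEY, owner name and function names are constructed for the example and are not taken from the page.

```python
# Added example (not the service's own code): compute the DS a parent must publish
# from a child's DNSKEY, and decide which DS update a CDS set requests.
import base64
import hashlib

# Constructed sample KSK (not a real key): flags 257 (KSK), protocol 3,
# algorithm 13 (ECDSAP256SHA256); 64 arbitrary bytes stand in for the public key.
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()
CDS_DELETE = (0, 0, 0, "00")  # RFC 8078 section 4: asks the parent to remove all DS records

def owner_wire(name: str) -> bytes:
    """Owner name in canonical wire form (lowercase, length-prefixed labels), RFC 4034 section 6.2."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """DS RDATA (key tag, algorithm, digest type 2, hex digest) for the parent to publish.
    Digest = SHA-256(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def required_action(cds_set, parent_ds_set):
    """Compare the child's CDS set with the parent's DS set. Returns ("delete", DS to remove, set())
    for a CDS delete request (disabling DNSSEC), ("none", set(), set()) when the parent already
    matches, otherwise ("update", DS to remove, DS to add) (enabling DNSSEC or a KSK rollover)."""
    cds_set, parent_ds_set = set(cds_set), set(parent_ds_set)
    if cds_set == {CDS_DELETE}:
        return ("delete", parent_ds_set, set())
    to_remove, to_add = parent_ds_set - cds_set, cds_set - parent_ds_set
    return ("update" if to_remove or to_add else "none", to_remove, to_add)

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_PUBKEY_B64)
    print("DS to register with the higher zone:", ds)
    print("Action for a CDS delete request:", required_action({CDS_DELETE}, {ds}))
```

Comparing the DS the parent actually serves against the output of ds_from_dnskey for the zone's current KSK is a quick way to confirm a DS update has landed before the status is expected to leave "Enabling" or "Disabling."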