DNSSEC

DNSSEC is an extension to DNS which allows DNS zones and records to be cryptographically signed. DNS resolvers and clients can then use these signatures to verify that records are correct and haven't been manipulated or spoofed in forwarding, e.g. through DNS cache poisoning.

The CyberEdge's DNS service can validate DNS records with DNSSEC as part of responding to DNS queries. DNSSEC validation can be configured on the Services > DNS page of the CyberEdge management UI.

The DNSSEC Validation field has three configuration options:

  • Do not validate: The CyberEdge will not do any DNSSEC validation of DNS records when responding to queries. This is currently the recommended setting, as DNSSEC can cause some issues if misconfigured on important zones.

  • Validate for DNSSEC-aware clients: The CyberEdge will use DNSSEC to validate DNS records if the DNS client is "DNSSEC-aware". A DNSSEC-aware client sets the "DNSSEC OK" ("DO") or "Authenticated Data" ("AD") flag bits in its DNS queries. For queries without these flags set, the CyberEdge will not validate DNSSEC signatures.

  • Always validate: The CyberEdge will validate DNSSEC signatures for all DNS queries, whether they have DNSSEC flags set or not.

If DNSSEC validation fails on a DNS record, i.e. a DNSSEC signature exists for the record but it does not match the record data returned, the CyberEdge will give a DNS "SERVFAIL" response to DNS clients instead of the fetched record data. This is the intended behaviour when DNSSEC validation is active: the CyberEdge prefers returning an error to forwarding DNS data which may have been spoofed or poisoned by a malicious party.
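The following Python script is an added example, not part of the CyberEdge product or its documentation. It builds a DNS query carrying the EDNS0 "DO" bit (the flag that marks a DNSSEC-aware client, as described above) and classifies the resolver's reply by its AD flag and RCODE, so an administrator can confirm that the chosen validation setting behaves as expected: AD set means the answer was validated, SERVFAIL means validation failed and the data was withheld. The reply headers at the bottom are constructed samples for offline checking; the resolver address used with `probe()` is whatever CyberEdge you point it at.

```python
import socket
import struct

# Header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 6891).
AD_BIT = 0x0020          # Authenticated Data: the resolver validated this answer
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2       # the response code a validation failure turns into
DO_BIT = 0x8000          # "DNSSEC OK", carried in the OPT record's TTL field
TXID = 0x1234            # fixed transaction id so replies can be matched

def build_query(name: str, do: bool = True) -> bytes:
    """A/IN query for `name`; with do=True an EDNS0 OPT RR with DO set is appended."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 1 if do else 0)  # RD=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/DO, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0) if do else b""
    return header + question + opt

def parse_response(data: bytes) -> dict:
    """Pull transaction id, RCODE, AD flag and answer count out of a raw reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & RCODE_MASK, "ad": bool(flags & AD_BIT), "answers": an}

def classify(resp: dict) -> str:
    """Map a parsed reply onto the three outcomes the DNSSEC setting can produce."""
    if resp["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL"       # validation failed (or upstream error): data withheld
    if resp["ad"]:
        return "validated"      # resolver validated the signature chain and set AD
    return "unvalidated"        # answer returned without DNSSEC validation

def probe(name: str, server: str, port: int = 53, timeout: float = 3.0) -> str:
    """Send one DO-flagged query over UDP to `server` and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, port))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != TXID:
        raise ValueError("reply transaction id does not match the query")
    return classify(resp)

# Constructed reply headers (header only, no body) for offline checking of the parser.
REPLY_VALIDATED = struct.pack("!HHHHHH", TXID, 0x81A0, 1, 1, 0, 1)  # QR RD RA AD, NOERROR
REPLY_SERVFAIL = struct.pack("!HHHHHH", TXID, 0x8182, 1, 0, 0, 1)   # QR RD RA, RCODE=2
REPLY_PLAIN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 1)      # QR RD RA, AD clear
```

Run `probe("example.com", "<CyberEdge DNS address>")` against a signed zone with each of the three settings; a SERVFAIL on a zone you expect to be healthy is the misconfiguration case described below.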

DNSSEC is quite complex to implement and maintain on a domain, and it's possible for DNSSEC validation to fail on a DNS zone due to misconfiguration by the zone administrator, rather than by malicious action. If this occurs and DNSSEC validation is in effect, it's possible for an important domain to become effectively unreachable by clients.

For this reason, it's recommended that "DNSSEC Validation" be set to "Do not validate" unless system administrators have a good understanding of DNSSEC and are ready to debug issues on important domains if they occur.

Configure DNSSEC

To set your DNSSEC configuration, go to System > DNS > DNS Service:

  1. In DNSSEC validation, select the required option
  2. Click "Save"
  3. Click "Save" and "Apply Changes"

The DNSSEC validation setting applies to all network zones.