DNSSEC Settings

The DNSSEC Settings section allows Administrative users to set default global DNSSEC values. Once set, these values are used for every zone signing, rollover, and re-signing action for every zone in the account.

Users in the following groups have the permissions needed to configure the DNSSEC Settings. Users not in these groups have read-only access to the DNSSEC Settings information.

  • OWNER

  • ADMINISTRATIVE

  • DNS-ADMINISTRATION

  • SECURITY-ADMINISTRATION

The following are the DNSSEC settings that can be configured.

RRSIG Validity

The Resource Record Set Signature (RRSIG) Validity value sets the signature validity interval (in days) used when signing the responses for a zone. The RRSIG validity period limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a Zone Signing Key (ZSK) can use that key only during the Key Signing Key's (KSK's) signature validity interval.

  • If not configured, the default value is 14 (days).

  • Valid values are between 5 and 30 (days).

DNSKEY TTL

The DNSKEY TTL is the Time To Live (TTL), in seconds, that is used for the DNSKEY Resource Record Set (RRSET).

  • If not configured, the default value is 86400 (1 day).

  • Valid values are between 300 and 172800 (5 minutes - 2 days).

Once you have provided values within the acceptable range for each field, click the Save button. Clicking the Reset button restores the previously configured values for each field. Note that this does not replace configured values with the default field values.
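To confirm that a signed zone actually serves records within the RRSIG Validity and DNSKEY TTL ranges described above, the following added example (not part of the original documentation or the product) audits dig-style answer text. The sample records, the audit function name, and the two-hour slack for signers that backdate inception are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Ranges documented on this page.
RRSIG_VALIDITY_DAYS = (5, 30)
DNSKEY_TTL_SECONDS = (300, 172800)

# Constructed sample in dig presentation format; not real zone data.
SAMPLE = """\
;; constructed sample, not real zone data
example.com. 86400 IN DNSKEY 257 3 13 c2FtcGxlLWtzaw==
example.com. 86400 IN RRSIG DNSKEY 13 2 86400 20240615000000 20240601000000 11111 example.com. c2FtcGxl
www.example.com. 300 IN RRSIG A 13 3 300 20240831000000 20240601000000 22222 example.com. c2FtcGxl
legacy.example. 604800 IN DNSKEY 256 3 13 c2FtcGxlLXpzaw==
"""

def _ts(value):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 presentation format).
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit(answer, slack_hours=2):
    """Return findings for DNSKEY TTLs and RRSIG validity outside the documented ranges."""
    findings = []
    for line in answer.splitlines():
        f = line.split()
        if len(f) < 5 or line.startswith(";") or f[2] != "IN":
            continue  # comments, blanks, and anything that is not a record line
        owner, ttl, rtype = f[0], int(f[1]), f[3]
        if rtype == "DNSKEY":
            lo, hi = DNSKEY_TTL_SECONDS
            if not lo <= ttl <= hi:
                findings.append(f"{owner} DNSKEY TTL {ttl}s outside {lo}-{hi}")
        elif rtype == "RRSIG" and len(f) >= 12:
            # RDATA order: covered, alg, labels, orig TTL, expiration, inception, ...
            covered, expires, inception = f[4], _ts(f[8]), _ts(f[9])
            days = (expires - inception).total_seconds() / 86400
            lo, hi = RRSIG_VALIDITY_DAYS
            # Assumed slack: some signers backdate inception to absorb clock skew.
            if not lo <= days <= hi + slack_hours / 24:
                findings.append(f"{owner} RRSIG({covered}) valid {days:.1f} days, outside {lo}-{hi}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A signature that outlives the configured validity period extends the window in which a compromised key can be used to forge responses, so any finding from this check is worth investigating.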

ZSK Rollover Frequency

The Zone Signing Key (ZSK) signs the data within a zone and needs to be rolled over more often due to the sheer volume of data being signed. The ZSK Rollover Frequency indicates, in days, how often ZSKs are rolled over.

  • If not configured, the default value is 30 (days).

  • Valid values are between 30 and 120 (days).

KSK Rollover Frequency

The Key Signing Key (KSK) signs the keys within the zone, and because it signs less data than the ZSK, it does not need to be rolled over as often.

  • If not configured, the default value is 365 (days).

  • Valid values are between 365 and 1826 (days).

Once you have provided values within the acceptable range for each field, click the Save button. Clicking the Reset button restores the previously configured values for each field. However, this does not replace configured values with the default field values.