How to sign your Azure Public DNS zone with DNSSEC (Preview)

Article
10/30/2024

This article shows you how to sign your DNS zone with Domain Name System Security Extensions (DNSSEC).

To remove DNSSEC signing from a zone, see How to unsign your Azure Public DNS zone.

Note

DNSSEC zone signing is currently in PREVIEW.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
This DNSSEC preview is offered without a requirement to enroll in a preview. You can use Cloud Shell to sign or unsign a zone with Azure PowerShell or Azure CLI. Signing a zone by using the Azure portal is available in the next portal update.

Prerequisites

The DNS zone must be hosted by Azure Public DNS. For more information, see Manage DNS zones.
The parent DNS zone must be signed with DNSSEC. Most major top level domains (.com, .net, .org) are already signed.

Sign a zone with DNSSEC

To protect your DNS zone with DNSSEC, you must first sign the zone. The zone signing process creates a delegation signer (DS) record that must then be added to the parent zone.

To sign your zone with DNSSEC using the Azure portal:

On the Azure portal Home page, search for and select DNS zones.
Select your DNS zone, and then from the zone's Overview page, select DNSSEC. You can select DNSSEC from the menu at the top, or under DNS Management.
Select the Enable DNSSEC checkbox.
When you are prompted to confirm that you wish to enable DNSSEC, select OK.
Wait for zone signing to complete. After the zone is signed, review the DNSSEC delegation information that is displayed. Notice that the status is: Signed but not delegated.
Copy the delegation information and use it to create a DS record in the parent zone.
1. If the parent zone is a top level domain (for example: .com), you must add the DS record at your registrar. Each registrar has its own process. The registrar might ask for values such as the Key Tag, Algorithm, Digest Type, and Key Digest. In the example shown here, these values are:
  
  Key Tag: 4535
  Algorithm: 13
  Digest Type: 2
  Digest: 7A1C9811A965C46319D94D1D4BC6321762B632133F196F876C65802EC5089001
  
  When you provide the DS record to your registrar, the registrar adds the DS record to the parent zone, such as the Top Level Domain (TLD) zone.
2. If you own the parent zone, you can add a DS record directly to the parent yourself. The following example shows how to add a DS record to the DNS zone adatum.com for the child zone secure.adatum.com when both zones are hosted using Azure Public DNS:
3. If you don't own the parent zone, send the DS record to the owner of the parent zone with instructions to add it into their zone.
When the DS record has been uploaded to the parent zone, select the DNSSEC information page for your zone and verify that Signed and delegation established is displayed. Your DNS zone is now fully DNSSEC signed.

Sign a zone using the Azure CLI:

# Ensure you are logged in to your Azure account
az login

# Select the appropriate subscription
az account set --subscription "your-subscription-id"

# Enable DNSSEC for the DNS zone
az network dns dnssec-config create --resource-group "your-resource-group" --zone-name "adatum.com"

# Verify the DNSSEC configuration
az network dns dnssec-config show --resource-group "your-resource-group" --zone-name "adatum.com"

Obtain the delegation information and use it to create a DS record in the parent zone.

You can use the following Azure CLI command to display the DS record information:

az network dns zone show --name "adatum.com" --resource-group "your-resource-group" | jq '.signingKeys[] | select(.delegationSignerInfo != null) | .delegationSignerInfo'

Sample output:

  {
    "digestAlgorithmType": 2,
    "digestValue": "0B9E68FC1711B4AC4EC0FCE5E673EDB0AFDC18F27EA94861CDF08C7100EA776C",
    "record": "26767 13 2 0B9E68FC1711B4AC4EC0FCE5E673EDB0AFDC18F27EA94861CDF08C7100EA776C"
  }

Alternatively, you can also obtain DS information by using dig.exe on the command line:

dig adatum.com DS +dnssec

Sample output:

;; ANSWER SECTION:
adatum.com.        86400   IN      DS      26767 13 2 0B9E68FC1711B4AC4EC0FCE5E673EDB0AFDC18F27EA94861CDF08C71 00EA776C

In these examples, the DS values are:

Key Tag: 26767
Algorithm: 13
Digest Type: 2
Digest: 0B9E68FC1711B4AC4EC0FCE5E673EDB0AFDC18F27EA94861CDF08C7100EA776C

If the parent zone is a top level domain (for example: .com), you must add the DS record at your registrar. Each registrar has its own process.
If you own the parent zone, you can add a DS record directly to the parent yourself. The following example shows how to add a DS record to the DNS zone adatum.com for the child zone secure.adatum.com when both zones are signed and hosted using Azure Public DNS:

az network dns record-set ds add-record --resource-group "your-resource-group" --zone-name "adatum.com" --record-set-name "secure" --key-tag <key-tag> --algorithm <algorithm> --digest <digest> --digest-type <digest-type>

If you don't own the parent zone, send the DS record to the owner of the parent zone with instructions to add it into their zone.

Sign and verify your zone using PowerShell:

# Connect to your Azure account (if not already connected)
Connect-AzAccount

# Select the appropriate subscription
Select-AzSubscription -SubscriptionId "your-subscription-id"

# Enable DNSSEC for the DNS zone
New-AzDnsDnssecConfig -ResourceGroupName "your-resource-group" -ZoneName "adatum.com"

# Verify the DNSSEC configuration
Get-AzDnsDnssecConfig -ResourceGroupName "your-resource-group" -ZoneName "adatum.com"

Obtain the delegation information and use it to create a DS record in the parent zone.

Get-AzDnsDnssecConfig -ResourceGroupName "dns-rg" -ZoneName "adatum.com" | Select-Object -ExpandProperty SigningKey | Select-Object -ExpandProperty delegationSignerInfo

Example output:

DigestAlgorithmType DigestValue                                                      Record
------------------- -----------                                                      ------
                  2 0B9E68FC1711B4AC4EC0FCE5E673EDB0AFDC18F27EA94861CDF08C7100EA776C 26767 13 2 0B9E68FC1711B4AC4EC0FCE5E673EDB0AFDC18F27EA94861CDF08C7100EA776C

In these examples, the DS values are:

Key Tag: 26767
Algorithm: 13
Digest Type: 2
Digest: 0B9E68FC1711B4AC4EC0FCE5E673EDB0AFDC18F27EA94861CDF08C7100EA776C

If the parent zone is a top level domain (for example: .com), you must add the DS record at your registrar. Each registrar has its own process.
If you own the parent zone, you can add a DS record directly to the parent yourself. The following example shows how to add a DS record to the DNS zone adatum.com for the child zone secure.adatum.com when both zones are signed and hosted using Azure Public DNS. Replace <key-tag>, <algorithm>, <digest>, and <digest-type> with the appropriate values from the DS record you queried previously.

$dsRecord = New-AzDnsRecordConfig -DnsRecordType DS -KeyTag <key-tag> -Algorithm <algorithm> -Digest <digest> -DigestType <digest-type>
New-AzDnsRecordSet -ResourceGroupName "dns-rg" -ZoneName "adatum.com" -Name "secure" -RecordType DS -Ttl 3600 -DnsRecords $dsRecord

If you don't own the parent zone, send the DS record to the owner of the parent zone with instructions to add it into their zone.

Next steps

Learn how to unsign a DNS zone.
Learn how to host the reverse lookup zone for your ISP-assigned IP range in Azure DNS.
Learn how to manage reverse DNS records for your Azure services.

Share via

How to sign your Azure Public DNS zone with DNSSEC (Preview)

Prerequisites

Sign a zone with DNSSEC

Next steps

Feedback

Additional resources