Azure DNS finally supports DNSSEC (Preview)
Hi All,
At Ignite there was the announcement that Azure DNS finally supports DNSSEC (in public Preview).
Setup
Before changing anything I ran a check with Verisign Labs DNSSEC
Let’s go to Azure Portal and navigate to a DNS Zone. You can now see a “DNSSEC” Icon.
Now let’s “Enable DNSSEC”
Confirm
After a few Seconds you see DNSSEC delegation information
Let’s check again with Verisign Labs DNSSEC. As you can see there is a missing DS Record for the Domain on the parent Zone (.ch in this case).
I’ve logged in at my DNS Registrar and clicked on “Manage DNSSEC Settings”
Adding Values from Azure DNS delegation information
It takes a while until that change has gone through. But everything is now green in Verisign Labs DNSSEC 🤩
Check DNSSEC
How can you check if a DNS Zone or Record is protected with DNSSEC?
You can use the following PowerShell code. In the response, the property “AD” (Authenticated Data) tells you whether the resolver validated the answer with DNSSEC, that is, whether the Zone or DNS Record is protected with DNSSEC.
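# Ask Google Public DNS (JSON API) for the NS records and show the response, including the AD flag
$Domain = "irgendwoiminternet.ch"
$URI = "https://dns.google/resolve?name=$Domain&type=NS"
$json = Invoke-RestMethod -URI $URI
$json
# Same query for a second domain, to compare the AD value
$Domain = "icewolf.ch"
$URI = "https://dns.google/resolve?name=$Domain&type=NS"
$json = Invoke-RestMethod -URI $URI
$json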
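Going a step beyond the AD flag, the following added example (not part of the original post) also looks at the DS record and at a second lookup with cd=1, so a missing DS at the parent can be told apart from a failing validation. The function names and state labels are assumptions made for this example, and the sample responses are constructed.

```powershell
# Added example: classify a zone's DNSSEC state from dns.google JSON answers.
# Function names and state labels are assumptions made for this example.
function Resolve-DoH {
    param([string]$Name, [string]$Type, [int]$CD = 0)
    # cd=1 sets Checking Disabled: the resolver answers without validating
    Invoke-RestMethod -Uri "https://dns.google/resolve?name=$Name&type=$Type&cd=$CD"
}

function Get-DnssecState {
    param($Validated, $Unchecked, $DS)
    # Status 0 = NOERROR, 2 = SERVFAIL; DS is record type 43
    $hasDS = @($DS.Answer | Where-Object { $_.type -eq 43 }).Count -gt 0
    if ($Validated.Status -eq 0 -and $Validated.AD) { return 'Secure' }
    # Fails with validation but resolves without it: broken chain of trust
    if ($Validated.Status -eq 2 -and $Unchecked.Status -eq 0) { return 'Bogus' }
    if ($Validated.Status -eq 0 -and -not $hasDS) { return 'Insecure (no DS at parent)' }
    return 'Indeterminate'
}

function Test-Dnssec {
    param([string]$Domain)
    # Three lookups: validated NS, unvalidated NS, and the DS record
    Get-DnssecState -Validated (Resolve-DoH $Domain NS) `
                    -Unchecked (Resolve-DoH $Domain NS -CD 1) `
                    -DS        (Resolve-DoH $Domain DS)
}

# Constructed sample responses (not real lookups), shaped like the dns.google JSON
$signed   = [pscustomobject]@{ Status = 0; AD = $true }
$unsigned = [pscustomobject]@{ Status = 0; AD = $false }
$failed   = [pscustomobject]@{ Status = 2; AD = $false }
$dsRecord = [pscustomobject]@{ type = 43; data = '<constructed DS rdata>' }
$dsFound  = [pscustomobject]@{ Status = 0; Answer = @($dsRecord) }
$dsNone   = [pscustomobject]@{ Status = 0 }

# DS published at the registrar and the chain validates
Get-DnssecState -Validated $signed -Unchecked $signed -DS $dsFound
# Zone signed in Azure DNS, DS not yet published at the parent
Get-DnssecState -Validated $unsigned -Unchecked $unsigned -DS $dsNone
# DS published, but validation fails while the unvalidated lookup works
Get-DnssecState -Validated $failed -Unchecked $unsigned -DS $dsFound

# Live check against Google Public DNS (needs network access):
# Test-Dnssec -Domain 'icewolf.ch'
```

A 'Bogus' result after adding the DS record usually means the values entered at the registrar do not match the Azure DNS delegation information.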
Summary
I’ve been waiting long to see this Feature on Azure DNS and I am very happy now. It was not too complicated to set it up. The challenge will probably be to figure out how to publish the DS Record on your DNS Hosting Provider.
Regards
Andres Bohren