About

Multi-signer DNSSEC consists of two models that allow different authoritative DNS providers to serve the same zone and have DNSSEC enabled at the same time.

This means better compatibility with DNS features that require live-signing of DNS records (at query time), and also allows you to migrate zones to Cloudflare without having to disable DNSSEC.

You can set up multi-signer DNSSEC using either one of the models described in RFC 8901 ↗.

How it works

Note

This is a simplified explanation to give you context and clarify what is involved in a multi-signer DNSSEC setup. For technical details refer to RFC 8901 ↗. To read more about DNSSEC, refer to How DNSSEC works ↗.

Multi-signer DNSSEC looks into the chain of trust that is necessary for DNSSEC validation and leverages that to guarantee that validation is completed even when multiple providers are involved.

An example case where validation would otherwise be an issue is if a resolver has cached a DNSKEY record set ↗ from one provider but receives a response signed by another provider.

To avoid issues in that case, when you set up multi-signer DNSSEC, you adjust:

1. The Zone Signing Keys (ZSK) that your DNS providers have in their DNSKEY record sets.
2. Who is responsible for the Secure Entry Point (SEP), Key Signing Keys (KSK), and Delegation Signer (DS) record.

When these configurations are adjusted in a way that (a) all involved providers have each other's public Zone Signing Keys (ZSK), and that (b) Delegation Signer (DS) records reference the necessary Key Signing Keys (KSK), then live-signing of zones by multiple providers is no longer a problem.

Model 1

Whereas in both models all providers have each other's Zone Signing Keys (ZSK) added to their DNSKEY record set, in model 1, only one Key Signing Key (KSK) is used to sign such DNSKEY record sets. Management of this KSK and its reference by the DS record (that is, the Secure Entry Point) is the responsibility of the zone owner or only one provider (designated by the zone owner).

Model 2

In model 2, on the other hand, each provider uses its own KSK to sign its own DNSKEY record set, and these KSKs are then referenced by the DS record (Secure Entry Point).

---

What happens when multi-signer DNSSEC is on

When you turn on multi-signer DNSSEC on Cloudflare, the following changes occur:

1. Internal flag: Cloudflare sets an internal flag that allows you to add DNSKEY records to your zone.
2. External ZSKs included: When you add DNSKEY records from your secondary provider, Cloudflare includes them in the DNSKEY RRset.
3. Signing with Cloudflare's KSK: Cloudflare signs the external ZSKs with Cloudflare's KSK, creating a Multi-signer DNSSEC Model 2 RRset.
4. CDS/CDNSKEY generation: If you add your other provider's KSK (not required but recommended), Cloudflare produces CDS/CDNSKEY RRsets for compatibility with validation tools.

This configuration ensures that resolvers can validate responses from either provider, as all ZSK DNSKEYs are signed by the appropriate KSKs referenced in the DS records.

---

Best practices

When setting up multi-signer DNSSEC, follow the best practices below to help you achieve a smooth deployment.

Use model 2

Cloudflare recommends model 2 for multi-signer setups. In this model, each provider has their own KSK DNSKEY, resulting in two DS records (one for each provider). This provides better independence and flexibility.

Understand DNSKEY flags

• ZSKs (Zone Signing Keys): flag 256
• KSKs (Key Signing Keys): flag 257

When exchanging keys between providers, ensure you are adding the correct key type (typically ZSKs) to the DNSKEY RRset.

Adhere to TTLs

Always wait for the TTL duration after making changes to DNSKEYs and DS records before proceeding to the next step. This ensures that cached records expire before new records take effect, preventing validation failures.

Verify provider compatibility

Not all DNS providers support adding external DNSKEYs to their DNSKEY RRset. Before starting a multi-signer migration:

• Verify that your other provider supports multi-signer DNSSEC.
• Confirm they can add Cloudflare's ZSK to their DNSKEY records.
• Test the configuration in a non-production environment if possible.

Some third-party providers may not support the required functionality.

Test thoroughly

Multi-signer DNSSEC involves coordinating cryptographic keys across multiple providers. Before deploying to production:

1. Verify that both providers have each other's ZSKs in their DNSKEY RRsets.
2. Confirm that both DS records are present at the registrar.
3. Use DNSSEC validation tools to test resolution from both providers.
4. Monitor for validation errors during the transition period.