DNSSEC on Azure: My Journey with the Private Preview Version

In the world of government organizations, where I currently find myself navigating, there’s an almost unspoken rule: if you’re not listed in the Hall of Fame on Internet.nl, you’re missing the mark on modern internet standards. For those unfamiliar, Internet.nl is a platform that helps organizations check if their internet standards are up-to-date and compliant with the latest security protocols. It assesses everything from DNSSEC to IPv6, ensuring that websites and services are not just functional but secure and future-proof.

For the past few years, the pressure to check all the boxes on Internet.nl has been intense, particularly when it comes to DNSSEC and IPv6 support. Tackling IPv6 was a challenge, but with tools like Azure Front Door, it became manageable. You can read more about how I integrated IPv6 using Azure Front Door in my previous blog here. Additionally, I’ve covered how to use Application Gateway as a public-facing service without the need for Azure Front Door in another blog post.

But the elephant in the room remained: DNSSEC. For the uninitiated, DNSSEC (Domain Name System Security Extensions) adds an extra layer of security by ensuring that the responses to DNS queries are authentic, safeguarding users from attacks like cache poisoning.

Recently, a colleague and I had a conversation that led me to an intriguing discovery: Microsoft’s private DNSSEC configuration, currently available in a private preview. Now, I’m typically hesitant to dive into private versions of software—there’s a certain unpredictability that comes with them. However, the idea of configuring DNSSEC within Azure, especially in a new technology stack, was too tempting to ignore.

Exploring Azure’s Private DNSSEC Configuration

For those ready to dive in, here’s how you can enable DNSSEC on a DNS zone using Azure PowerShell. The command is straightforward:

New-AzDnsDnssecConfig -ResourceGroupName <ResourceGroupName> -ZoneName <ZoneName>

This simple line of code creates or updates the DNSSEC configuration on your specified DNS zone. It might seem basic, but under the hood, it’s a significant step forward in securing your domain.

Here’s what the command does:

• ResourceGroupName: This parameter specifies the name of your resource group.
• ZoneName: This is the DNS zone name where DNSSEC will be enabled.

After running the command, you’ll receive an output similar to this:

Etag                         : 7fbca8a9-849e-48cc-a006-7843bd1e4b7f
Id                           : /subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Network/dnszones/<ZoneName>/dnssecConfigs/default
Name                         : default
ProvisioningState            : Succeeded
...

This output indicates that DNSSEC has been successfully enabled, and your DNS zone is now more secure. The ProvisioningState of Succeeded is what you want to see—it means everything went according to plan.

Finally, an Azure business to consumer solution with azure front door in a hall of fame on internet.nl, hippity hip hooray!

The Verdict: Embracing the Future of DNSSEC

While I typically avoid private versions due to their inherent unpredictability, Azure’s private DNSSEC configuration has proven to be a robust solution. It integrates seamlessly into an Infrastructure-as-Code (IaC) approach, which is a critical factor for me.

Configuring DNSSEC was surprisingly straightforward, and the fact that it’s now part of my Azure stack means one less hurdle in achieving full compliance on Internet.nl. If you’re in a similar position, balancing the need for advanced security with the desire for a streamlined, IaC-friendly solution, I highly recommend giving this private preview a shot.

DNSSEC might have been the last piece of the puzzle, but with Azure’s tools, it’s finally in place. This experience has reinforced a critical lesson: sometimes, venturing into the private preview territory can lead to unexpected, yet highly rewarding, outcomes.

For more details on how to implement DNSSEC in your environment, you can refer to the Microsoft documentation here.

Final Thoughts and Advice

As with any private preview feature, there are risks involved. My advice is to proceed with caution. If your development practices embrace trunk-based development and you’re comfortable managing feature toggles, then the small risk of changes between the preview and final release is manageable. Consider the potential impact—if a brief downtime due to DNSSEC updates is acceptable, especially in a non-business-critical environment, I’d say go ahead and give it a try.

However, if your environment is business-critical and downtime is not an option, you might need to think twice. In such cases, while I’m usually an advocate for staying within the Azure ecosystem, I have to give credit where it’s due: Cloudflare excels in this area. With its robust support for IPv6, advanced security features, bot protection, and competitive pricing, Cloudflare is a strong contender in the cloud market.

For those managing business-critical applications where DNSSEC downtime could be catastrophic, my recommendation is to configure a Cloudflare solution in front of your Azure Front Door. This will ensure you get the DNSSEC support you need, while also checking all the boxes on Internet.nl, without compromising your environment’s stability.

In the end, the best solution is the one that aligns with your operational needs and business priorities. Choose wisely, and don’t hesitate to leverage the best tools available to secure your infrastructure.

If you’re intrigued by the idea of a Cloudflare solution or exploring a multicloud strategy, feel free to reach out. I’d love to collaborate and put some effort into helping you design a robust, future-proof architecture. Whether you’re considering a deeper dive into Cloudflare or just looking for advice on managing a multicloud environment, I’m here to help. Let’s make sure your infrastructure is not just compliant, but resilient and ready for whatever comes next.