CYGNA DDI SECURITY

Cygna DNSSEC Appliances

Automated, highly available DNS zone integrity protection and authentication.


Multi-master support

Cygna DNSSEC appliances support signing primary server redundancy, offering an alternative to networked high security modules. Redundant primaries operate in a primary/backup configuration with real-time updates of zones, resource record sets, signatures, and keys between the redundant pair. Inter-primary status checking is supplemented by a third perspective via the Cygna DDI Executive, adding highly reliable status checking and automated failover.

Selective zone signing

Cygna DNSSEC appliances selectively sign zones based on parameters passed from the Cygna IPControl application. You can sign all zones deployed to the DNSSEC appliance or only selected zones, as desired. RFC-compliant zone signing procedures are employed to generate signatures (RRSIG) and authenticated denial of existence records (NSEC/NSEC3). Dynamic updates can also be secured through update-policies, TSIG, or DoH/DoT for secure acceptance into signed zones.

Automation is key

Cygna DNSSEC appliances automatically generate Key Signing Keys (KSKs) and Zone Signing Keys (ZSKs) in accordance with DNSSEC operational best practices and administrator policies. Key metadata tracks status for each key based on key state, from published, to active, inactive, and deleted. Intervals for each state can be managed via the Cygna DNSSEC appliance interface.

Separation of IPAM and security

Cygna DDI applications manage and deploy DNS configuration information to Cygna DNS appliances. Cygna DNSSEC appliances provide a separate user interface and login credentials for managing DNSSEC parameters, policies, and metadata. This separation lets you define least-privilege access based on administrator role and skillset, keeping DNS configuration apart from DNS security policy management as desired.


Complete DNSSEC ecosystem

DNSSEC multi-master capabilities support redundancy of DNS primary servers. Secondary DNS servers can be deployed as standard Cygna DNS appliances, because zone transfers carry resource record data, including DNSSEC resource records. Cygna DNS appliances operating in a recursion role enable DNSSEC validation by default, so signed DNS responses are validated. Automated trust anchor management updates trust anchors seamlessly across root zone key rollovers. Optional publication of Child Delegation Signer (CDS) records enables parent zones to automatically detect each zone’s KSK rollover.

