DNSSEC Limited Availability
Cisco Umbrella is happy to announce our Limited Availability release for DNSSEC support in our DNS resolvers. With this release, the Cisco Umbrella resolvers will act as fully RFC-compliant, security-aware resolvers by performing DNSSEC validation on queries to authoritative nameservers for signed zones.
The full scope of our support for DNSSEC can be found here:
There are two ways to participate in our DNSSEC Limited Availability period:
1. Use our dedicated DNSSEC-enabled anycast IPs
The simplest method to participate in our Limited Availability is to change the IP addresses to which you are sending DNS queries to Umbrella. This can be done for specific networks if you prefer to use a test network at this time.
The above IPs will be available for the duration of the LA period. Once DNSSEC is generally available, we ask that all customers move back to our enterprise anycast IPs.
2. Enable DNSSEC for your entire organization
If you prefer not to modify the DNS servers currently configured for your networks, you can enable DNSSEC for all identities in your organization by contacting our Support team at email@example.com or online at https://support.umbrella.com.
The Limited Availability release has the following known issues. If you have questions or need additional details, please contact our Support team and reference the issue ID in parentheses.
- Support for all ED algorithms in RFC 8624 (DPT-36)
  - Specifically, ED25519 and ED448 are not supported in the current release.
- Unsigned zone delegations using the same nameservers as a signed parent zone may fail validation (DPT-266)