As organizations adopt multi-cloud and multi-provider DNS strategies, multi-signer DNSSEC has become an important capability for maintaining both resilience and security. With our latest enhancement, we are making multi-signer DNSSEC easier to use by enhancing the API to provide authoritative information about zone signing keys (ZSKs).
ZSKs managed by NS1 Connect are now available via the NS1 Connect RESTful API, bringing greater clarity, safety and automation to DNSSEC operations.
The Problem We Set Out to Solve
In a multi-signer DNSSEC setup, multiple providers sign the same zone concurrently. This allows operators to:
Migrate between DNS providers without downtime
Reduce the blast radius of operational mistakes
Avoid emergency key events during cutovers
As explored in earlier discussions on multi-signer DNSSEC, the model depends heavily on accurate, authoritative key information. In DNSSEC, ZSKs are responsible for signing DNS records, ensuring their integrity and authenticity.
Until now, customers using NS1 Connect as a signer faced a limitation: KSKs were available via the API, but ZSKs were not. As a result, customers had to infer ZSKs via DNS lookups. While workable, this approach introduced ambiguity and operational risk, especially in automated, multi-provider environments where precision is critical.
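The ambiguity of DNS inference, shown as an added example (not NS1 Connect code and not its API): a DNSKEY RRset tells you each key's role and key tag, but not which signer owns a ZSK. The RRset and its 4-byte toy keys are constructed, and `owned_pubkeys` is a hypothetical input standing in for key data supplied by an authoritative source.

```python
import base64
import struct

# Constructed DNSKEY RRset of a multi-signer zone, presentation format
# "flags protocol algorithm base64-key". Toy 4-byte keys, not real key material.
DNSKEY_RRSET = [
    "257 3 13 AQIDBA==",  # KSK
    "256 3 13 BQYHCA==",  # ZSK published by one signer
    "256 3 13 CQoLDA==",  # ZSK published by the other signer
]

def parse_dnskey(rr):
    """Turn one presentation-format DNSKEY into its fields plus wire RDATA."""
    flags, proto, alg, key_b64 = rr.split(None, 3)
    pub = base64.b64decode(key_b64.replace(" ", ""))
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + pub
    return {"flags": int(flags), "alg": int(alg), "pub": pub, "rdata": rdata}

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def role(flags):
    """Zone Key bit (0x0100) must be set; the SEP bit (0x0001) marks a KSK."""
    if not flags & 0x0100:
        return "not-a-zone-key"
    return "KSK" if flags & 0x0001 else "ZSK"

def infer_zsks(rrset):
    """All DNS inference can give: key tags of every ZSK, with no owner."""
    keys = [parse_dnskey(rr) for rr in rrset]
    return sorted(key_tag(k["rdata"]) for k in keys if role(k["flags"]) == "ZSK")

def split_by_owner(rrset, owned_pubkeys):
    """Partition ZSK tags using an authoritative set of our own public keys.
    owned_pubkeys is hypothetical input standing in for signer-supplied data."""
    ours, others = [], []
    for k in (parse_dnskey(rr) for rr in rrset):
        if role(k["flags"]) == "ZSK":
            (ours if k["pub"] in owned_pubkeys else others).append(key_tag(k["rdata"]))
    return sorted(ours), sorted(others)

if __name__ == "__main__":
    print("ZSK tags seen in DNS:", infer_zsks(DNSKEY_RRSET))
    print("ours / others:", split_by_owner(DNSKEY_RRSET, {bytes([5, 6, 7, 8])}))
```

Ownership is matched on the full public key rather than the key tag, because key tags are a 16-bit checksum and can collide.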
What is Changing in NS1 Connect
We are enhancing the authoritative NS1 Connect API to explicitly expose the ZSKs that NS1 Connect created for a signed zone.
This includes:
Authoritative API access to ZSKs managed by NS1 Connect - ZSKs are returned directly from the NS1 Connect signer, rather than inferred from DNS. Keys are explicitly marked as NS1 Connect created and the key role is clearly defined (ZSK vs KSK).
Most importantly, this data comes from a single authoritative source – the NS1 Connect signer itself.
What Stays the Same
Existing API behavior for KSKs remains unchanged
No fields are removed or modified
Existing API consumers continue to function without changes.
Why this Matters
Multi-signer DNSSEC was designed to enable secure DNS across multiple providers, a foundational requirement for modern, resilient architectures. This enhancement strengthens that model with:
Support for safe, automated multi-signer workflows – eliminating DNS inference and providing authoritative ZSK data.
Clear ownership, no ambiguity – preventing any accidental mixing of key ownership, reducing the risk of misconfiguration.
Conclusion
DNSSEC adds a critical layer of trust to the internet by ensuring DNS responses are authentic and untampered. Multi-signer DNSSEC extends that trust across providers, but only if the underlying key management is reliable.
By making ZSK access explicit, authoritative and automation-friendly, this enhancement removes a key barrier to adoption and helps customers confidently operate DNSSEC in multi-provider environments.
Read More
Multi-signer DNSSEC: What it is, why it matters and how it works
Refer to our Help Center Documentation to read more on enabling DNSSEC