Fast DNS: Zone Apex Mapping & DNSSEC


Along with its DDoS resilience and impressive global footprint, Fast DNS affords zone administrators additional technical flexibility and implementation options. One example is Zone Apex Mapping (ZAM) — a feature that enables apex domains to be mapped directly to an Akamai edge IP. The popularity and appeal of ZAM do, however, prompt a number of questions about the technical specifics, such as: is ZAM interoperable with commonplace DNS extensions, like DNSSEC? The short answer is yes: outside of a few caveats which we will explore later in this article, Fast DNS zones can be authenticated with DNSSEC and retain the performance benefits of ZAM. We’ll explore the details of each feature and the interoperability limitations in the sections below.

Zone Apex Mapping

The IETF specification requires a domain name’s zone apex (eg. to be mapped to either an A or AAAA record in public DNS. This stipulation can prove burdensome, as CDNs and other services often require a hostname to be CNAMEd to an alias belonging to the third party; in Akamai’s case, this alias is called an edgehostname. Consequently, DNS lookups for apex hostnames typically resolve to an endpoint responsible for redirecting the request to a subdomain. This redirect is necessary since only subdomains can be CNAMEd to an Akamai edgehostname under the aforementioned DNS guidelines. While this is a common setup, this layer 7 redirect and subsequent CNAME lookup can add latency to a user’s web experience.

However, if a zone is hosted by Akamai’s Fast DNS platform with Zone Apex Mapping enabled, Akamai nameservers can directly return an A (or AAAA) record for an Akamai edge IP when an apex domain is queried by a resolver. Consequently, apex domains can be served through Akamai without violating any DNS standards.  

Even if the redirect to the subdomain is still preferred for SEO reasons (or otherwise), Zone Apex Mapping can facilitate a more performant architecture by enabling the possibility of issuing the layer 7 redirects on our edge network, which is typically closer to the end-user than the origin endpoint.

CNAME Optimization 

ZAM can be leveraged for subdomains as well, eliminating any latency associated with the “CNAME chain”. Without ZAM, subdomain lookups might traverse multiple CNAMEs to ultimately retrieve an A record associated with an Akamai edge server IP. With Zone Apex Mapping in place, Fast DNS nameservers can return this Akamai IP directly without any background queries or additional lookups–thus eliminating the CNAME chain. This optimization is possible because Fast DNS nameservers possess all the necessary mapping information in a consolidated table, and are thus able to immediately return an A or AAAA record associated with the optimal edge server.

DNSSEC and Apex Domain Workflow

Along with these performance optimizations, ZAM is compatible with DNSSEC, the protocol extension responsible for authenticating responses and preventing DNS poisoning attacks. With DNSSEC enabled on Fast DNS, each record is digitally signed using a public/private keypair, and successful validation of the signature by a resolver indicates the zone’s data was not forged or manipulated by a malicious third party. While DNSSEC increases the amount of data transferred “over the wire,” Fast DNS’ global anycast network ensures responses remain performant and available for all end users.

There are specific implementation scenarios that will require additional input from an Akamai technical representative. For example, if a secondary Fast DNS implementation is preferred, further information about the primary architecture will be needed, as the primary service may include a similar type of apex domain optimization that could complicate the workflow. In addition, zones that rely on multiple DNS authorities are not eligible for this combination of features. Since ZAM responses are determined at runtime, the zone admin cannot place dynamic answers into multiple providers as the resource record cannot be successfully signed.
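To see why a runtime-selected answer cannot simply be signed once and copied to another provider, the added example below (not Akamai code) builds the exact byte string an RRSIG covers for an A RRset, following RFC 4034 section 3.1.8.1, and hashes it as ECDSAP256SHA256 would before signing. The zone name, TTL, key tag, validity window and documentation-range IPs are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

TYPE_A, CLASS_IN = 1, 1
ALG_ECDSAP256SHA256 = 13  # RFC 6605: the signed data is hashed with SHA-256


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rrsig_signed_data(owner, ttl, addrs, signer, key_tag, inception, expiration):
    """RFC 4034 3.1.8.1: RRSIG RDATA (minus signature) followed by the sorted RRs."""
    label_count = len([l for l in owner.rstrip(".").split(".") if l])
    rrsig_rdata = struct.pack("!HBBIIIH", TYPE_A, ALG_ECDSAP256SHA256, label_count,
                              ttl, expiration, inception, key_tag) + wire_name(signer)
    # Canonical RRset order: duplicates removed, sorted by RDATA octets.
    rdatas = sorted({ipaddress.IPv4Address(a).packed for a in addrs})
    rrs = b"".join(
        wire_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(r)) + r
        for r in rdatas
    )
    return rrsig_rdata + rrs


def digest_to_sign(addrs, owner="example.com."):
    """SHA-256 of the covered data; constructed TTL, key tag and validity window."""
    data = rrsig_signed_data(owner, 20, addrs, "example.com.", 12345,
                             1700000000, 1700259200)
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Two edge IPs a mapping system might pick for different resolvers (constructed).
    for edge_ip in ("192.0.2.10", "198.51.100.7"):
        print(edge_ip, digest_to_sign([edge_ip]))
```

Each distinct apex answer yields a different digest, so each needs its own signature made with the zone's private key; a signature computed for one edge IP fails validation against any other.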

Future Protocols May Help

Emerging protocols hold promise in terms of enabling this model in a standard way across authoritative DNS providers. A good example is the proposed HTTPSSVC record type that would bind a service definition at the apex level (i.e., Using this new protocol, service definitions at the apex domain might look like this: 2H IN CNAME  2H IN HTTPSSVC 0 0  2H IN CNAME

Along with standardizing apex domain alias capabilities, the proposed HTTPSSVC standard could offer additional server details when a DNS response is returned (i.e. outside of just the IP address) with the goal of facilitating additional security and performance benefits. For example, the IETF draft outlines the opportunity to advertise whether the server supports TLS; with this information in hand, the client could automatically send the initial request over HTTPS to avoid any latent protocol-upgrade redirects, while simultaneously eliminating potential attack vectors.


ZAM & DNSSEC are two primary examples of how Fast DNS guarantees responses are as performant and secure as possible. The interoperability of these features affords zone owners additional functionality and flexibility when it comes to managing records. If you are interested in learning more, please contact your Akamai representative today.

Explore Akamai’s Diverse DNS-Oriented Solutions

If you find this blog useful, continue your exploration using the below references. Everything Akamai deploys depends on the DNS technology embedded in our Intelligent Edge™ Platform. Akamai builds on this to enable a range of services for domain owners:



*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Sam Preston. Read the original post at: