About Self-Managed DNSSEC
DNSSEC adds a level of security to your domain name's DNS. In the Domain Manager, you can manage Domain Name System Security Extensions (DNSSEC) for the following domain name extensions:
- .co.uk, .me.uk, and .org.uk
- .co, .com.co, .net.co, and .nom.co
See What is DNSSEC? for more information.
You can activate DNSSEC security information for your domain name under the following conditions:
- The domain name is registered through us.
- The registry for the domain name must support DNSSEC for the domain name's extension.
- The domain name must use custom nameservers, and you have control over signing your zones. That is, it is not hosted, parked, or forwarding with us.
- The domain name must be in active status, not flagged by the registry, and have valid Whois data.
NOTE: If you have a Premium DNS account, you can take advantage of our fully managed DNSSEC services. For more information, see Enabling DNSSEC in Your Premium DNS Account and Enabling DNSSEC for Domain Names Registered Elsewhere.
To enable DNSSEC, the zone must be digitally signed by your DNS server. During signing, you create a Delegation of Signing (DS) record. Each DS record contains information the registry uses to authenticate using DNSSEC. You use the DS Record and the information it contains to enable DNSSEC for your zone.
You can define up to 10 DS records for each domain name.
NOTE: For domain names with a .eu extension, you can define a maximum of four DS records. For domain names with a .uk extension (.co.uk, .me.uk, and .org.uk), you can define a maximum of eight DS records.
The domain name extension determines the DNSSEC information you supply for each domain name. Here are the available DNSSEC fields and their usage by domain name extension:
|DNSSEC Field||.com / .net / .biz / .us / .uk / .co||.org||.eu|
|Max Signature Life||Not Supported||Optional||Not Supported|
|Flags||Not Supported||Not Supported||Required|
|Protocol||Not Supported||Not Supported||Required|
|Public Key||Not Supported||Not Supported||Required|
The following information is required to create a DS record for your domain name:
- Key Tag — This is an integer value less than 65536 used to identify the DNSSEC record for the domain name.
- Algorithm — This identifies the cryptographic algorithm used to generate the signature.
- Digest Type — This identifies the algorithm used to construct the digest.
- Max Signature Life — This field specifies the validity period for the signature. The value is expressed in seconds. You can use any integer value larger than zero.
- Flags — This identifies the key type; either a Zone-Signing Key or a Key-Signing Key.
- Protocol — This value identifies the protocol to be used for the electronic key matchup.
- Digest — This is the digest integer value.
- Public Key — Registries use this value to encrypt DS records. Decryption requires a matching public key.
Related Material:What is DNSSEC?
Managing DNSSEC for Your Domain Name
What is the DNSSEC chain of trust?
Since DNSSEC makes the Internet more secure, why doesn't everyone use it?
What types of websites should enable DNSSEC for their domain name?
How do I enable DNSSEC and sign my zone?
How does DNSSEC work?
Why does my website no longer resolve after I enabled DNSSEC?
Your message was successfully sent.
There was an error in sending your message, please try again.
Have a question about the content of this article?