About Self-Managed DNSSEC
DNSSEC adds a level of security to your domain name's DNS. In the Domain Manager, you can manage Domain Name System Security Extensions (DNSSEC) for the following domain name extensions:
- .com
- .net
- .biz
- .us
- .org
- .eu
- .se
- .at
- .au, .com.au, .net.au, .org.au
- .co.uk, .me.uk, and .org.uk
- .co, .com.co, .net.co, and .nom.co
see DNSSEC FAQ for more information.
You can activate DNSSEC security information for your domain name under the following conditions:
- The domain name is registered through us.
- The registry for the domain name must support DNSSEC for the domain name's extension.
- The domain name must use custom nameservers, and you have control over signing your zones. That is, it is not hosted, parked, or forwarding with us.
- The domain name must be in active status, not flagged by the registry, and have valid Whois data.
Note: If you have a Premium DNS account, you can take advantage of our fully managed DNSSEC services. For more information, see Enable DNSSEC in my Premium DNS account.
To enable DNSSEC, the zone must be digitally signed by your DNS server. During signing, you create a Delegation of Signing (DS) record. Each DS record contains information the registry uses to authenticate using DNSSEC. You use the DS Record and the information it contains to enable DNSSEC for your zone.
You can define up to 10 DS records for each domain name.
Note: For domain names with a .eu extension, you can define a maximum of four DS records. For domain names with a .uk extension (.co.uk, .me.uk, and .org.uk), you can define a maximum of eight DS records.
The domain name extension determines the DNSSEC information you supply for each domain name. Here are the available DNSSEC fields and their usage by domain name extension:
DNSSEC Field | .com / .net / .biz / .us / .uk / .co | .org | .eu |
---|---|---|---|
Key Tag | Required | Required | Required |
Algorithm | Required | Required | Required |
Digest Type | Required | Required | Required |
Max Signature Life | Not Supported | Optional | Not Supported |
Flags | Not Supported | Not Supported | Required |
Protocol | Not Supported | Not Supported | Required |
Digest | Required | Required | Required |
Public Key | Not Supported | Not Supported | Required |
The following information is required to create a DS record for your domain name:
- Key Tag — This is an integer value less than 65536 used to identify the DNSSEC record for the domain name.
- Algorithm — This identifies the cryptographic algorithm used to generate the signature.
- Digest Type — This identifies the algorithm used to construct the digest.
- Max Signature Life — This field specifies the validity period for the signature. The value is expressed in seconds. You can use any integer value larger than zero.
- Flags — This identifies the key type; either a Zone-Signing Key or a Key-Signing Key.
- Protocol — This value identifies the protocol to be used for the electronic key matchup.
- Digest — This is the digest integer value.
- Public Key — Registries use this value to encrypt DS records. Decryption requires a matching public key.
Related Material:
DNSSEC FAQManage DNSSEC for my domain