Help Center

Version 2.0

• Managing Domain Names
• Working with DNSSEC

Related Articles

• What is a DS record?
• What is the DNSSEC chain of trust?
• Since DNSSEC makes the Internet more secure, why doesn't everyone use it?
• What types of websites should enable DNSSEC for their domain name?
• How does DNSSEC work?
• What is a key rollover and how often should it occur?
• Why does my website no longer resolve after I enabled DNSSEC?

How do I enable DNSSEC and sign my zone?

To enable DNSSEC you must digitally create private and public keys and generate a Declaration of Signing record during the domain name signing process.

There are a number of resources on the Internet for those familiar with DNS. Refer to your nameserver documentation for more details.

Prerequisites for the Zone Signing Process:

1. Set your domain name to use DNSSEC-aware nameservers. If you are hosting your own nameservers, you must enable DNSSEC on them.
2. Determine the algorithm you want to use to sign your zone file. The domain name's registry specifies the algorithms they support. The following algorithms are in use for DNSSEC:
   • 0 — Reserved
   • 1 — RSA/MD5 [RSAMD6]
   • 2 — Diffie-Hellman [DH]
   • 3 — DSA/SHA-1 [DSA]
   • 4 — Elliptic Curve [ECC]
   • 5 — RSA/SHA-1 [RSASHA1]
   • 252 — Indirect [INDIRECT]
   • 253 — Private [PRIVATEDNS]
   • 254 — Private [PRIVATEOID]
   • 255 — Reserved

The General Zone Signing Process

Specifics for this process are determined by your DNSSEC-aware nameservers and the domain name's registry.

1. Generate a zone signing key.
2. Generate a key signing key.
3. Sign the zone and generate signed zone records.
4. Generate the declaration of signing (DS) record. Use the information in this record to enable DNSSEC for your domain name registered with us.

See Managing DNSSEC for Your Domain Name for information on enabling and managing DNSSEC for your domain name through the Domain Manager.

• Not helpful
• Somewhat helpful
• Helpful
• Very Helpful
• Solved my problem