Frequently Asked Questions

Managing DNSSEC for Your Domain Name

Last Updated: May 22, 2015 10:27 AM

Domain Name Security Extensions (DNSSEC) add a layer of security to your domain names by attaching digital signatures to their Domain Name System (DNS) information. For more information, see DNSSEC FAQ.

Delegation of Signing (DS) records contain the digital signature information for your domain name's DNS. In the Domain Manager, you can manage DS records for the following domain name extensions:

  • .com
  • .net
  • .biz
  • .us
  • .eu
  • .se
  • .org
  • .at
  • .in, .co.in, .net.in, .org.in, .firm.in, .gen.in, and .ind.in
  • .co.uk, .me.uk, and .org.uk
  • .co, .com.co, .net.co, and .nom.co

You can work with one or more DS records at one time, depending on the domain name's extension. Use the instructions below to add, edit, or delete DS records. Your DNS manager, such as your hosting company, provides the information you need to create DS records.

NOTE: Not all DNSSEC fields are supported for all domain name extensions. See About Self-Managed DNSSEC for information on the usage of these fields by domain name extension.

If you have a Premium DNS account, we fully manage the DNSSEC for you. For more information, see Enabling DNSSEC in Your Premium DNS Account.

Creating a Single DS Record

You can use these instructions to create a single DS record.

To Create a Single DS Record

  1. Log in to your Account Manager.
  2. Next to Domains, click Manage.
  3. Select the domain name you want to create a DS record for.
  4. From Nameservers, select Manage DNSSEC DS Records.
  5. Click Add New DS Record.

  6. If applicable, enter or select the following, and then click Next:
    • Key Tag — An integer value less than 65536 that identifies the DNSSEC record for this domain name.
    • Algorithm — The cryptographic algorithm that generates the signature.
    • Digest Type — The algorithm type that constructs the digest.
    • Max Signature Life (in seconds) — The length of time that the key is valid for.
    • Flags — This identifies the key type: a Zone-Signing Key or a Key-Signing Key.
    • Protocol — This value identifies the protocol used for the electronic key match-up.
    • Digest — The digest is an alpha-numeric value.
    • Public Key — Registries use this value to encrypt DS records. Decryption requires a matching private key.
  7. We validate the DS record information you enter by searching the key tag on the DNS server to verify it is DNSSEC-enabled.
    • If we find an error, you have the following options:
      • To Override the Error and Confirm the Entries — Select I understand that continuing with errors..., and then click OK.

        NOTE: Your website might not resolve if you store the invalid DS record information.

      • To Correct the Entries Before Continuing — Click Previous to return to the entry screen and correct the entries.
      • To Exit Without Saving the Entries — Click Cancel, and then click OK.
    • If we do not find errors, click Next, and then click OK twice.

Creating Multiple DS Records at One Time

You can use these instructions to create a maximum of 10 DS records at a time.

NOTE: This process is not available for .eu domain names. For .eu domain names, you can store a maximum of four DS records, and you must use basic mode to enter them.

To Create Multiple DS Records at One Time

  1. Log in to your Account Manager.
  2. Next to Domains, click Manage.
  3. Select the domain name you want to create a DS record for.
  4. From Nameservers, select Manage DNSSEC DS Records. The Manage DS Records screen displays.

    TIP: You can manage DNSSEC services for only one domain name at a time.

  5. Click Add new DS record.
  6. Click Switch to advanced mode.
  7. Enter or copy/paste the following information for up to 10 DS records (in BIND zone file format), and then click Next. Enter one DS record per line. Separate record fields with a space.

    Example:

    coolexample.us 3600 IN DS 20160 7 1 A342AAD056A8EA55E9F4F05B33A7333EE9CB1985

  8. Indicate how to apply the records you entered:
    • Replace all existing DS records — This option replaces all existing DS records for the domain name with the current entries.
    • Append to existing DS records — This option appends the current entries to previously-saved DS records for the domain name.

      TIP: Domain names can have a maximum of 10 DS records each with the exception of .eu domain names, which can have a maximum of four records each.

  9. We validate the DS record information you enter by searching the key tag on the DNS server to verify that it is DNSSEC-enabled.
    • If we find an error, you have the following options:
      • To Override the Error and Confirm the Entries — Select I understand that continuing with errors..., and then click OK.

        NOTE: Your Web page might not resolve if you store the invalid DS record information.

      • To Correct the Entries Before Continuing — Click Previous to return to the entry screen and correct the entries.
      • To Exit Without Saving the Entries — Click Cancel, and then click OK.
    • If we do not find errors, click Next, and then click OK twice.
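
Because a stored DS record that does not match the zone's key can stop the domain from resolving, it helps to check each line before submitting it. The following Python pre-check is an added example, not part of the original article or the registrar's tooling: it parses a DS line in the BIND zone file format shown above and, going one step beyond the article, compares it with the DNSKEY published for the zone. The function names are illustrative, and the DNSKEY flags, protocol, algorithm and Base64 public key are assumed to come from your DNS manager.

```python
import base64
import hashlib

# DS digest type -> (hashlib name, hex length); GOST (type 3) is not handled here.
DIGESTS = {1: ("sha1", 40), 2: ("sha256", 64), 4: ("sha384", 96)}
# The example line from this article (digest type 1 = SHA-1, 40 hex characters).
SAMPLE = "coolexample.us 3600 IN DS 20160 7 1 A342AAD056A8EA55E9F4F05B33A7333EE9CB1985"


def parse_ds(line):
    """Parse and sanity-check 'owner ttl IN DS keytag alg digesttype digest'."""
    f = line.split()
    if len(f) < 8 or f[2].upper() != "IN" or f[3].upper() != "DS":
        raise ValueError("expected: owner ttl IN DS keytag alg digesttype digest")
    tag, alg, dtype = int(f[4]), int(f[5]), int(f[6])
    digest = "".join(f[7:]).upper()  # zone files may split the digest with spaces
    if not 0 <= tag < 65536:
        raise ValueError("key tag must be an integer below 65536")
    if dtype not in DIGESTS:
        raise ValueError(f"unsupported digest type {dtype}")
    if len(digest) != DIGESTS[dtype][1] or set(digest) - set("0123456789ABCDEF"):
        raise ValueError("digest must be hex of the length its digest type produces")
    return {"owner": f[0], "key_tag": tag, "algorithm": alg,
            "digest_type": dtype, "digest": digest}


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA in wire form: flags, protocol, algorithm, public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(public_key_b64))


def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF


def owner_wire(name):
    """Lower-cased owner name as length-prefixed labels plus the root label."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_matches_dnskey(ds, rdata):
    """True when key tag, algorithm and digest all agree with the DNSKEY."""
    h = hashlib.new(DIGESTS[ds["digest_type"]][0], owner_wire(ds["owner"]) + rdata)
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest"] == h.hexdigest().upper())
```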

Editing or Deleting DS Records

Use these instructions to edit or delete existing DS records.

To Edit or Delete DS Records

  1. Log in to your Account Manager.
  2. Next to Domains, click Manage.
  3. Select the domain name you want to update the DS record for.
  4. From Nameservers, select Manage DNSSEC DS Records. The Manage DS Records screen displays all existing DS records.

    TIP: You can manage DNSSEC services for only one domain name at a time.

  5. Do one of the following:
    • To edit a listed entry, click Edit.
    • To delete a listed entry, click Remove. You can cancel the deletion by clicking Undo Remove before saving the changes and submitting them.
  6. We validate the updated DS record information you enter by searching the key tag on the DNS server to verify that it is DNSSEC-enabled.
    • If we find an error, you have the following options:
      • To Override the Error and Confirm the Entries — Select I understand that continuing with errors..., and then click OK.

        NOTE: Your Web page might not resolve if you store the invalid DS record information.

      • To Correct the Entries Before Continuing — Click Previous to return to the entry screen and correct the entries.
      • To Exit Without Saving the Entries — Click Cancel, and then click OK.
    • If we do not find errors, click Next, and then click OK twice.

Related Material:

DNSSEC FAQ
About Self-Managed DNSSEC