Domains: Managing DNSSEC (Domain Name System Security Extensions)

Modified on Fri, 31 Jan at 2:16 AM

Note: This HelpDesk article has information obtained from the Enom article here: https://support.enom.com/support/solutions/articles/201000065386-managing-dnssec



What is DNSSEC (Domain Name System Security Extensions)?


Domain Name System Security Extensions (DNSSEC) is a technology that digitally signs a domain's DNS records so that resolvers can detect forged DNS data. The goal is to provide assurance that the DNS records received by the user are the same as the DNS records published on the authoritative DNS server.


Note: The default Enom nameservers do not support DNSSEC, so you will need to use third-party nameservers if you would like to enable it.

Components of a DNSSEC record

There are six components to a Delegation Signer (DS) record.

  1. Domain Name
  2. Time to live (TTL)
  3. Key Tag: A numerical value that identifies the DNSKEY record the DS record refers to.
  4. Algorithm: The algorithm used to generate the signature.
    • 3 for DSA/SHA1
    • 5 for RSA/SHA1
    • 6 for DSA-NSEC3-SHA1
    • 7 for RSASHA1-NSEC3-SHA1
    • 8 for RSA/SHA-256
    • 9 for RSA/SHA-512
    • 13 for ECDSA/SHA-256
    • 15 for ED25519
    • 16 for ED448
  5. Digest Type: The hash algorithm that was used to construct the digest.
    • 1 for SHA-1
    • 2 for SHA-256
  6. Digest: The hexadecimal hash value produced by the digest type over the key.

The TTL is not used on the Enom side, but the other components are required to add DNSSEC to a domain at Enom.

Adding DNSSEC

If your DNS provider has enabled DNSSEC support, they will provide you with a corresponding Delegation Signer (DS) record that must be added to the parent zone at the appropriate registry.

There is no method for adding a DNSSEC record to an Enom domain from the user interface. To add the DNSSEC record to a domain, submit a support ticket and include the DS record to be added. Use this format in the body of the request to ensure all of the necessary information is present:

Domain:
Key:
Algorithm:
Digest Type:
Digest: 

Support will add the record to the domain using this information.

Removing DNSSEC

If you need to remove DNSSEC, you can submit a support ticket asking to have DNSSEC removed from the domain in question.

Verifying DNSSEC

Many registries (Verisign, for example) show the signed delegation information in a Whois lookup. Third-party tools such as the Verisign Labs DNSSEC Analyzer or DNSViz, and command-line tools such as dig, can also be used to view DNSSEC information. A simple dig query to check for the DS record and DNSSEC information is:

dig DS +dnssec example.com

Use these tools to look up a domain's current DNSSEC information, either to confirm that the DS record has been added successfully or to view the updated DNSSEC record after any changes.
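The following added example (not code from Enom or from any DNS provider) ties the two parts of this article together: it derives the six DS components listed under "Components of a DNSSEC record" from a DNSKEY record as described in RFC 4034, formats them in the ticket layout shown under "Adding DNSSEC", and then checks a DS line as returned by `dig DS +dnssec` against the DNSKEY it should cover. The DNSKEY shown is a constructed sample with a meaningless four-byte public key (base64 `AQIDBA==`), used only so the arithmetic can be followed by hand; the function names are this example's own.

```python
"""Derive and verify a Delegation Signer (DS) record from a DNSKEY record.

Hypothetical helper written for this article, not Enom's or the DNS
provider's code.  SAMPLE_DNSKEY is a constructed record whose "public key"
is four placeholder bytes; real keys are hundreds of bytes long.
"""
import base64
import hashlib

# Digest types listed in the article: 1 = SHA-1, 2 = SHA-256.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample KSK: flags 257 (SEP bit set), protocol 3, algorithm 8 (RSA/SHA-256).
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length byte, terminated by a zero byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): even-offset bytes
    are shifted left by 8, odd-offset bytes added as-is, then the carry is folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr: str) -> tuple:
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <protocol> <algorithm> <base64...>'.
    Returns (owner, flags, protocol, algorithm, rdata bytes)."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may span several fields
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    return fields[0], flags, protocol, algorithm, rdata


def ds_from_dnskey(rr: str, digest_type: int = 2) -> dict:
    """Build the six DS components. The digest is the hash of the owner name in
    wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    owner, flags, protocol, algorithm, rdata = parse_dnskey(rr)
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & 0x0001:  # SEP bit: a DS record should point at the KSK
        raise ValueError("DNSKEY is not a KSK (SEP bit not set)")
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"domain": owner.rstrip(".").lower(), "ttl": 3600, "key_tag": key_tag(rdata),
            "algorithm": algorithm, "digest_type": digest_type, "digest": digest}


def ticket_body(ds: dict) -> str:
    """Lay the DS out in the format the article asks for in a support ticket."""
    return "\n".join([f"Domain: {ds['domain']}", f"Key: {ds['key_tag']}",
                      f"Algorithm: {ds['algorithm']}", f"Digest Type: {ds['digest_type']}",
                      f"Digest: {ds['digest']}"])


def parse_ds(line: str) -> dict:
    """Parse a DS line as printed by dig: '<owner> <ttl> IN DS <tag> <alg> <dtype> <hex>'."""
    fields = line.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    return {"domain": fields[0].rstrip(".").lower(), "key_tag": tag, "algorithm": alg,
            "digest_type": dtype, "digest": "".join(fields[idx + 4:]).upper()}


def ds_matches(ds: dict, dnskey_rr: str) -> bool:
    """True if the published DS covers the given DNSKEY (tag, algorithm and digest agree)."""
    expected = ds_from_dnskey(dnskey_rr, ds["digest_type"])
    return all(expected[k] == ds[k] for k in ("key_tag", "algorithm", "digest"))


if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_DNSKEY)
    print(ticket_body(ds))
    # Constructed stand-in for the answer section of 'dig DS +dnssec example.com'.
    published = parse_ds(f"example.com. 86400 IN DS {ds['key_tag']} {ds['algorithm']} "
                         f"{ds['digest_type']} {ds['digest']}")
    print("DS matches DNSKEY:", ds_matches(published, SAMPLE_DNSKEY))
```

The key tag of the sample works out by hand: the RDATA is `01 01 03 08 01 02 03 04`, so the even-offset bytes contribute 256 + 768 + 256 + 768 and the odd-offset bytes 1 + 8 + 2 + 4, giving 2063. Feed a real DNSKEY from your DNS provider (the `257 3 <alg>` record) into `ds_from_dnskey` to produce the ticket text, and paste the DS line from `dig` into `parse_ds` after support has added it to confirm the published delegation points at your key.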
