What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) add digital signatures to a domain name's DNS (Domain Name System) records so that the authenticity of the data can be verified. It's designed to protect Internet users from forged DNS data, such as a misleading or malicious address returned in place of the legitimate address that was requested.
When DNSSEC is enabled, DNS lookups use the digital signature to verify that the source of your site's DNS data is valid. This helps prevent certain types of attacks; if the digital signature does not validate, the lookup fails and browsers will not display the site.
Why does my website no longer resolve after I enabled DNSSEC?
The digital signature information you store in a DS (Delegation Signer) record must match what your domain's nameservers produce. If it doesn't, the domain can't resolve to your website. Carefully compare the DS record values you entered against the zone data stored on the nameserver and make sure they match.
How do I enable DNSSEC and sign my zone?
You can set up self-managed DNSSEC through your DNS provider. To enable self-managed DNSSEC, you must generate a private and public key pair and produce a Delegation Signer (DS) record while signing the domain name's zone. The requirements and restrictions may vary based on your domain name's registry and your DNS provider. Reach out to your DNS provider for more information.
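As an added example that is not part of this FAQ, the following Python builds the DS record that belongs to a DNSKEY (SHA-256 over the owner name plus the DNSKEY RDATA, per RFC 4034) and checks a published DS record against it, which is the comparison the two answers above rely on. The zone name and the four-byte key are constructed placeholders, not real key material.

```python
import hashlib
import struct

# Constructed sample values (not a real zone or key). A real RSA or ECDSA
# public key would be far longer than these four bytes.
ZONE = "example.com."
DNSKEY_FLAGS = 257          # 257 = zone key with the SEP bit, i.e. a KSK
DNSKEY_PROTOCOL = 3         # always 3 for DNSSEC
DNSKEY_ALGORITHM = 8        # RSA/SHA-256
DNSKEY_PUBLIC = bytes([0x01, 0x02, 0x03, 0x04])   # placeholder key bytes

def owner_wire(name: str) -> bytes:
    """Canonical wire form of a name: lowercase, length-prefixed labels, zero terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def compute_ds(zone: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record the registry should hold for this DNSKEY (digest type 2 = SHA-256)."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is handled in this example")
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def parse_ds(text: str) -> dict:
    """Parse presentation form 'keytag algorithm digesttype hexdigest...' (hex may be split)."""
    parts = text.split()
    return {"key_tag": int(parts[0]), "algorithm": int(parts[1]),
            "digest_type": int(parts[2]), "digest": "".join(parts[3:]).upper()}

def ds_matches(zone: str, rdata: bytes, published_ds: str) -> bool:
    """True only if every field of the published DS agrees with the zone's DNSKEY."""
    published = parse_ds(published_ds)
    return published == compute_ds(zone, rdata, published["digest_type"])

SAMPLE_RDATA = dnskey_rdata(DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, DNSKEY_PUBLIC)

if __name__ == "__main__":
    ds = compute_ds(ZONE, SAMPLE_RDATA)
    print(f"{ZONE} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
```

A mismatch in any field (wrong key tag, wrong algorithm, a typo in the digest, or a DS computed for a different owner name) makes ds_matches return False, which is the condition behind the "website no longer resolves" question above.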
How do I know if the URL I've requested is DNSSEC-aware?
If there's a verification problem with a DNSSEC-aware URL, you receive a message indicating that the site does not exist.
Unfortunately, browsers don't currently indicate whether DNSSEC validation took place. They give no visual feedback for DNSSEC-secured sites the way they show a padlock icon when a site is secured by an SSL certificate.
Since DNSSEC makes the Internet more secure, why doesn't everyone use it?
Implementing DNSSEC across the Internet is a big effort: it requires coordination, consensus and expenses (often significant) world-wide. Adoption is moving steadily forward, one domain name extension and its registry at a time. As each extension becomes DNSSEC-aware, we'll be there to support the effort for domain names registered through us.
Is there any reason I shouldn't use DNSSEC?
While there is no absolute reason a domain shouldn't use DNSSEC, there are some things that might make it less desirable. DNSSEC adds signature data to every response, which can reduce site performance. It also makes DNS more fragile and slightly increases the chance of a resolution failure.
But for those who have valuable data to protect, the potential risks are minimal and enabling DNSSEC can be a valuable decision. If you're not a regular target of malicious activity, don't collect sensitive data and aren't in a high-profile position (e.g., a political figure), you may want to forgo DNSSEC.
- Upgrade to Premium DNS and enable DNSSEC to take advantage of our fully managed DNSSEC services.
- For self-managed DNSSEC, add a new DS record to your domain.