DNS Security Extensions (DNSSEC) is designed to protect Internet resolvers from forged DNS data and so prevent DNS tampering.
Your DNS provider supplies the DNSSEC values that you enter for your domains. OpenSRS does not do any DNSSEC validation, and we pass the DNSSEC values on to the registry.
Important: If SystemDNS nameservers are being used, DNSSEC is not supported.
- What to know before adding DNSSEC
- Allowed values
- Adding and removing DNSSEC in the Reseller Control Panel (RCP)
- Adding and removing DNSSEC in the Manage web interface (MWI)
- Configure DNSSEC in the API
What to know before adding DNSSEC
DNSSEC works by digitally signing the DNS records at the authoritative DNS server. A DNS resolver knows whether the information it receives is identical to the authoritative DNS server's information by checking the digital signature. This attests to the address's validity and ensures that the site you visit is the one you intended to go to rather than a site where your personal information could be compromised. If the DNS response cannot be authenticated, your browser won't display the site.
For domains being transferred in, DNSSEC records will be maintained and carried over to OpenSRS. If you do not want to maintain DNSSEC when transferring the domain to us, you can request that it be removed. Please contact support to request DNSSEC removal.
DNSSEC is not supported for all TLDs. You can find the list of DNSSEC-enabled TLDs in our TLD reference chart. There is no cost associated with adding, changing, or removing public key material (e.g., DNSKEY or DS resource records) for supported TLDs. For TLDs where we do not currently support DNSSEC, there will be a $500 USD fee for adding or changing a DNSSEC key. There is no cost for removing a DNSSEC record.
Note: You cannot assign DNSSEC values to the domain at the time of registration, but once the domain is registered, you can modify it and add the DNSSEC values.
Allowed values
| Field | Description |
| --- | --- |
| Key Tag | An integer value is used to identify the DNSSEC record. Value cannot be more than 65535. |
| Algorithm Type | The cryptographic algorithm that generates the signature. Allowed values are: |
| Digest Type | The algorithm type that constructs the digest. Allowed values are: |
| Digest | The digest is an alpha-numeric string value. The length depends on the digest type used. Allowed values are: SHA-1: 40 characters; SHA-256 and GOST: 64 characters; SHA-384: 96 characters. |
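Because the DS values are passed to the registry without validation, a mistyped value can leave the domain failing validation, so it helps to check them against the zone's DNSKEY before entering them. The following is an added example, not OpenSRS code: it recomputes the key tag and digest and applies the length limits listed above. It assumes the IANA digest type numbers 1, 2, 3 and 4 for SHA-1, SHA-256, GOST and SHA-384, and uses constructed key bytes for the hypothetical zone example.com with algorithm number 13 chosen only for illustration.

```python
import hashlib

# IANA DS digest type number -> (hashlib name, hex length listed on this page).
# Type 3 (GOST) is not in hashlib, so only its length is checked.
DIGEST_TYPES = {1: ("sha1", 40), 2: ("sha256", 64), 3: (None, 64), 4: ("sha384", 96)}

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire format + DNSKEY RDATA), as upper-case hex."""
    return hashlib.new(DIGEST_TYPES[digest_type][0], name_to_wire(owner) + rdata).hexdigest().upper()

def check_ds(owner, rdata, tag, algorithm, digest_type, digest):
    """Return a list of problems; an empty list means the DS values match the DNSKEY."""
    problems = []
    if not 0 <= tag <= 65535:
        problems.append("key tag out of range")
    if digest_type not in DIGEST_TYPES:
        return problems + ["unknown digest type"]
    hash_name, hex_len = DIGEST_TYPES[digest_type]
    if len(digest) != hex_len or any(c not in "0123456789abcdefABCDEF" for c in digest):
        problems.append(f"digest must be {hex_len} hex characters")
    if tag != key_tag(rdata):
        problems.append("key tag does not match DNSKEY")
    if algorithm != rdata[3]:
        problems.append("algorithm does not match DNSKEY")
    if hash_name and digest.upper() != ds_digest(owner, rdata, digest_type):
        problems.append("digest does not match DNSKEY")
    return problems

# Constructed sample: placeholder key bytes (not a real key) for the hypothetical zone example.com.
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))
SAMPLE_DIGEST = ds_digest("example.com.", SAMPLE_RDATA, 2)
print(check_ds("example.com.", SAMPLE_RDATA, key_tag(SAMPLE_RDATA), 13, 2, SAMPLE_DIGEST))
```

In practice the flags, protocol, algorithm and public key come from the DNSKEY record your DNS provider publishes for the zone.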
Adding in the RCP
- Log in to the Reseller Control Panel.
- Click Domains.
- Filter/search and click on the domain name to which you would like to add DNSSEC.
- Scroll down to the DNSSEC section and click Edit.
- Complete the four fields with information obtained from the DNS provider and click Save.
Modifying and removing in the RCP
- Log in to the Reseller Control Panel.
- Click Domains.
- Filter/search and click on the domain name for which you would like to modify or remove DNSSEC.
- To modify, change the information you wish to update and click Save.
- To delete, click the red - sign next to the record and click Save.
Adding in the MWI
- Log in to the Manage web interface (MWI), also known as the end-user portal, with the domain to which you would like to add DNSSEC.
- Click Name Servers.
- Scroll to the bottom and select Configure DNSSEC.
- Enter the information supplied by your DNS provider and click Save DS Record.
Modifying and removing in the MWI
- Log in to the Manage web interface (MWI), also known as the end-user portal, with the domain for which you would like to modify or remove DNSSEC.
- Click Name Servers.
- Scroll to the bottom and select Configure DNSSEC.
- To modify, change the information you wish to update and click Save DS Records.
- To delete, click Remove next to the record and click Save DS Record.