DNSSEC Configuration Guide

DNSSEC (Domain Name System Security Extensions) protects your domain from DNS spoofing and cache-poisoning attacks by cryptographically signing your DNS records. When DNSSEC is enabled, resolvers can verify that responses for your domain are authentic and unmodified. This article describes how to add, view, and remove DNSSEC records for domains managed through OpenSRS.

How DNSSEC works at the registry

DNSSEC relies on two related record types. DNSKEY records live in your zone at the DNS host and contain the public keys used to sign the zone. DS (Delegation Signer) records live at the parent (the registry) and contain a cryptographic hash of your DNSKEY. The DS record is what OpenSRS submits to the registry on your behalf — it tells the parent zone "this DNSKEY is authoritative for this domain."

OpenSRS does not generate or sign your keys. Your DNS provider does. OpenSRS only stores the DS data and forwards it to the registry.

Warning: A DNSSEC misconfiguration — for example, publishing a DS record that doesn't match your DNSKEY, or removing the DNSKEY before removing the DS — will cause validating resolvers to refuse to resolve your domain. The domain will appear "down" to a large portion of the internet until the mismatch is corrected and DNS caches expire (typically 24–48 hours).

Before you begin

  • Confirm the TLD supports DNSSEC. Most gTLDs (.com, .net, .org) and most ccTLDs do; a few do not.
  • Have your DS record data ready from your DNS provider: Key Tag, Algorithm, Digest Type, and Digest.
  • Verify your nameservers are responding with signed records before submitting DS data to the registry.
  • You must be logged in to the Reseller Control Panel with permission to manage the domain.

Step 1: Locate the domain in the Reseller Control Panel

  1. Sign in to the Reseller Control Panel.
  2. Go to Domains > Manage Domains.
  3. Search for the domain and click the domain name to open its management page.

Step 2: Open DNSSEC settings

  1. On the domain management page, locate the DNSSEC section (under the Nameservers or Advanced settings panel).
  2. Click Manage DNSSEC.

Step 3: Add a DS record

  1. Click Add DS Record.
  2. Enter the four DS fields from your DNS provider:
    • Key Tag — integer 0–65535
    • Algorithm — for example, 8 (RSA/SHA-256) or 13 (ECDSA Curve P-256 with SHA-256)
    • Digest Type — 1 (SHA-1), 2 (SHA-256), or 4 (SHA-384). Use 2 when possible.
    • Digest — the hex string from your DNS provider
  3. Click Save.

Example DS record:

example.com. IN DS 12345 13 2 49FD46E6C4B45C55D4AC69E9F5F1B0F8D6E0BC5CE9C0BC4A8B2D9F2E1A3B4C5D

OpenSRS forwards the DS record to the registry. Propagation to the parent zone is usually visible within an hour but can take up to 24 hours.
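The warning above describes what happens when the DS you submit does not match the DNSKEY your DNS provider is signing with. The following is an added example, not code from this article or from OpenSRS, that derives the four DS fields from a DNSKEY the way RFC 4034 specifies (Key Tag from Appendix B, digest over the owner name plus DNSKEY RDATA) so you can compare them against what you are about to paste into the control panel. The DNSKEY public key bytes are a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY: flags 257 (KSK), protocol 3, algorithm 13 (ECDSA P-256/SHA-256).
# The 64 public key bytes are an arbitrary placeholder, not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS = 257
SAMPLE_ALG = 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

# Digest types this check accepts; SHA-1 (type 1) is deprecated and deliberately left out.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key Tag per RFC 4034 Appendix B: a 16-bit checksum of the RDATA (not valid for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Owner name in canonical wire format: lowercase, length-prefixed labels, terminating root byte."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_from_dnskey(owner, flags, algorithm, pubkey_b64, digest_type=2):
    """Return the four DS fields (Key Tag, Algorithm, Digest Type, Digest) for a DNSKEY.
    Per RFC 4034 section 5.1.4 the digest covers owner name (wire format) + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(ds_fields, owner, flags, algorithm, pubkey_b64):
    """True only if the DS fields about to be submitted were derived from this DNSKEY."""
    tag, alg, dtype, digest = ds_fields
    if dtype not in DIGESTS or len(digest) != DIGESTS[dtype]().digest_size * 2:
        return False  # unsupported digest type, or a truncated/over-long paste of the digest
    return ds_from_dnskey(owner, flags, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest.upper())

if __name__ == "__main__":
    fields = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_ALG, SAMPLE_PUBKEY_B64)
    print("%s IN DS %d %d %d %s" % ((SAMPLE_OWNER,) + fields))
```

Run `ds_matches` with the Key Tag, Algorithm, Digest Type and Digest you copied from your DNS provider; a False result before submission is far cheaper than a 24 to 48 hour outage after it.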

Step 4: Verify DNSSEC is active

  1. Wait at least one hour after submission.
  2. Use a DNSSEC analyzer such as dnsviz.net or dnssec-analyzer.verisignlabs.com.
  3. Confirm the chain of trust resolves from the root through the TLD to your domain with no errors.

Step 5: Remove a DS record

Warning: Always remove DS records from the registry before your DNS provider stops signing the zone. Removing the DNSKEY first will break resolution.

  1. Return to Manage DNSSEC.
  2. Click the delete icon next to the DS record you want to remove.
  3. Confirm the deletion.
  4. Wait 24–48 hours for caches to expire before your DNS provider unsigns the zone.

Supported algorithms and digest types

Algorithm   Name                              Recommended
8           RSA/SHA-256                       Yes — widely supported
10          RSA/SHA-512                       Yes
13          ECDSA Curve P-256 with SHA-256    Yes — preferred (smaller, faster)
14          ECDSA Curve P-384 with SHA-384    Yes
15          Ed25519                           Yes, where supported
5, 7        RSA/SHA-1, RSASHA1-NSEC3-SHA1     No — deprecated

Digest Type   Name      Recommended
1             SHA-1     No — deprecated
2             SHA-256   Yes
4             SHA-384   Yes

Troubleshooting

  • "Invalid DS record" error on submission. Re-copy the four fields from your DNS provider. The digest is the most common source of paste errors.
  • Domain stops resolving after enabling DNSSEC. Check that your DNS provider is actually serving signed responses (RRSIG records). If not, remove the DS record at OpenSRS immediately.
  • Registry rejects the change. Some TLDs limit the number of DS records per domain or restrict supported algorithms. Check the TLD policy.

Next steps

  • Roll your keys on a schedule. Coordinate KSK rollovers with your DNS provider and update the DS record at OpenSRS before the old key expires.
  • Review nameserver and glue setup. DNSSEC depends on a healthy delegation. Confirm your nameservers and glue records are correct.
  • If you use Legacy Storefront DNSSEC, see the separate Configuring DNSSEC in Legacy Storefront article — it covers a different product flow.

Questions? Contact OpenSRS Support.