DNSSEC stands for Domain Name System Security Extensions and it is a feature of the
Domain Name System (DNS) that authenticates responses to domain name DNS queries.
DNSSEC does not hide DNS lookup results, but it
prevents attackers from falsifying the responses to DNS requests.
As a domain holder, you need to activate DNSSEC in 2 places:
1. The DNS zone. When you enable DNSSEC on the DNS level, the DNS provider automatically creates and rotates the DNSKEY records and manages the zone data signing with RRSIG records. You will be given a DS record to add to the domain registry. You may refer to the DNS zone DNSSEC tutorial to enable DNSSEC if your domain uses Dynu name servers.
2. The domain registry such as .org. A DS record needs to be added to the domain registry through the domain registrar to authenticate a DNSKEY record in the DNS zone. This tutorial shows you how to add a DS record if your domain name is registered with Dynu.
Open a Web browser and type http://www.dynu.com/ControlPanel in the address bar then press the enter key. Use your username/email address and password to log into the control panel.
After logging into the control panel, go to Domain Registration section and click on the domain name for which you want to configure DNSSEC.
In your domain settings, you will see an option to manage DNSSEC.
Take the DS record from the DNS provider and add the record.
Key Tag: A number that identifies the DS record. The tag in this example is 64568.
Algorithm: The method used to produce the message digest. ECDSA/SHA-256 (13) was used in the example above.
Digest Type: The hashing function used to create a message digest. SHA-256 (2) was used in the current example.
Digest: The message digest (the long string in each record) contained in the .ds file.
NOTE:
As a domain holder, you need to activate DNSSEC in 2 places:
1. The DNS zone. When you enable DNSSEC on the DNS level, the DNS provider automatically creates and rotates the DNSKEY records and manages the zone data signing with RRSIG records. You will be given a DS record to add to the domain registry. You may refer to the DNS zone DNSSEC tutorial to enable DNSSEC if your domain uses Dynu name servers.
2. The domain registry such as .org. A DS record needs to be added to the domain registry through the domain registrar to authenticate a DNSKEY record in the DNS zone. This tutorial shows you how to add a DS record if your domain name is registered with Dynu.
STEP 1: Log into the control panel
Open a Web browser and type http://www.dynu.com/ControlPanel in the address bar then press the enter key. Use your username/email address and password to log into the control panel.
STEP 2: Find your domain settings
After logging into the control panel, go to Domain Registration section and click on the domain name for which you want to configure DNSSEC.
STEP 3: Add DS record
In your domain settings, you will see an option to manage DNSSEC.
Take the DS record from the DNS provider and add the record.
Key Tag: A number that identifies the DS record. The tag in this example is 64568.
Algorithm: The method used to produce the message digest. ECDSA/SHA-256 (13) was used in the example above.
Digest Type: The hashing function used to create a message digest. SHA-256 (2) was used in the current example.
Digest: The message digest (the long string in each record) contained in the .ds file.
NOTE:
- If your domain name is registered with us and you also use our DNS/DDNS, the DS record will be added automatically when you enable DNSSEC in the DNS zone. You only need to verify that the DS record is added.
- If your domain name is registered with us but you do not see DNSSEC icon in STEP 3, then the DS record cannot be managed in the control panel yet. You may open a support ticket with details of the DS record and our staff will have the DS record added for you.