Saturday, January 23, 2021

How to protect and sign your domain with DNSSEC using domain registrars

With DNSSEC, your domain name registrar plays a key role in linking your signed domain to the top-level name servers to form a "chain of trust". This trust relationship starts at the "root" of the DNS system, passes to the top-level domains (TLDs), then to second-level domain names ("") and so on down.

To sign your domain with DNSSEC and have it join the global trust chain, you need three conditions to be true:

1. YOUR TOP-LEVEL DOMAIN (TLD) MUST BE SIGNED – The major TLDs like .com, .org and .net have all been signed, as have a good number of country-code TLDs (ccTLDs), but many ccTLDs have yet to be signed. View the complete list of signed TLDs to confirm that your TLD has been signed.

2. YOUR DOMAIN REGISTRAR MUST SUPPORT DNSSEC – The registrar with which the domain is registered must support DNSSEC. In particular, they must be able to accept and process the Delegation Signer (DS) records that contain the necessary information about the keys used to sign the DNS zone, and they must be able to pass these DS records on to the parent domain (which is typically a TLD).

Check the list of registrars known to support DNSSEC, which is maintained by ICANN. If your registrar is listed, you may simply need to check its documentation to learn more about its DNSSEC support (see our tutorials below for some registrars). If your registrar is not listed, you may want to contact them to find out whether they already support DNSSEC or, if not, when they plan to.

3. YOUR DNS HOSTING PROVIDER MUST SUPPORT DNSSEC – Very often a "registrar" also provides "DNS hosting" services, in which they host your DNS records, let you manage those records, publish them to the global DNS, and so on. However, it is possible to use a different provider for the actual hosting of the DNS records (see an example). You can also choose to run your own name servers and handle DNS hosting yourself. Regardless of whether DNS hosting is provided by your registrar, by another company or by you, DNSSEC support is required there. Many DNS hosting providers automate DNSSEC so that all key generation and signing operations are handled on the user's behalf.

See the "More Information" section later in this page for a further description of how it works.

The following links provide tutorials on how to sign your domain name with DNSSEC using the DNS registrars and hosting providers listed.

The Internet Society Deploy360 program does not recommend or endorse any particular domain registrar. The information provided here helps users understand how to sign their domains with DNSSEC. WE ARE LOOKING TO ADD TUTORIALS HERE FOR ALL THE REGISTRARS THAT CURRENTLY SUPPORT DNSSEC. If you know of an additional registrar we should include, please contact us.

Registrars that support DNSSEC for registration and hosting

There are a large number of registrars that now support DNSSEC for domain registration or DNS hosting. Please visit:

To help people understand the process, we've written a couple of tutorials for these registrars that support DNSSEC for domain registration and DNS hosting.

Registrars that support DNSSEC only for domain registration

These registrars provide a process to add Delegation Signer (DS) records to your domain but do not provide DNSSEC signing of hosted domains (or do not offer DNS hosting at all). We have written a detailed example of how DNSSEC can work in this situation.

In addition to this list, the Internet Corporation for Assigned Names and Numbers (ICANN) maintains a list of registrars that support the use of DS records. The Public Interest Registry (PIR), the registry for .org, also maintains a list of registrars that support DNSSEC (look for a "Yes" in the final column). We will try to add tutorials on many of these registrars as we learn about their web interfaces.

More information

There are two elements to "sign" your domain:

  1. Your domain records must be signed with keys created for your domain.
  2. Information about your keys must be registered in a Delegation Signer (DS) record stored in the parent domain or TLD.

This "DS record" on the parent name server is what links the signed domain to the wider "chain of trust".
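To make concrete what a DS record actually carries, here is an added Python example (written for this page; it is not code from Deploy360 or from any registrar) that derives a DS record from a DNSKEY the way a registrar or DNS operator does, following RFC 4034 Appendix B for the key tag and RFC 4509 / RFC 6605 for the SHA-256 or SHA-384 digest over the canonical owner name plus the DNSKEY RDATA, and then checks that a DS published at the parent really matches the child's key. The owner name example.com. and the 4-byte public key are constructed placeholders, not real DNSSEC keys.

```python
import base64
import hashlib
import struct

# DS digest types: 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGORITHMS = {2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    """Encode an owner name in canonical (lower-case) DNS wire format."""
    if name in ("", "."):
        return b"\x00"  # the root name is a single empty label
    out = b""
    for label in name.rstrip(".").split("."):
        lab = label.lower().encode("ascii")
        out += bytes([len(lab)]) + lab
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Build DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(presentation):
    """Parse the presentation form '257 3 13 <base64 key>' into RDATA fields."""
    flags, protocol, algorithm, *key_parts = presentation.split()
    pubkey = base64.b64decode("".join(key_parts))
    return int(flags), int(protocol), int(algorithm), pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except retired RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Derive the DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGORITHMS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def format_ds(owner, ds):
    """Render a DS tuple in zone-file presentation format."""
    tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey):
    """Check that a DS record published at the parent matches the child's DNSKEY."""
    return make_ds(owner, flags, protocol, algorithm, pubkey, ds[2]) == tuple(ds)


if __name__ == "__main__":
    # Constructed example: 257 = KSK flags, 3 = protocol, 13 = ECDSAP256SHA256,
    # and a 4-byte placeholder key (a real P-256 key is 64 bytes).
    owner = "example.com."
    flags, protocol, algorithm, pubkey = parse_dnskey("257 3 13 AQIDBA==")
    ds = make_ds(owner, flags, protocol, algorithm, pubkey)
    print(format_ds(owner, ds))
    print("parent DS matches child DNSKEY:",
          ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey))
```

The practical use of ds_matches_dnskey is after a key rollover or a change of DNS hosting provider: recompute the DS from the DNSKEY your hosting provider is actually serving and compare it with what your registrar submitted to the parent, because a stale or mistyped DS at the parent breaks validation for the whole domain.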

For this to work, your domain name registrar must support DNSSEC and be able to pass the relevant information to the parent domain's name servers so that this DS record is created there. Note that this does not require your domain registrar to host your domain's records; some registrars distinguish between providing "registration" or "parking" services and providing "DNS hosting" services.

If you register your domain with one registrar and host your DNS records with another registrar / DNS hosting provider (or host the DNS records on your own name servers), the relationship is this:

  • Your domain registrar:
    • Holds a DS record containing information about the key used to sign your domain
    • Holds the NS (name server) records that point to the name servers hosting your domain
    • Provides the relevant information to the parent domain or TLD so that a DS record is created at that higher level
  • Your DNS hosting provider (or your own name servers if you host the domain yourself):
    • Signs the domain's records with the appropriate keys
    • Provides the relevant information to your registrar for creating the required DS record

If you want to see this relationship in action, check out our detailed example on using DNSSEC with a registrar and a different DNS hosting provider.
