Please note that the DNSSEC is still a protocol under significant change. As such, we are not compliant with all possible options available under the DNSSEC protocol. We are working to make sure we stay up to date with that.

What is DNSSEC?

Briefly, DNSSEC is a means of securing your domain from certain types of man in the middle attacks by attaching encrypted signatures to the records that are served for it. Not all types of domains can be signed.

Please contact support to see if we support DNSSEC service for your domain type. While it is easiest when we are the registrar for the domain, this is NOT required.

There are two types of keys involved in signing a zone, the Key Signing Key and the Zone Signing Key. Both need to be generated for the zone to be signed. Please do not share these keys with anyone else.

DNSSEC should be strongly considered for domains [zones] that deal with financial, medical, and personal information. Also for domains that handle any other sensitive information or at risk of malicious activity.

Here are the key size restrictions as per our service levels. Sizes listed are the max key size and include all previous key sizes:

  • Domain Plus 512 to 2048 bit
  • DNS Standard – 512 to 2048 bit
  • DNS Pro – 512 to 2048 bit
  • Enterprise – 512 to 2048 bit

DNS-Pro & Enterprise support DNSSEC Algorithm 13 ECDSA Curve P-256 with SHA-256.


Setting Up DNSSEC

To access the DNSSEC feature on your control panel, please do the following:

1. Log into your easyDNS account.
2. Click on MANAGE.

3. Click on DNSSEC under TOOLS.

Generating DNSSEC Keys

1. In the GENERATE DNSSEC KEYS section, fill out the necessary information, select ZONE SIGNING KEY, and click NEXT.

This will create the ZONE SIGNING KEY and display it in your DNSSEC CONFIGURATION/STATUS.

2. Repeat the same process again but choose KEY SIGNING KEY and click NEXT.

NOTE: The shorter the time span you give to a key, the more often you’ll need to roll the keys over. This is explained further in the Rollover Keys section below.

Signing Your Zone

1. In the DNSSEC CONTROL FUNCTIONS section, click on SIGN ZONE.

2. Check both boxes and click on CONFIRM.

Activating DNSSEC For Your Domain

Once you’ve generated your keys and signed your zone, it’s time to activate the signing.

1. In the DNSSEC CONTROL FUNCTIONS section, click on ACTIVATE.

2. Check the box to confirm that you’d like to do this and click on CONFIRM.

Please note that the change can take up to 3 hours to propagate but it will not cause any interruption to service during the time.

Signing The Domain At The Registry

Once you have done the above, the DS records need to be provided to the registry.

If easyDNS is NOT the registrar for your domain, you will need to contact your registrar and provide them with the DS Keys listed at the bottom of the page. You can use the following formatting to provide the information to your current registrar. Note that the values are just an example from the screenshots, so you will want to replace them with your own keys:

Key Tag: 63589
Algorithm Type: 8
Digest Type: 1
Digest: FFE95C4504837FC07C341FE1E803ACD5CE823

Key Tag: 63589
Algorithm Type: 8
Digest Type: 2
Digest: F29355B0FD79C3BA6D199F81C000B2C141B3193BEB14AAA1D94F97B69ECEC2A

If easyDNS is the registrar for the domain, click on PUBLISH DS under the DNSSEC CONTROL FUNCTIONS:

This will automatically send us a notification to publish your keys at the registry. You will be contacted within 48 hours by support to confirm when this has been completed.

DNSSEC With Another DNS Provider

The UPLOAD DS page can be used to upload a DS record to the registry for a domain that has registration with us but DNS is managed elsewhere. You can also manage currently published DS records found at the registry.

Rollover Keys

The keys are not permanent. When they expire or if they become compromised, they need to be changed. This process is called a Key Rollover. A Key Rollover is a process of generating and adding new keys to the activated zone.

To rollover just click on ROLLOVER KEYS within the DNSSEC CONTROL FUNCTIONS section and fill in the necessary information.

Should you select to create your rollover keys and not sign the zone, your DNSSEC status page will show as though the zone is not signed, which is not the case. This option is here for future functionality for pre-publishing rollover keys and is not yet completely functional.

Due to the tricky nature of rollovers, we have added an extra confirmation checkbox at the top. Please be sure to check it or the rollover will not initiate.

The process can take a little while so please be patient. Once the keys have been generated it will alert you that all is done and return you to the DNSSEC status page.

The KSK [Key Signing Key] should be rolled over yearly and the ZSK [Zone Signing Key] should be done quarterly as they’re used more often which will allow for more cryptographic analysis and compromise.

Please note that our DNSSEC feature is currently only available for the following domain extensions:


Leave a Reply