Please note that DNSSEC is still a protocol under significant change. As such, we are not compliant with all possible options available under the DNSSEC protocol. We are working to make sure we stay up to date with it.

What is DNSSEC?

Briefly, DNSSEC is a means of securing your domain from certain types of man-in-the-middle attacks by attaching cryptographic signatures to the records that are served for it. Not all types of domains can be signed.

Please contact support to see if we support DNSSEC service for your domain type. While it is easiest when we are the registrar for the domain, this is NOT required.

There are two types of keys involved in signing a zone: the Key Signing Key and the Zone Signing Key. Both need to be generated for the zone to be signed. Please do not share these keys with anyone else.

DNSSEC should be strongly considered for domains [zones] that deal with financial, medical, and personal information, as well as for domains that handle any other sensitive information or are at risk of malicious activity.

Here are the key size restrictions as per our service levels. Sizes listed are the max key size and include all previous key sizes:

  • Domain Plus – 512 to 2048 bit
  • DNS Standard – 512 to 2048 bit
  • DNS Pro – 512 to 2048 bit
  • Enterprise – 512 to 2048 bit

DNS-Pro & Enterprise support DNSSEC Algorithm 13 ECDSA Curve P-256 with SHA-256.


Setting Up DNSSEC

To access the DNSSEC feature on your control panel, please do the following:

1. Log into your easyDNS account
2. Click on MANAGE for the domain (this will bring you to the DOMAIN ADMINISTRATION page)

3. Click on the TOOLS tab
4. Within the ADVANCED field, click on DNSSEC

Generating DNSSEC Keys

1. In the GENERATE DNSSEC KEYS section, fill out the necessary information, select ZONE SIGNING KEY, and click NEXT

This will create the ZONE SIGNING KEY and display it in your DNSSEC CONFIGURATION/STATUS.

2. Repeat the same process again but choose KEY SIGNING KEY and click NEXT

NOTE: The shorter the time span you give to a key, the more often you’ll need to roll the keys over. This is explained further in the Rollover Keys section below.

Signing Your Zone

1. In the DNSSEC CONTROL FUNCTIONS section, click on SIGN ZONE (this will bring up DNSSEC ZONE SIGNING TOOL)

2. Check off both boxes and click on CONFIRM

Activating DNSSEC For Your Domain

Once you’ve generated your keys and signed your zone, it’s time to activate the signing.


2. Check the box to confirm that you’d like to do this
3. Click on CONFIRM

Please note that the change can take up to 3 hours to propagate, but it will not cause any interruption to service during that time.

Signing The Domain At The Registry

Once you have done the above, the DS records need to be provided to the registry.

If easyDNS is NOT the registrar for your domain, you will need to contact your registrar and provide them with the DS Keys listed at the top of the page. Please do not share them with anyone else.

If easyDNS is the registrar for the domain, click on PUBLISH DS under the DNSSEC CONTROL FUNCTIONS:

This will automatically send us a notification to publish your keys at the registry. You will be contacted within 48 hours by support to confirm when this has been completed.

Rollover Keys

The keys are not permanent. When they expire or if they become compromised, they need to be changed. This process is called a Key Rollover. A Key Rollover is a process of generating and adding new keys to the activated zone.

To roll over your keys, click on ROLLOVER KEYS within the DNSSEC CONTROL FUNCTIONS section and fill in the necessary information.

Should you choose to create your rollover keys and not sign the zone, your DNSSEC status page will show as though the zone is not signed, which is not the case. This option is here for future functionality for pre-publishing rollover keys and is not yet completely functional.

Due to the tricky nature of rollovers, we have added an extra confirmation checkbox at the top. Please be sure to check it or the rollover will not initiate.

The process can take a little while so please be patient. Once the keys have been generated it will alert you that all is done and return you to the DNSSEC status page.

The KSK [Key Signing Key] should be rolled over yearly and the ZSK [Zone Signing Key] quarterly. The ZSK is used more often, which exposes more signed material to cryptographic analysis and increases the chance of compromise.

Please note that our DNSSEC feature is currently only available for the following domain extensions:

