Posted by Ryan M. on 31 August 2017 11:45 AM

Please note that the DNSSEC is still a protocol under significant change. As such, we are not compliant with all possible options available under the DNSSEC protocol. We are working to make sure we stay up to date with that.

What is DNSSEC?

Briefly, DNSSEC is a means of securing your domain from certain types of man in the middle attacks by attaching encrypted signatures to the records that are served for it. Not all types of domains can be signed. For an introduction to DNSSEC, please see our article HERE.

Please contact support to see if we support DNSSEC service for your domain type. While it is easiest when we are the registrar for the domain, this is NOT required.

NOTE: The DNSSEC feature is currently NOT available under our Domain Plus service level. For further details on how to upgrade your service level to use this feature, please go HERE
NOTE: Our DNSSEC feature is currently only available for COM, NET, ORG, NAME, TV, CA and CC domains.

There are two types of keys involved in signing a zone, the Key Signing Key and the Zone Signing Key. Both need to be generated for the zone to be signed. Please do not share these keys with anyone else.

Here are the key size restrictions as per our service levels. Sizes listed are max key size and include all previous key sizes:

  • DomainPlus does not support DNSSEC
  • DNS-Standard - 512 bit
  • DNS-Pro - 1024 bit
  • Enterprise - 2048 bit


To access the DNSSEC feature on your control panel, please do the following:

1. Log into your easyDNS account
2. Click on MANAGE for said domain (this will bring you to the DOMAIN ADMINISTRATION page)

DNSSEC with easyDNS

3. Click on the TOOLS tab
4. Within the ADVANCED field, click on DNSSEC

DNSSEC with easyDNS

Generating DNSSEC Keys

1. In the GENERATE DNSSEC KEYS section, fill out the necessary information, select ZONE SIGNING KEY, and click NEXT

DNSSEC with easyDNS

This will create the ZONE SIGNING KEY and display it in your DNSSEC CONFIGURATION/STATUS.

2. Repeat the same process again but choose KEY SIGNING KEY and click NEXT

DNSSEC with easyDNS

NOTE: The shorter the time span you give to a key, the more often you'll need to roll the keys over. This is explained further in the Rollover Keys section below.

Signing Your Zone

1. In the DNSSEC CONTROL FUNCTIONS section, click on SIGN ZONE (this will bring up DNSSEC ZONE SIGNING TOOL)

DNSSEC with easyDNS

2. Check off both boxes and click on CONFIRM

DNSSEC with easyDNS

NOTE: Do not select DLV keys unless you are planning on setting up Domain Look-Aside Validation for the domain type that has not been signed by the registry.

Activating DNSSEC For Your Domain

Once you've generated your keys and signed your zone, it's time activate the signing.


DNSSEC with easyDNS

2. Check the box to confirm that you'd like to do this
3. Click on CONFIRM

DNSSEC with easyDNS

Please note that the change can take up to 3 hours to propagate but it will not cause any interruption to service during the time.

Signing The Domain At The Registry

Once you have done the above, the DS records need to be provided to the registry.

If easyDNS is NOT the registrar for your domain, you will need to contact your registrar and provide them with the DS Keys listed at the top of the page. Please do not share them with anyone else.

If easyDNS is the registrar for the domain, click on PUBLISH DS under the DNSSEC CONTROL FUNCTIONS:

DNSSEC with easyDNS

This will automatically send us a notification to publish your keys at the registry. You will be contacted within 48 hours by support to confirm when this has been completed. 

DNSSEC with easyDNS

NOTE: This is currently only available for NET, COM, NAME, TV, CA and CC domains.

Rollover Keys

Keys are not permanent. When they expire or if they become compromised, they need to be changed. This process is called a Key Rollover. A Key Rollover is a process of generating and adding new keys to the activated zone.

To rollover just click on ROLLOVER KEYS within the DNSSEC CONTROL FUNCTIONS section and fill in the necessary information.

Should you select to create your rollover keys and not sign the zone, your DNSSEC status page will show as though the zone is not signed, which is not the case. This option is here for future functionality for pre-publishing rollover keys and is not yet completely functional.

Due to the tricky nature of rollovers, we have added an extra confirmation checkbox at the top. Please be sure to check it or the rollover will not initiate.

The process can take a little while so please be patient. Once the keys have been generated it will alert you that all is done and return you to the DNSSEC status page.

(6 vote(s))
Not helpful

Comments (0)
Post a new comment
Full Name: