DNS

How to install DNSSEC

DNSSEC is a way to digitally “sign” your DNS data, preventing man-in-the-middle DNS attacks. If you have been provided with a DNSSEC record by your DNS provider, you can use the following steps to install it.

⚠️ Warning

Porkbun’s authoritative DNS does not support DNSSEC; however, we can install the registry-level record for you as provided by your third-party DNS provider, such as Cloudflare. You can find more information on Cloudflare DNSSEC here.

1. Log in. You should arrive at the Domain Management screen. If you’re already logged in, click your username in the top-right corner and select Domain Management.

2. Locate your domain and click the drop-down list to the right. On the menu that appears, click the “Manage” option next to “DNSSEC”.

3. On the “Domain Name System Security” screen, enter the required information, then select the green “Create” button at the bottom left of the page.

Please note that not all registries support keyData. If you get an error while creating a DNSSEC record, try creating it without the keyData information. If that doesn’t work, try creating it with only the keyData information.

That’s it! The DNSSEC record is created. Resolvers such as Google’s 8.8.8.8 service will now check every DNS lookup to make sure your authoritative DNS server (see: How to assign nameservers) is returning records signed by the DNSSEC record you just installed, ensuring a man-in-the-middle attack is not occurring. Your domain should now pass DNSSEC validation using a service such as https://dnssec-analyzer.verisignlabs.com/

The following is a brief explanation of what each entry means.

Key Tag

Used to identify the DNSSEC key for the domain

Algorithm

Identifies the algorithm used to create the signature

Digest Type

Identifies the algorithm used to create the digest

Digest

The digest value (the hash of the key)

Key Data

Not all registries support keyData. If you get an error while creating a DNSSEC record, try creating it without the keyData information.

Max Sig Life

Indicates the amount of time, in seconds, that the signature is valid

Flags

Indicates the key type (zone-signing or key-signing)

Protocol

Identifies the protocol for the key match-up

Key Data Algorithm

Identifies the algorithm used to generate the key data

Public Key

Key the registry uses to encrypt the DS records
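To make the Key Tag, Algorithm, Digest Type, Digest and Flags fields concrete, the following is an added Python example (not Porkbun’s code and not part of this article) that derives the DS fields from DNSKEY key data the way RFC 4034 specifies, and checks a DS record you are about to enter against that key. The domain name, flags and “public key” bytes are constructed sample values, not a real zone key; the function names are this example’s own.

```python
import base64
import hashlib
import struct

# Constructed sample values, not a real zone key. Flags 257 marks a key-signing key
# (bit 7 = zone key, bit 15 = secure entry point); protocol is always 3 for DNSSEC;
# algorithm 13 is ECDSAP256SHA256. The "public key" is a short made-up byte string
# so the record stays readable; a real key is far longer.
SAMPLE_NAME = "Example.COM."
SAMPLE_FLAGS = 257
SAMPLE_PROTOCOL = 3
SAMPLE_ALGORITHM = 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes.fromhex("0102030405060708")).decode()

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384 (type 3, GOST, is not in hashlib).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the form used for every algorithm except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(name: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), as uppercase hex."""
    return DIGEST_TYPES[digest_type](name_to_wire(name) + rdata).hexdigest().upper()


def make_ds(name, flags, protocol, algorithm, pubkey_b64, digest_type=2) -> dict:
    """Compute the four DS fields the registrar form asks for from the key data."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(name, rdata, digest_type)}


def verify_ds(name, flags, protocol, algorithm, pubkey_b64, ds: dict) -> bool:
    """Check that a DS record (e.g. one pasted into the registrar form) matches the DNSKEY."""
    expected = make_ds(name, flags, protocol, algorithm, pubkey_b64, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and expected["digest"].lower() == ds["digest"].lower())


def key_role(flags: int) -> str:
    """Translate the Flags field: 257 = key-signing key (SEP bit set), 256 = zone-signing key."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"


def ds_presentation(name: str, ds: dict) -> str:
    """Render the DS record in zone-file form, as a DNSSEC analyzer would display it."""
    return f"{name.lower()} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


if __name__ == "__main__":
    ds = make_ds(SAMPLE_NAME, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    print(ds_presentation(SAMPLE_NAME, ds), "|", key_role(SAMPLE_FLAGS))
    print("DS matches DNSKEY:",
          verify_ds(SAMPLE_NAME, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64, ds))
```

The point of the check is that the registry only ever publishes the DS fields (key tag, algorithm, digest type, digest), so if a registry rejects the keyData block, nothing is lost as long as those four values were computed from the DNSKEY your provider actually serves. Running verify_ds against the DNSKEY shown in your provider’s dashboard before submitting the form catches a copy-and-paste error, which would otherwise leave the domain failing validation at every resolver that checks DNSSEC.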

 

 
