Enabling DNSSEC

DNSSEC activation involves several steps:
    1. the system checks the maximum TTL in the domain zone;
    2. the system signs the domain zone;
    3. a chain of trust is created.

Checking the maximum DNS TTL

The maximum DNS TTL in the zone must be less than 2 weeks. The default maximum value is 3 hours.
To set the TTL, navigate to Domains → Domain names → select a domain → click Records → TTL, sec. The default record TTL is 1 hour (3600 sec).

Signing domain zone

To sign a domain zone, go to Domains → Domain names → select a domain → click Edit → Sign domain. The system starts a background process that signs the domain zone; the KSK and ZSK are generated according to the specified parameters. While the domain zone is being signed, you will see an icon in the Status column, and you cannot Edit or Delete the domain during that process.
Once the system has signed the domain zone, you will see the notification icon in the Status column, the "Unpublished DS-records" banner appears in the panel interface, and the DNSSEC button becomes active for the domain.
The domain zone signing function is available only to "Users" and "Administrators".

Creating a chain of trust

To create a chain of trust, you need to transfer the DS-records (or, depending on the registrar, the KSK DNSKEY-records) into the parent zone. You can see the main key parameters and their DNSKEY and DS records in Domains → Domain names → select a domain → DNSSEC.
The following data are displayed for every DS-record:
  • Start of record — beginning of the DS-record;
  • Tag — KSK-key identifier;
  • Algorithm — signing algorithm identifier;
  • Digest type — digest type identifier;
  • Digest — digest content.
Show DNSKEY — click the button to see a table with DNSKEY-records. The following data are shown for every DNSKEY-record:
  • Start of record — beginning of the DNSKEY-record;
  • Flags — key type identifier;
  • Protocol — DNSSEC protocol number;
  • Algorithm — encryption algorithm identifier;
  • Public key — public part of the key;
  • Tag — KSK-key identifier.
DS-records are sent to the parent zone in one of the following ways:
    1. Add the records in the domain control panel on the registrar's side. If the registrar expects the records as strings, join the values of all columns of the DS-record table in ISPmanager into one string, separated by spaces.
    2. If the domain zone and its parent zone are on the same server managed by DNS management Portal, the DNSSEC parameters page shows the Send DS-records to the parent zone button. Click it to pass the DS-records.
    3. If the domain is the parent of a domain on a remote server, create the DS-records of the child domain manually: Domain names → Records → Add. Learn more in DNS records.
Once every 24 hours, DNS management Portal checks the DS-records in the parent zone. At least one DS-record for every KSK must be sent. Once the check succeeds, the warning in the Status column changes into the icon confirming that the domain is protected with DNSSEC.
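The DS columns listed above (Tag, Algorithm, Digest type, Digest) are derived from the DNSKEY columns (Flags, Protocol, Algorithm, Public key), so the string you type into a registrar form can be checked against the KSK before the panel's 24-hour check runs. The following Python is an added example, not DNS management Portal or ISPmanager code; the owner name and the 4-byte "public key" are constructed values, not a real key.

```python
import base64
import hashlib
import struct

# DS "Digest type" column -> hash function (RFC 4034, RFC 4509, RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(owner):
    """Owner name in canonical DNS wire format (lower case, length-prefixed labels)."""
    labels = [lbl for lbl in owner.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Flags, Protocol, Algorithm and Public key columns packed as DNSKEY RDATA."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag (the Tag column), RFC 4034 Appendix B; not valid for algorithm 1 (RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """Digest column: hash(owner name in wire format || DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The space-separated string a registrar form expects: tag algorithm digest_type digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches_dnskey(owner, ds_text, flags, protocol, algorithm, pubkey_b64):
    """Check a DS string from the parent zone against the child's KSK DNSKEY fields."""
    # A digest copied from a registrar form may be broken up by spaces; join the pieces.
    tag, alg, dtype, *digest = ds_text.split()
    if int(dtype) not in DIGEST_ALGS:
        return False  # unknown digest type: cannot be validated here
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (int(tag) == key_tag(rdata) and int(alg) == algorithm
            and "".join(digest).upper() == ds_digest(owner, rdata, int(dtype)))

if __name__ == "__main__":
    # Constructed KSK: flags 257 (KSK), protocol 3, algorithm 13, fake 4-byte key.
    print(ds_record("example.com", 257, 3, 13, "AQIDBA=="))
```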