DNSSEC
Enable DNS Security Extensions for cryptographic protection.
Overview
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, protecting against DNS spoofing and cache poisoning attacks.
How DNSSEC Works
Enabling DNSSEC
Enable DNSSEC
TypeScript:

```typescript
const dnssec = await client.domains.dnssec.enable('example.com');
console.log('DNSSEC enabled!');
console.log('DS Records:');
for (const ds of dnssec.dsRecords) {
  console.log(` Key Tag: ${ds.keyTag}`);
  console.log(` Algorithm: ${ds.algorithm}`);
  console.log(` Digest Type: ${ds.digestType}`);
  console.log(` Digest: ${ds.digest}`);
}
```

Python:

```python
dnssec = client.domains.dnssec.enable("example.com")
print("DNSSEC enabled!")
print("DS Records:")
for ds in dnssec.ds_records:
    print(f" Key Tag: {ds.key_tag}")
    print(f" Algorithm: {ds.algorithm}")
    print(f" Digest Type: {ds.digest_type}")
    print(f" Digest: {ds.digest}")
```

Auto-publication
DS records are automatically published to the parent zone when you enable DNSSEC through our API.
Checking DNSSEC Status
```typescript
const status = await client.domains.dnssec.getStatus('example.com');
console.log('DNSSEC Status:');
console.log(' Enabled:', status.enabled);
console.log(' Validated:', status.validated);
console.log(' Algorithm:', status.algorithm);
console.log(' Key Tag:', status.keyTag);
if (status.dsRecords) {
  console.log('DS Records published:', status.dsRecords.length);
}
```

DS Records
DS (Delegation Signer) records link your domain's DNSSEC to the parent zone.
View DS Records
```typescript
const dnssec = await client.domains.dnssec.getStatus('example.com');
for (const ds of dnssec.dsRecords) {
  console.log('DS Record:');
  console.log(` ${ds.keyTag} ${ds.algorithm} ${ds.digestType} ${ds.digest}`);
}
```

DS Record Format

```text
<key_tag> <algorithm> <digest_type> <digest>
```

Example:

```text
12345 13 2 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
```
Algorithm Types
| Algorithm | Name | Recommended |
|---|---|---|
| 8 | RSA/SHA-256 | Yes |
| 13 | ECDSA P-256/SHA-256 | Yes (preferred) |
| 14 | ECDSA P-384/SHA-384 | Yes |
| 15 | Ed25519 | Yes |
| 16 | Ed448 | Yes |
Digest Types
| Type | Name | Recommended |
|---|---|---|
| 2 | SHA-256 | Yes |
| 4 | SHA-384 | Yes |
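As an added example (not the provider's SDK code), the following TypeScript parses a DS record in the presentation format shown above and checks each field against the two tables: the key tag must be a 16-bit integer, the algorithm and digest type should be in the recommended sets, and the digest length must match its type (a SHA-256 digest is 32 bytes, i.e. 64 hex characters; SHA-384 is 48 bytes, 96 hex characters). One caveat a practitioner should know: the 40-character digest in the example line above has the length of a SHA-1 digest, not SHA-256, so the parser flags it, and the passing sample below uses a constructed 64-character value. All sample lines are constructed, not real DS data.

```typescript
// Added example, not part of the provider's SDK: parse and sanity-check a DS
// record in presentation format "<key_tag> <algorithm> <digest_type> <digest>".

// Algorithms the page's table lists as recommended.
const RECOMMENDED_ALGORITHMS: Record<number, string> = {
  8: "RSA/SHA-256",
  13: "ECDSA P-256/SHA-256",
  14: "ECDSA P-384/SHA-384",
  15: "Ed25519",
  16: "Ed448",
};

// Digest types the page's table lists, with the hex length a digest of that
// type must have (SHA-256 = 32 bytes = 64 hex chars, SHA-384 = 48 bytes = 96).
const DIGEST_TYPES: Record<number, { name: string; hexLength: number }> = {
  2: { name: "SHA-256", hexLength: 64 },
  4: { name: "SHA-384", hexLength: 96 },
};

export interface DsRecord {
  keyTag: number;
  algorithm: number;
  digestType: number;
  digest: string; // lowercase hex, any whitespace-separated chunks joined
}

export interface DsParseResult {
  record: DsRecord | null; // null only when the line does not have four fields
  problems: string[];      // empty when the record passes every check
}

export function parseDs(line: string): DsParseResult {
  // Zone files may wrap the digest in "( ... )" and split it across whitespace.
  const fields = line.replace(/[()]/g, " ").trim().split(/\s+/);
  if (fields.length < 4) {
    return { record: null, problems: [`expected 4 fields, got ${fields.length}`] };
  }
  const [tagText, algText, typeText] = fields;
  const keyTag = Number(tagText);
  const algorithm = Number(algText);
  const digestType = Number(typeText);
  const digest = fields.slice(3).join("").toLowerCase();
  const problems: string[] = [];

  if (!Number.isInteger(keyTag) || keyTag < 0 || keyTag > 0xffff) {
    problems.push(`key tag "${tagText}" is not a 16-bit integer`);
  }
  if (!(algorithm in RECOMMENDED_ALGORITHMS)) {
    problems.push(`algorithm ${algText} is not in the recommended set (8, 13, 14, 15, 16)`);
  }
  const type = DIGEST_TYPES[digestType];
  if (type === undefined) {
    problems.push(`digest type ${typeText} is not in the recommended set (2, 4)`);
  }
  if (!/^[0-9a-f]+$/.test(digest)) {
    problems.push("digest is not hexadecimal");
  } else if (type !== undefined && digest.length !== type.hexLength) {
    problems.push(`${type.name} digest must be ${type.hexLength} hex chars, got ${digest.length}`);
  }
  return { record: { keyTag, algorithm, digestType, digest }, problems };
}

// Constructed sample lines (not real DS data).
export const SAMPLE_DS_OK = "12345 13 2 " + "0123456789abcdef".repeat(4);
// The page's example digest: 40 hex chars, which is SHA-1 length, not SHA-256.
export const SAMPLE_DS_SHORT_DIGEST = "12345 13 2 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE";
// RSA/SHA-1 (algorithm 5) with a SHA-1 (type 1) digest: neither is in the recommended tables.
export const SAMPLE_DS_OLD_ALGORITHM = "12345 5 1 " + "0123456789abcdef".repeat(4);

for (const line of [SAMPLE_DS_OK, SAMPLE_DS_SHORT_DIGEST, SAMPLE_DS_OLD_ALGORITHM]) {
  const { problems } = parseDs(line);
  console.log(line.slice(0, 14) + "...", problems.length === 0 ? "ok" : problems.join("; "));
}
```

Run it against the DS lines you are about to publish to the parent; a length mismatch or an unlisted algorithm is caught before the delegation goes live rather than showing up later as a chain failure.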
DNSKEY Records
DNSKEY records contain the public keys used to sign DNS records.
View DNSKEY Records
```typescript
const keys = await client.domains.dnssec.getKeys('example.com');
for (const key of keys) {
  console.log('DNSKEY:');
  console.log(` Flags: ${key.flags}`);
  console.log(` Protocol: ${key.protocol}`);
  console.log(` Algorithm: ${key.algorithm}`);
  console.log(` Public Key: ${key.publicKey.substring(0, 50)}...`);
  console.log(` Key Type: ${key.keyType}`); // KSK or ZSK
}
```

Key Types
| Type | Description |
|---|---|
| KSK | Key Signing Key - signs DNSKEY records |
| ZSK | Zone Signing Key - signs other records |
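The DS record the parent publishes is derived from the child's KSK, which is what ties the DS and DNSKEY sections together. As an added example (not the provider's SDK code), the TypeScript below builds the DNSKEY RDATA, computes the key tag (RFC 4034 Appendix B; the obsolete RSA/MD5 special case is left out), hashes the canonical owner name plus RDATA into the DS digest (RFC 4034 section 5.1.4), classifies a key as KSK or ZSK from its flags, and checks whether a published DS matches some KSK in the key set, which is the "DS record found" part of the validation described further down the page. It uses Node's crypto module; the sample keys are constructed 4-byte placeholders, not real public keys, chosen so the key tag can be checked by hand.

```typescript
import { createHash } from "crypto";

// Added example, not the provider's SDK: derive the DS record for a DNSKEY
// (RFC 4034: key tag in Appendix B, DS digest in section 5.1.4) and check a
// published DS against a child's key set.

export interface Dnskey {
  flags: number;     // 256 = ZSK, 257 = KSK (Zone Key bit plus Secure Entry Point bit)
  protocol: number;  // always 3 for DNSSEC
  algorithm: number; // e.g. 13 = ECDSA P-256/SHA-256
  publicKey: Buffer; // raw key bytes (the base64 field of the zone file, decoded)
}

export interface Ds {
  keyTag: number;
  algorithm: number;
  digestType: 2 | 4; // 2 = SHA-256, 4 = SHA-384
  digest: string;    // hex
}

const ZONE_KEY_FLAG = 0x0100; // bit 7 of the flags field
const SEP_FLAG = 0x0001;      // bit 15, Secure Entry Point: marks the KSK

export function keyType(flags: number): "KSK" | "ZSK" | "not a zone key" {
  if ((flags & ZONE_KEY_FLAG) === 0) return "not a zone key";
  return (flags & SEP_FLAG) !== 0 ? "KSK" : "ZSK";
}

// DNSKEY RDATA in wire format: flags (2 bytes) | protocol (1) | algorithm (1) | public key.
export function dnskeyRdata(key: Dnskey): Buffer {
  const header = Buffer.alloc(4);
  header.writeUInt16BE(key.flags, 0);
  header.writeUInt8(key.protocol, 2);
  header.writeUInt8(key.algorithm, 3);
  return Buffer.concat([header, key.publicKey]);
}

// Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5, algorithm 1).
export function keyTag(rdata: Buffer): number {
  let ac = 0;
  for (let i = 0; i < rdata.length; i++) {
    const b = rdata[i] ?? 0; // "?? 0" only satisfies strict index typing; i is always in range
    ac += (i & 1) ? b : b << 8;
  }
  ac += (ac >> 16) & 0xffff;
  return ac & 0xffff;
}

// Owner name in canonical wire format (RFC 4034 section 6.2): lowercase ASCII labels,
// each prefixed by its length, terminated by the zero-length root label.
// Internationalised names must already be in their A-label (punycode) form.
export function canonicalName(name: string): Buffer {
  const labels = name.toLowerCase().split(".").filter((label) => label.length > 0);
  const parts = labels.map((label) =>
    Buffer.concat([Buffer.from([label.length]), Buffer.from(label, "ascii")]),
  );
  parts.push(Buffer.from([0]));
  return Buffer.concat(parts);
}

// DS digest = hash(canonical owner name | DNSKEY RDATA).
export function dsFromDnskey(owner: string, key: Dnskey, digestType: 2 | 4 = 2): Ds {
  const rdata = dnskeyRdata(key);
  const digest = createHash(digestType === 2 ? "sha256" : "sha384")
    .update(canonicalName(owner))
    .update(rdata)
    .digest("hex");
  return { keyTag: keyTag(rdata), algorithm: key.algorithm, digestType, digest };
}

// "DS record found": does some DS published in the parent match a KSK in the child's DNSKEY set?
export function publishedDsMatches(owner: string, published: Ds[], keys: Dnskey[]): boolean {
  return keys.some((key) => {
    if (keyType(key.flags) !== "KSK") return false; // DS records point at KSKs
    return published.some((ds) => {
      const derived = dsFromDnskey(owner, key, ds.digestType);
      return derived.keyTag === ds.keyTag && derived.algorithm === ds.algorithm
        && derived.digest === ds.digest.toLowerCase();
    });
  });
}

// Constructed sample keys: 4-byte placeholders, NOT real P-256 public keys, so the
// KSK key tag can be checked by hand. RDATA 01 01 03 0d 01 02 03 04 gives
// 0x0100 + 0x01 + 0x0300 + 0x0d + 0x0100 + 0x02 + 0x0300 + 0x04 = 2068.
export const SAMPLE_KSK: Dnskey = { flags: 257, protocol: 3, algorithm: 13, publicKey: Buffer.from([1, 2, 3, 4]) };
export const SAMPLE_ZSK: Dnskey = { flags: 256, protocol: 3, algorithm: 13, publicKey: Buffer.from([9, 9, 9, 9]) };

const sampleDs = dsFromDnskey("Example.COM.", SAMPLE_KSK);
console.log(`example.com. IN DS ${sampleDs.keyTag} ${sampleDs.algorithm} ${sampleDs.digestType} ${sampleDs.digest}`);
console.log("published DS matches a KSK:", publishedDsMatches("example.com", [sampleDs], [SAMPLE_ZSK, SAMPLE_KSK]));
```

Because the owner name is part of the hashed input, a DS computed for the wrong name (or for a non-canonical, mixed-case name that was not lowercased) will never match, which is one reason a DS you generate yourself should be checked against the DNSKEY actually served before it is sent to the registrar.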
Key Rotation
Keys are automatically rotated for security. You can also trigger manual rotation.
Automatic Rotation
```typescript
await client.domains.dnssec.configure('example.com', {
  autoRotation: true,
  zskRotationDays: 90,
  kskRotationDays: 365,
});
```

Manual Key Rotation

```typescript
// Rotate ZSK (Zone Signing Key)
await client.domains.dnssec.rotateKey('example.com', {
  keyType: 'ZSK',
});
// Rotate KSK (Key Signing Key) - updates DS record
await client.domains.dnssec.rotateKey('example.com', {
  keyType: 'KSK',
});
```

Disabling DNSSEC
Disable DNSSEC
```typescript
await client.domains.dnssec.disable('example.com');
console.log('DNSSEC disabled');
// DS records will be removed from parent zone
```

Important: Proper Disable Sequence
When disabling DNSSEC, the proper sequence is:
1. Remove DS records from parent zone
2. Wait for TTL to expire
3. Remove DNSSEC from zone
Our API handles this automatically with the recommended delays.
Validation
Validate DNSSEC Setup
```typescript
const validation = await client.domains.dnssec.validate('example.com');
console.log('DNSSEC Validation:');
console.log(' Chain valid:', validation.chainValid);
console.log(' DS record found:', validation.dsRecordFound);
console.log(' Signatures valid:', validation.signaturesValid);
if (validation.errors.length > 0) {
  console.log('Errors:');
  for (const error of validation.errors) {
    console.log(` - ${error}`);
  }
}
```

Common Validation Errors
| Error | Cause | Solution |
|---|---|---|
| NO_DS_RECORD | DS not in parent zone | Wait or republish |
| SIGNATURE_EXPIRED | RRSIG expired | Resign zone |
| DNSKEY_MISSING | No DNSKEY record | Re-enable DNSSEC |
| CHAIN_BROKEN | Parent doesn't validate | Check parent zone |
External Nameservers
If using external nameservers, you need to provide your DS records.
Get DS Records for External Setup
```typescript
// Generate DS records for external nameservers
const ds = await client.domains.dnssec.generateDs('example.com', {
  algorithm: 13, // ECDSA
  publicKey: 'your-public-key-base64',
});
console.log('Add this DS record to parent zone:');
console.log(ds.record);
```

Add External DS Record

```typescript
await client.domains.dnssec.addDs('example.com', {
  keyTag: 12345,
  algorithm: 13,
  digestType: 2,
  digest: '49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE',
});
```

Monitoring
DNSSEC Health Checks
```typescript
const health = await client.domains.dnssec.getHealth('example.com');
console.log('DNSSEC Health:');
console.log(' Status:', health.status); // healthy, degraded, broken
console.log(' Last checked:', health.lastChecked);
console.log(' Next key rotation:', health.nextRotation);
if (health.issues.length > 0) {
  console.log('Issues:');
  for (const issue of health.issues) {
    console.log(` - ${issue.severity}: ${issue.message}`);
  }
}
```

Webhooks for DNSSEC Events

```typescript
const webhook = await client.domains.webhooks.create({
  url: 'https://yourapp.com/webhooks/domains',
  events: [
    'dnssec.enabled',
    'dnssec.disabled',
    'dnssec.key_rotated',
    'dnssec.validation_failed',
  ],
});
```

Best Practices
1. Enable on All Domains
```typescript
const domains = await client.domains.list();
for (const domain of domains) {
  const status = await client.domains.dnssec.getStatus(domain.domainName);
  if (!status.enabled) {
    await client.domains.dnssec.enable(domain.domainName);
    console.log(`Enabled DNSSEC for ${domain.domainName}`);
  }
}
```

2. Monitor Validation
Set up alerts for DNSSEC validation failures:

```typescript
// Check daily
const domains = await client.domains.list();
for (const domain of domains) {
  const health = await client.domains.dnssec.getHealth(domain.domainName);
  if (health.status !== 'healthy') {
    alertOps(`DNSSEC issue on ${domain.domainName}: ${health.status}`);
  }
}
```

3. Use Modern Algorithms
Prefer ECDSA (algorithm 13) over RSA:
- Smaller keys
- Better performance
- Strong security
Next Steps
- Email Integration - Set up for email
- Settings - Domain security
- API Reference - Complete API docs