How to Set Up DNSSEC


DNSSEC is a technology developed to protect us and the Domain Name System (DNS) against malicious attacks by digitally signing data, so users can be sure the answer they get from the DNS is valid.

Implementing DNSSEC requires cooperation from several parties, because it has to be deployed along the whole chain of DNS servers. Managing the process on the authoritative side is harder, because the zone signing procedure isn’t that simple. But because we are not all equally tech-savvy, registrars offer a simple process for deploying DNSSEC. Usually, it only requires switching DNSSEC ON on your DNS Management Page. If that is not the case, registrars offer DNSSEC support, so you can activate DNSSEC somewhere else and connect it to your domain using this DNSSEC support functionality at your registrar of choice. Let’s explore both cases.

First case – where your registrar generates DNSSEC parameters:

Let’s assume that you have a domain name registered with a company that offers DNSSEC and has DNSSEC implemented. Go to your control panel and find DNSSEC. It usually looks something like this:

Or something like this:

When you click on the button related to DNSSEC you should get something like this:

This is the DS record, constructed from information retrieved from the (relevant authoritative) zone and your domain name. The only thing you should do at this point is click the SAVE button, and everything should work smoothly. Important note: DNSSEC is NOT connected to your website by any means.

Second case – where your registrar is not able to generate DNSSEC parameters:

Your domain name can still remain with that registrar, but you will have to use another service that is able to generate the data needed for DNSSEC. Let’s see what that means through an example. First, locate DNSSEC:

The fields on the screen are not pre-filled like in the first example.

But you can manually fill in the fields.

It means that we should find a service provider that offers DNSSEC and copy/paste the necessary information into these fields. For example, you can use CloudFlare.

Follow these steps:

  1. Create and/or log in to your CloudFlare account.
  2. Add a new website. After CloudFlare retrieves all information from your existing nameservers, switch to CloudFlare servers by updating the DNS server information (CloudFlare will tell you what to do, and the registrar where you have the domain name registered can tell you where to do it).
  3. Enable DNSSEC on CloudFlare and copy the information it shows to the screen where your domain name is registered.
  4. Click SAVE on both screens, at CloudFlare and where your domain name is registered.
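The DS record mentioned in the first case, and the values copied by hand in the steps above, can be checked offline before saving. This is an added example, not part of the original article: it derives a SHA-256 DS record from a DNSKEY as specified in RFC 4034 and compares it with a pasted value. The function names are illustrative, and the key is the published test vector from RFC 4509, not a live key.

```python
import base64
import hashlib
import struct

# Sample input: the DNSKEY test vector published in RFC 4509 section 2.3 (not a live key).
OWNER = "dskey.example.com."
FLAGS, PROTOCOL, ALGORITHM = 256, 3, 5
PUBKEY_B64 = (
    "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/"
    "2pHm822aJ5iI9BMzNXxeYCmZDRD99WYwYqUSdjMmmAphXdvx"
    "egXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/rljwvFw=="
)

def name_to_wire(name):
    """Canonical wire form: lowercased, length-prefixed labels plus the root byte."""
    labels = [part for part in name.lower().split(".") if part]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Derive (key tag, algorithm, digest type 2 = SHA-256, hex digest) from a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(pasted, owner, flags, protocol, algorithm, pubkey_b64):
    """True if a pasted 'tag alg type digest' string equals the DS derived from the key."""
    fields = pasted.split()
    if len(fields) < 4 or not all(f.isdigit() for f in fields[:3]):
        return False
    got = (int(fields[0]), int(fields[1]), int(fields[2]), "".join(fields[3:]).upper())
    return got == make_ds(owner, flags, protocol, algorithm, pubkey_b64)

if __name__ == "__main__":
    print("DS:", *make_ds(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64))
```

A mismatch between the pasted value and the derived one means the registrar would publish a DS that does not correspond to the signing key, and validating resolvers would then fail lookups for the domain.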

That is all. 🙂 Not too complicated, right? Now the question is – does it work? Luckily, there is a very good tool to check if your DNS is configured correctly and if everything works ok.

DNSSEC Verification Tool

Before you start enabling DNSSEC, you can check what’s “wrong” with your domain name from the diagram, as shown here (green arrows mean secure, black arrows insecure).

After successful implementation of DNSSEC this chart should look like this.

How Important is DNSSEC?

Chances are that DNSSEC will become a mandatory security measure for domains and zones operating with sensitive information, just like HTTPS gradually did. It is expected that browsers (Chrome and Firefox) will have built-in DNSSEC validators, so that over time it becomes a security norm. The technology actually complements what an SSL certificate brings, providing better safety for internet users. Of course, it does not solve all online security issues, but its contribution deserves the attention of webmasters and all those who are working towards making the internet a safer place.

Who Should Adopt the DNSSEC Technology?

In short, websites that handle personal, financial, and proprietary information, because they are at high risk of cyber attacks. However, since cyber criminals have become nastier and more unpredictable, their end goal is not necessarily to instantly grab money. They might have more long-term plans. The latest statistics say one in ten people are victims of different levels of cyber crime, and no doubt about it: these crimes are becoming harder to detect, and it can take months before the victim realizes the harsh truth, especially when it comes to silent identity theft. That leads us to the conclusion that any domain name owner should have DNSSEC enabled.

Domain.me has always followed security trends and innovations, which is why we enabled DNSSEC the same year it became publicly available, ensuring that all .ME domain registrants can make their websites secure.

CEO, .ME Registry