DNSSEC with OrangeWebsite

DNSSEC (Domain Name System Security Extensions) is a technology used for enhancing the security of the internet’s Domain Name System (DNS). It does this by adding a layer of cryptographic protection to DNS records, preventing various forms of cyberattacks, such as DNS cache poisoning and spoofing. DNSSEC ensures data integrity and authenticity by digitally signing DNS data, allowing users to trust that the website they’re connecting to is legitimate. It’s a fundamental tool in safeguarding online communications, as it helps users avoid malicious websites and ensures that the DNS responses they receive are accurate and untampered, thereby increasing the overall security and trustworthiness of the internet.

DNSSEC compares a DNS server’s DS record to the DS record at the domain registrar, and when they both match, the record is valid.

Requirements

  1. Check the OpenSRS TLD Reference Chart to make sure that your domain extension supports DNSSEC.
  2. Access to cPanel’s Zone Editor.
  3. The hosting provider must use a PowerDNS nameserver.

Definitions

  1. DNSSEC – The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications for securing data exchanged in the Domain Name System (DNS).
  2. DNSKEY Record – a DNS record type that contains a public signing key. This is created on the Hosting side.
  3. DS Record – a DNS record type that contains a hash of a DNSKEY record. DS stands for Delegation Signer and is the record used to identify the DNSSEC signing key of a delegated zone. This is created at the Registrar’s side.
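
The link between the two record types defined above can be checked offline. The Python below is an added example, not OrangeWebsite or cPanel code: it derives the DS fields (Key Tag, Algorithm, Digest Type, Digest) from a DNSKEY as specified in RFC 4034 and compares them with a DS string such as the one entered at the registrar. The sample DNSKEY, the domain example.com and all function names are constructed for illustration.

```python
import base64
import hashlib

# DS digest type number -> hash function (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(dnskey_text):
    """Parse 'flags protocol algorithm base64key' into DNSKEY RDATA bytes."""
    flags, protocol, algorithm, *key = dnskey_text.split()
    return (int(flags).to_bytes(2, "big") + bytes([int(protocol), int(algorithm)])
            + base64.b64decode("".join(key)))

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey_text, digest_type=2):
    """Return 'keytag algorithm digesttype digest' for the given DNSKEY."""
    rdata = dnskey_rdata(dnskey_text)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_matches(owner, dnskey_text, ds_text):
    """True when the DS held at the registrar was derived from this DNSKEY."""
    tag, alg, dtype, *digest = ds_text.split()
    if int(dtype) not in DIGESTS:
        return False  # unknown digest type: cannot confirm the match
    want = make_ds(owner, dnskey_text, int(dtype)).split()
    return ([int(tag), int(alg)] == [int(want[0]), int(want[1])]
            and "".join(digest).upper() == want[3])

# Constructed sample: key-signing key (flags 257), algorithm 13, dummy key bytes.
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = make_ds("example.com.", SAMPLE_DNSKEY)
    print(ds)
    print("registrar DS matches zone DNSKEY:", ds_matches("example.com", SAMPLE_DNSKEY, ds))
```

If the digest held at the registrar does not match the one derived from the zone's DNSKEY, the chain of trust is broken and validating resolvers will fail lookups for the domain.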

Steps

  1. Key Generation: Generate the public and private keys for the domain. This is done at the domain’s authoritative DNS server (hosting provider side).
  2. DNSKEY Record Publication: The public key, in the form of a DNSKEY (DNS Key) record, is published in the DNS zone file on the authoritative DNS server for the domain. This informs DNS resolvers about the public key that can be used to verify the authenticity of the DNS Data.
  3. DS Record Creation: You as the domain owner need to provide this DS record to your Domain Registrar (where you registered your domain). The registrar then adds this DS record to the parent zone.
  4. Registrar Submission: You must send the DS record to your domain registrar. This can be done in the Domains Manager for the domain. If the option is not there, you’ll need to provide this to the Tech support team so they can enter this in their forms. The DNS record in the parent zone (i.e. .com) gets updated.
  5. Propagation: Any DNS update will take time to propagate. Once the DS record is propagated, it establishes a chain of trust from the parent zone to your domain.

How to Create the DS (Delegation Signer) Records

DNSSEC involves key pairs, and these pairs are typically generated and managed by your DNS hosting provider. DNSSEC keys are generated at the host, and DS records are generated at the Registrar that the Domain is registered with.

Log in to your Client Area Portal and navigate to the Domains >> Manage DNS >> Edit >> DNSSEC >> Enable interface for the domain.

This will take you to the DNS Manager Page. Click on the Pencil Icon to edit.

You’ll be shown the DNS Zone for the domain and if you click on the icon with the three dots next to the “Add Record” button, you will see that DNSSEC is shown as an Additional Action:

After clicking on the DNSSEC icon, you will see the following page:

Click on the “Enable DNSSEC” Confirmation button.

You will then get a confirmation that DNSSEC has been enabled successfully.

When you scroll down, you will see the DS Records just created showing the Key Tag, Algorithm, Digest Type, and Digest.

Now that the Delegation Signer Records (DS Records) are made, you must go to your hosting cPanel account to generate the DNSSEC Keys. DNSSEC Keys can only be created on the hosting side (not from the Domain Manager).



  1. If you have your Domain registered elsewhere but have hosting with OrangeWebsite, you can create DS keys through the Zone Editor of your cPanel dashboard. Just log in to your cPanel dashboard, navigate to the Domains Section, and then click on the Zone Editor Link.

You’ll then be taken to the Zone Editor page, where you can click on the DNSSEC button:

If no keys are found, you can create a key by clicking on the blue Create Key button:

After clicking on the create key button, a “Confirm Create” popup window will appear.

As displayed, most domain registrars will accept one of these keys.

You will then see the following confirmation page:

How to Apply the DS Key

  1. In the example above, we supplied the Key Tag and the available digests to the Domain Registrar of the domain, which happens not to be with OrangeWebsite. If your domain is registered somewhere else, you may have the option in the Domain Manager of your Domain Registrar to enter the digests, or you can request to have their Customer Support Team enter them manually. It just depends on the Domain Registrar that you’re using. If your domain is registered with OrangeWebsite, then you can do this yourself in the Domain Manager.

  2. If your domain is indeed registered through OrangeWebsite (Internet.bs), then this is done in your Client Area’s Domain Manager: My Domains > DNSSEC Management, where you can set the DS record information (NOT the KEY Record, we don’t provide that except in cPanel as the DNSKEY record is built on the hosting server where the domain is pointing, and the DNS server isn’t one,

How to Create DNSSEC Keys in cPanel

Navigate to the cPanel interface for the domain.

Select the Zone Editor in the Domains Section of your cPanel dashboard:

Then, click on the DNSSEC button for the domain:

Click on the blue Create Key button.

A Confirm Create pop-up window will appear. Click on the Create button:

And the following page with your DNSSEC Key Details will appear:


  1. Copy those records to the proper interface in your domain’s registrar. Every registrar is a little different, so we can’t provide step-by-step instructions for this process. If you need the public key, not the digest records, navigate back to the DNSSEC page within the Zone Editor. Clicking the View Details arrow on the left edge of the DNSSEC record will allow you to export your public key.

How to Apply DNSSEC in the Client Area

  1. Log in to the Client Area.
  2. Click on the My Domains section.
  3. Select the domain you would like to create DNSSEC for.
  4. Look for Overview on the right-hand side and below you will see DNSSEC Management.
  5. Fill in the required areas and select Save Changes.

How to Apply the DS or DNSSEC Information to the Domain

  1. Generate or obtain your DS or DNSSEC information from your cPanel or DNS provider.
  2. Log in to your domain registrar account and navigate to the DNS settings for your domain.
  3. Look for an option to enable DNSSEC or to add DS records. This will vary depending on your registrar, but most registrars have a section for DNSSEC or security settings. If not, their Support team can add the DS Records.
  4. Enter the DS or DNSSEC information you obtained in Step 1 into the appropriate fields. This will typically include a key tag, algorithm, digest type, and digest value.
  5. Save your changes and wait for the changes to propagate. This can take up to 24 hours.
  6. Once your DNSSEC information has been applied to your domain, it will be more secure against DNS spoofing attacks and other security threats.

How to Verify DNSSEC for a Domain

There are several ways to verify that DNSSEC has been set.

Within cPanel, navigate to Domains >> Zone Editor, and then click on the DNSSEC button.

Next, click on the DNSSEC button that corresponds to the domain you want to check.

Then, click on the right arrow to expand:

You will then be able to see the status of the DNSSEC Keys as active.

Check the Whois Database via a UNIX Terminal

Analyze DNSSEC using VERISIGN’s Online Tool

  1. Check with VERISIGN LABS at: https://dnssec-analyzer.verisignlabs.com/.
Updated on July 29, 2024