Configuring DNSSEC for a Domain

DNSSEC is the extension of the DNS protocol that allows signing DNS data in order to secure the domain name resolving process. For general information about DNSSEC and its usage, visit ICANN website and https://tools.ietf.org/html/rfc6781.

Note: The support for DNSSEC is available in ApaxonHost for Linux.

You can do the following to protect DNS data of your domains with DNSSEC:

  • Sign and unsign domain zones according to DNSSEC specifications
  • (Optionally) Specify custom settings to be used for generation of keys
  • Receive notifications
  • View and copy DS resource records
  • View and copy DNSKEY resource record sets.

Signing a Domain Zone

To start using DNSSEC protection of your DNS zone, sign this zone. ApaxonHost signs the zone with an automatically generated signatures using two pairs of asymmetric keys, the Key Signing Key (KSK) and the Zone Signing Key (ZSK).

To sign a domain zone:

  1. Select the domain in Websites & Domains.

  2. Go to DNSSEC and click Sign the DNS Zone.

  3. If the zone has never been signed before, ApaxonHost prompts you to generate the keys that will be used to create a signature.

    You can use the default values or specify custom values. See Recommended Values below.

    image-77026.png

     

  4. If you previously signed the DNS zone, you have the choice to use previously generated keys or generate new ones. If you opt for new keys, you can either use the default values or specify custom values. See Recommended Values below.

    Recommended values of KSK and ZSK generation settings:

    • A long key and a long rollover period for the KSK.

      Every time the Key Signing Key is updated, you need to update the DS records in the parent zone. The recommended values help you to update DS records as seldom as possible without decreasing security.

    • A shorter key and a shorter rollover period for the ZSK.

      The Zone Signing Key is updated automatically. The recommended values help you to save system resources without decreasing security.

      image-77028.png

       

  5. In the end of the signing procedure, ApaxonHost displays DS records, which contain hashes of the Key Signing Keys used for signing the zone.

    Copy the DS resource records to Clipboard and then add them to the parent domain zone. See Updating the DS Records in the Parent Zone below.

    image-77027.png

Updating the DS Records in the Parent Zone

If the parent zone contains outdated DS records, the domain name is no longer resolved by the DNS service.

You will need to manually add or update DS records in the parent domain zone in all cases when DNSSEC keys were updated, namely:

  • You signed a domain zone using newly generated keys.
  • A KSK (Key Signing Key) rollover event took place.

ApaxonHost sends you notifications and gives you some time to update the DS records - this period of time is equal to one KSK rollover period. During this period, the previous DS records are still valid.

If you unsigned the domain zone, you need to manually delete DS records in the parent domain zone.

To update DS records in the parent zone:

For a domain in ApaxonHost, whose parent zone is outside ApaxonHost, update DS records at the domain’s registrar.

For a subdomain of a domain hosted in ApaxonHost and having the DNS zone in ApaxonHost:

  1. Go to DNS settings of the parent domain (Websites & Domains > go to the parent domain > DNS Settings).
  2. Add new records of the DS type (Add Record) and paste the values that ApaxonHost displays in the DS resource records box in the DNSSEC settings of the subdomain.

Unsigning a Domain Zone

Unsigning a domain zone turns off DNSSEC protection for that zone. You may need to unsign a zone if the keys were compromised, and then sign the zone again using new keys.

To unsign a domain zone:

  1. Go to Websites & Domains > select a domain > DNSSEC and click Unsign.
  2. Delete the DS resource records from the parent zone. Otherwise, the domain will not resolve.

Note: When you unsign a zone, the keys are not deleted from ApaxonHost. You can sign the zone again using the same keys.

Viewing DNSKEY Resource Records

You might need to retrieve DNSKEY resource records, which contain public parts of Key Signing Keys used by a domain.

To display DNSKEY records:

  1. Go to Websites & Domains > select a domain > DNSSEC.
  2. Click View DNSKEY Records.
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Adding a Domain Forwarder

To create a domain forwarder in ApaxonHost: Start creating a new domain in Websites &...

Adding and Removing Domains

  If your hosting package includes more than one domain name (website), then you can easily add...

Adding Domain Aliases

Domain aliases allow you to point several domain names to the same website. This can be useful,...

Adding Subdomains

If your hosting package includes subdomains, which are additional third-level domain names, then...

Adding Wildcard Subdomains

Use wildcard subdomains to redirect visitors from non-existent subdomains to one of your...