DNSSEC and supported TLDs - Powered by NetEarth support services.

Live Chat Software by Kayako

Knowledgebase

(10)Domains on LB Downloads (20)SSLReseller - GlobalSign Certiifcates (6)Customization on the Orderbox (1)Hosting on LB

Knowledgebase: Domains on LB

DNSSEC and supported TLDs

Posted by Chris Pelling on 30 December 2015 05:19 PM

You can activate DNSSEC security information for your domain name under the following conditions:

The domain name is registered through us.
The registry for the domain name must support DNSSEC for the domain name's extension.
The domain name must use custom nameservers, and you have control over signing your zones. That is, it is not hosted, parked, or forwarding with us.
The domain name must be in active status, not flagged by the registry, and have valid Whois data.

To enable DNSSEC, the zone must be digitally signed by your DNS server. During signing, you create a Delegation of Signing (DS) record. Each DS record contains information the registry uses to authenticate using DNSSEC. You use the DS Record and the information it contains to enable DNSSEC for your zone.

You can define up to 10 DS records for each domain name.

For domain names with a .eu extension, you can define a maximum of four DS records. For domain names with a .uk extension (.co.uk, .me.uk, and .org.uk), you can define a maximum of eight DS records.

The domain name extension determines the DNSSEC information you supply for each domain name. Here are the available DNSSEC fields and their usage by domain name extension:

DNSSEC Field	.com / .net / .biz / .us / .uk / .co	.org	.eu
Key Tag	Required	Required	Required
Algorithm	Required	Required	Required
Digest Type	Required	Required	Required
Max Signature Life	Not Supported	Optional	Not Supported
Flags	Not Supported	Not Supported	Required
Protocol	Not Supported	Not Supported	Required
Digest	Required	Required	Required
Public Key	Not Supported	Not Supported	Required

The following information is required to create a DS record for your domain name:

Key Tag — This is an integer value less than 65536 used to identify the DNSSEC record for the domain name.
Algorithm — This identifies the cryptographic algorithm used to generate the signature.
Digest Type — This identifies the algorithm used to construct the digest.
Max Signature Life — This field specifies the validity period for the signature. The value is expressed in seconds. You can use any integer value larger than zero.
Flags — This identifies the key type; either a Zone-Signing Key or a Key-Signing Key.
Protocol — This value identifies the protocol to be used for the electronic key matchup.
Digest — This is the digest integer value.
Public Key — Registries use this value to encrypt DS records. Decryption requires a matching public key.

Help Desk Software by NetEarth