How to Enable DNSSEC for Your Domain Print

  • DNSSEC Security dns
  • 0

This article explains how to secure your domain name using Domain Name System Security Extensions (DNSSEC). Enabling DNSSEC adds a layer of security to your domain by attaching cryptographic signatures to your Domain Name System (DNS) records, protecting your visitors from DNS spoofing and cache poisoning attacks.

Objective

To enable DNSSEC on a domain zone hosted on our name servers and submit the required cryptographic delegation signer (DS) records to the registry.

Prerequisites

Before you begin, ensure that your domain is configured to use our official name servers:

  • nsw.name-servers.net.au

  • nsx.name-servers.net.au

  • nsy.name-servers.net.au

  • nsz.name-servers.net.au

Step-by-Step Instructions

Phase 1: Generate the DNSSEC Keys

Follow these steps within your client portal to generate your unique cryptographic keys:

  • Log in to your client portal.

  • Click on Domains >> Manage DNS in the main navigation menu.

  • Locate the domain zone you wish to secure and click Edit next to it.

  • In the top-right corner of the zone management screen, click on the 3 dots icon.

  • Select DNSSEC from the dropdown menu.

  • Click the Enable DNSSEC button.

The system will now generate and display your unique DNS Key and Delegation Signer (DS) records.

Security Warning: The generated DNS cryptographic keys must be kept secure. Do not share these keys with anyone under any circumstances.

Phase 2: Enable DNSSEC at the Registry

Generating the keys on our nameservers is only the first half of the process. To complete the security chain, the keys must be registered with the top-level domain (TLD) registry.

To enable DNSSEC at the registry level, please open a support ticket with our team and provide the following exact details generated from Phase 1:

  • Key Tag: A unique 5-digit integer identifier assigned to your key pair (e.g., 24953).

  • Algorithm: The signing algorithm utilized by the host. We highly recommend and typically use 13 (ECDSAP256SHA256).

  • Digest Type: The hashing function applied to the key metadata. As per our infrastructure policy, you must choose SHA-256 (Algorithm 2).

  • Digest: The long, alphanumeric cryptographic fingerprint string that represents your public key.

Our support team will apply these records to your domain registration at the registry level to activate full DNSSEC protection.

Verification

Once our support team confirms that the DS records have been submitted to the registry, you can verify that DNSSEC is operating correctly:

  • Visit an external DNSSEC validation tool, such as the Verisign DNSSEC Analyzer or dnsviz.net.

  • Enter your domain name and run the test.

  • Verify that a secure, unbroken chain of trust is established from the root zone down to your domain's authoritative name servers.


Was this answer helpful?

« Back