How to Install DNSSEC
DNSSEC is a way to digitally "sign" your DNS data so that validating resolvers can detect man-in-the-middle tampering with DNS answers. If you have been provided with a DNSSEC record (the DS data for your zone's signing key) from your DNS provider, you can use the following steps to install it.
⚠️ Warning
This guide walks through how to enable DNSSEC on a domain not using Porkbun's nameservers. If you are using Porkbun's nameservers, please refer to the following guide instead: How to enable Porkbun's Cloudflare DNSSEC
Please note that most registries only support dsData. Some ccTLD registries, such as .eu, .de, and .nl only support keyData. If you get an error while creating a DNSSEC record, try creating it exclusively with the dsData information. If that doesn't work, try creating it exclusively with the keyData information.
That's it! The DNSSEC record is created. Validating resolvers such as Google's 8.8.8.8 service will now check every DNS lookup to make sure your authoritative DNS server (see: How to assign nameservers) is returning records signed by the key that matches the DS record you just installed, so a man-in-the-middle attack is detected rather than silently accepted. Your domain should now pass DNSSEC validation using a service such as https://dnssec-analyzer.verisignlabs.com/
The following is a brief explanation of what each entry means.
- Key Tag
- A short numeric identifier for the DNSSEC key (DNSKEY) of the domain that this record refers to
- Algorithm
- Identifies the algorithm used to create the signature
- Digest Type
- Identifies the algorithm used to create the digest
- Digest
- The digest value itself: a hash of the domain's DNSKEY record, computed with the digest type above and written in hexadecimal
Key Data
Not all registries support keyData. If you get an error while creating a DNSSEC record, try creating it without keyData information.
- Max Sig Life
- Indicates the amount of time in seconds the signature is valid
- Flags
- Indicates the key type (Zone-signing or Key-signing)
- Protocol
- Identifies the protocol the key is used for, so the registry can match it to the right record type
- Key Data Algorithm
- Identifies the cryptographic algorithm of the public key
- Public Key
- The public key from the domain's DNSKEY record, which the registry uses to derive and publish the DS records
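Before entering the dsData at the registrar, it is worth confirming that the key tag and digest actually correspond to the DNSKEY your nameserver publishes; a mismatch means resolvers will fail validation for the whole domain. The following is an added Python example (not Porkbun's code or part of this guide) that derives the DS fields from a DNSKEY and checks a registrar-entered DS record against it. The sample key bytes are a constructed placeholder, not a real key.

```python
import base64
import hashlib

# Constructed placeholder "public key" (the bytes 0x00..0x3f), NOT a real key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_role(flags):
    """Flags 257 = key-signing key (SEP bit set), 256 = zone-signing key."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"

def owner_wire(name):
    """Canonical (lowercase, uncompressed) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def compute_ds(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Derive the dsData fields (key tag, algorithm, digest type, digest) from a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST_ALGOS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def ds_matches(ds, owner, flags, protocol, algorithm, key_b64):
    """True if a DS record (as entered at the registrar) corresponds to this DNSKEY."""
    if ds["digest_type"] not in DIGEST_ALGOS:
        return False
    expected = compute_ds(owner, flags, protocol, algorithm, key_b64, ds["digest_type"])
    return (ds["key_tag"] == expected["key_tag"]
            and ds["algorithm"] == expected["algorithm"]
            and ds["digest"].upper() == expected["digest"])
```

Run `compute_ds` on the DNSKEY your nameserver serves (flags 257 for the key-signing key) and compare the result field by field with what you are about to enter as dsData.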