3.1.15. DNSSEC

Important points:

  • Our company must be the domain's current registrar.
  • The domain zone must be open for registration with our company (it appears in the list on the registration page).
  • Some zones do not yet support DNSSEC, although their registries are actively working on it. As soon as a registry adds support, the option to enable DNSSEC becomes available from us immediately.
  • While DNSSEC is enabled, the NS records of the domain cannot be changed. To change the NS, first disable DNSSEC completely; otherwise the DS record in the parent zone would no longer match the keys served by the new NS, and validating resolvers would stop resolving the domain.

In standard DNS, the authenticity of the received data is not verified in any way. This means that while the DNS records of a domain are being fetched, an attacker can substitute the data in transit (for example by poisoning a resolver's cache), and visitors unknowingly end up on the attacker's server instead of the real server hosting the site. DNSSEC (Domain Name System Security Extensions) is a set of security extensions for DNS that solves this problem.

DNSSEC provides two major improvements over standard DNS:

  • Data Origin Authentication. Lets you confirm that the data really comes from the zone it claims to come from: for example, that the records returned for example.com are genuine example.com records, and, if the answer came from a cache, that it originated from the real example.com. For this purpose DNSSEC builds a chain of trust from the root DNS zone down to the records of a particular domain using digital signatures: each parent zone publishes a DS record, which is a hash of the child zone's key-signing key, so at every step you can verify that the child zone is vouched for by its parent and that the zone's data has not been tampered with.
  • Data Integrity Protection. Lets you verify that the data was not modified in transit: for example, that the example.com data you received is exactly what the example.com administrator published. Note that if spoofing is detected, DNSSEC does not correct the data; it only signals that the data has been altered, and a validating resolver then refuses to return it.

DNSSEC complements standard DNS but does not replace it. Domain data can still be retrieved either with standard DNS alone (unvalidated data) or with standard DNS plus DNSSEC (validated data). In the first case, data spoofed during delivery goes unnoticed; in the second case, the data received via DNS is additionally checked against the DNSSEC signatures and the spoofing is detected immediately. Validation is performed by the resolver, so the protection applies only to visitors whose resolver validates DNSSEC.

With DNSSEC enabled, visitors behind a validating resolver are guaranteed to reach the correct server; spoofed data and silent redirection to a malicious server are detected rather than accepted. Note that DNSSEC signs DNS data but does not encrypt it, and it cannot protect against records that are changed at the source, for example through a compromised control-panel account.

When the domain is served on our NS, DNSSEC is enabled with a single click; key generation and the addition of the DNS records are fully automatic.
  1. Open the "DNSSEC" section.
  2. Click "Enable DNSSEC for domain" and confirm the operation with the button in the dialog window.
  3. Wait a few hours to a day for the changes to take effect. When the operation is finished, a notification is sent to your email and to the connected messengers.
Key tags shorter than five digits are shown left-padded with zeros once they have been added.

When the domain is served on third-party NS, only the DS record is published in the parent zone from our side; key generation, zone signing and all other configuration steps are performed in the control panel of the third-party NS provider.

  1. Open the "DNSSEC" section.
  2. Click "Add record".
  3. Enter the DS record data (key tag, algorithm, digest type and digest) exactly as shown by the third-party NS provider and click "Add".
  4. Wait a few hours to a day for the changes to take effect. When the operation is finished, a notification is sent to your email and to the connected messengers.
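The four values entered in the DS record are derived from the child zone's DNSKEY: the key tag is a checksum of the DNSKEY RDATA (RFC 4034, Appendix B), and the digest is a hash of the owner name in wire format followed by that RDATA (RFC 4034 / RFC 4509). The following added example, which is not the panel's own code, computes all four values from a DNSKEY record in presentation format, so you can check what the third-party NS provider shows before entering it above, and prints the key tag zero-padded to five digits as the panel displays it. The DNSKEY it uses is a constructed sample for example.com. (algorithm 13, a placeholder 64-byte public key), chosen so the key tag can be verified by hand.

```python
"""Compute a DS record (key tag, algorithm, digest type, digest) from a DNSKEY.

Added example, not the registrar's own code. Key tag per RFC 4034 Appendix B;
DS digest per RFC 4034 (SHA-1), RFC 4509 (SHA-256) and RFC 6605 (SHA-384).
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256 (recommended), 4 = SHA-384.
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not raw or len(raw) > 63:
            raise ValueError("invalid label in owner name")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd positions add the byte, even positions add byte<<8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr: str):
    """Parse a presentation-format line: owner [TTL] [IN] DNSKEY flags protocol algorithm key..."""
    tokens = rr.split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey_b64 = "".join(tokens[idx + 4:])  # base64 is often split across several tokens
    return tokens[0], flags, protocol, algorithm, pubkey_b64


def ds_record(rr: str, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for the DNSKEY in `rr`."""
    owner, flags, protocol, algorithm, pubkey_b64 = parse_dnskey(rr)
    if not flags & 0x0100:
        raise ValueError("DNSKEY is not a zone key (ZONE flag bit 7 not set)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.new(DIGEST_ALGOS[digest_type], name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


def panel_key_tag(tag: int) -> str:
    """Key tag as the panel displays it: left-padded with zeros to five digits."""
    return f"{tag:05d}"


def format_ds(owner: str, ds) -> str:
    tag, algorithm, digest_type, digest = ds
    return f"{owner} IN DS {tag} {algorithm} {digest_type} {digest}"


# Constructed sample KSK (flags 257 = ZONE + SEP, protocol 3, algorithm 13 ECDSAP256SHA256).
# The "public key" is the placeholder byte sequence 0x01..0x40, not a real key; with it the
# key tag works out to 2098 by hand, which the panel would show as 02098.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()
SAMPLE_DNSKEY = f"example.com. 3600 IN DNSKEY 257 3 13 {SAMPLE_PUBKEY_B64}"

if __name__ == "__main__":
    ds = ds_record(SAMPLE_DNSKEY)
    print(format_ds("example.com.", ds))
    print("key tag as displayed in the panel:", panel_key_tag(ds[0]))
```

Paste the DNSKEY line (the one with flags 257, the KSK) that your NS provider shows into `ds_record`. If the key tag or digest it returns differs from the DS data the provider displays, you are looking at a different key or a different digest type, and the DS should not be entered until the values agree.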
To disable DNSSEC when the domain is served on our NS:
  1. Open the "DNSSEC" section.
  2. Click "Disable DNSSEC for domain" and confirm the operation with the button in the dialog window.
  3. Wait a few hours to a day for the changes to take effect. When the operation is finished, a notification is sent to your email and to the connected messengers.
To disable DNSSEC when the domain is served on third-party NS, remove the DS record here first and only then unsign the zone at the NS provider; if the keys are removed at the NS while the DS is still published, validating resolvers stop resolving the domain.
  1. Open the "DNSSEC" section.
  2. Delete the DS records from the list using the 🗑 button and confirm with the button in the dialog window.
  3. Wait a few hours to a day for the changes to take effect. When the operation is finished, a notification is sent to your email and to the connected messengers.
    Comments

    krutygolov
    Is the zp.ua domain not supported?
    verliber
    Unfortunately, no; only the domain zones listed above are supported.
    rudenko
    Support has to exist at the registry level; the zp.ua zone has not implemented DNSSEC yet.
    shevchouk
    So when will DNSSEC support arrive?
    verliber
    Unfortunately, at the moment there is no timeline for adding DNSSEC support on our NS. When support appears, we will announce it on the website and in the Telegram channel.
    karlov
    DNSSEC support has been added.
    shevchouk
    Thank you. Great news!
    r.kaliberda
    I want to change the NS to Cloudflare, but when I go to the DNSSEC section to disable it, it says: The domain registration period has expired.

    What could the problem be? And where can I check this?
    rudenko
    If you are talking about the domain seven****.com, its registration period ended on 29 November 2025. You need to contact the domain's registrar to renew it.
    r.kaliberda
    Yes, that one:
    Domain Information
    Name: SEVEN****.COM
    Registry Domain ID: 2205101767_DOMAIN_COM-VRSN
    Registered On: 2017-12-27T09:58:26Z
    Expires On: 2026-12-28T11:59:59Z
    Updated On: 2025-11-29T11:40:31Z
    karlov
    The domain is registered with another company. Consequently, DNSSEC and NS must be managed in the control panel of the company where the domain is registered.
    r.kaliberda
    Got it, thanks!