DNSSEC adds two important features to the DNS protocol:
- Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated.
- Data integrity protection allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the zone owner with the zone's private key.
All domains registered with Deck8 support DNSSEC. This article shows steps when using DNS supplied with hosting packages, if you are using different DNS providers DNSSEC can still be enabled but you will need to check with DNS provider for further details on enabling at zone level (step 1).
Step 1 - Enabling DNSSEC for zone
This step is done from within plesk. You can access this in client area under "My Services", select relevant hosting package and click "Login to Plesk Control Panel" buttom at bottom of page.
Select "DNSSEC" option for relevant domain under "Websites & Domains" in control panel.
Select "Sign the DNS Zone" on preceeding screen.
The preceeding box will allow you to make adjustments to algorithm, key size and rollover period. There is no need to change these from default options unless required.
Press OK when you are happy with settings and after a short time you will get a confirmation screen with the signing keys.
This part is now complete, these keys will now need to be added to domain registry in part 2.
Part 2 - Adding keys to domain
Log in to your client panel and goto "My Domains" and select domain you wish to enable DNSSEC for.
Select "Manage DNSSEC DS Records" under Manage box.
Enter the details provided in part 1 for first entry. They are in same order as provided in control panel so with above example first entry;
- Key Tag - 36605
- Algorithm - 8 [RSASHA256]
- Digest Type - 2 [SHA-256]
- Digest - 89F37E28D4148CD44638B0F2E231EA2A733AE648393874EF5EC034903563839A
Click Add and repeat with information provided for second key and add. Once both keys have been entered press Save Changes
Once settings have been saved DNSSEC will be active for your domain.