How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars

With DNSSEC, your domain name registrar plays a critical role in linking your signed domain to the higher-level name servers to form a “chain of trust”. This trust relationship begins at the “root” of the DNS system, then goes to the top-level domains (TLDs), then to second-level domain names, and on down from there.

To sign your domain with DNSSEC and have it participate in the global chain of trust, you need three conditions to be true:

1. YOUR TOP-LEVEL DOMAIN (TLD) MUST BE SIGNED – The major TLDs such as .com, .org and .net have all been signed, as have a good number of “country code TLDs” (ccTLDs), but many ccTLDs still need to be signed. View the full list of signed TLDs to confirm that your TLD has been signed.

2. YOUR DOMAIN REGISTRAR MUST SUPPORT DNSSEC – The registrar where you registered your domain must support DNSSEC. Specifically, they need to be able to accept Delegation Signer (DS) records, which carry a hash of the key (normally the Key Signing Key) used to sign your DNS zone, and to pass those DS records up to the parent zone (typically the TLD registry), which signs and publishes them. Note that the registrar does not sign the DS record itself; the parent zone does.

Check the list of registrars known to support DNSSEC maintained by ICANN. If your registrar is listed, you may simply need to check their documentation to learn more about their DNSSEC support (see our tutorials below for some registrars). If your registrar is not listed, you may want to contact them to find out whether they already support DNSSEC or, if not, when they plan to.

3. YOUR DNS HOSTING PROVIDER MUST SUPPORT DNSSEC – Very often a “registrar” also provides “DNS hosting” services: they host your DNS records, let you manage those records, publish them to the global DNS, and so on. However, you may use a different provider for the actual hosting of your DNS records (see an example), or you may choose to operate your own name servers and manage the DNS hosting yourself. Regardless of whether DNS hosting is provided by your registrar, by another company or by yourself, DNSSEC support is required there too, because the DNS host is where your zone is actually signed. Many DNS hosting providers are automating DNSSEC so that all of the key generation and signing is handled on your behalf.

See the “More Information” section later on this page for a further description of how this works.

The following links provide tutorials on how to sign your domain name with DNSSEC using the listed registrars and DNS hosting providers.

The Internet Society Deploy360 Programme does not recommend or endorse any particular domain registrars. The information provided here is to help users understand how to sign their domains with DNSSEC. WE ARE SEEKING TO ADD TUTORIALS HERE FOR ALL REGISTRARS THAT CURRENTLY SUPPORT DNSSEC. If you know of an additional registrar we should include, please contact us.

Registrars Supporting DNSSEC For Registration and Hosting

There are a great number of registrars that now support DNSSEC for either domain registration or DNS hosting. Please visit:

To help people understand the process, we wrote a couple of tutorials for registrars that support DNSSEC for both domain registration and DNS hosting.

Registrars Supporting DNSSEC Only for Domain Registration

These registrars provide a process for adding Delegation Signer (DS) records for your domain but do not provide DNSSEC signing of hosted domains (or do not offer DNS hosting at all). We’ve written a step-by-step example of how DNSSEC can work in this situation.

Beyond this list, the Internet Corporation for Assigned Names and Numbers (ICANN) maintains a list of registrars supporting the use of DS records. The Public Interest Registry (PIR), the registry for .org, also maintains a list of registrars supporting DNSSEC (look for a “Yes” in the final column). We will be looking to add tutorials about many of these registrars as we learn about their web interfaces.

More Information

There are two elements to “signing” your domain:

  1. Your zone’s records must be signed with keys generated for your domain.
  2. A Delegation Signer (DS) record containing a hash of your key (normally the Key Signing Key) must be published in the parent zone, which is typically the TLD.

This “DS record” at the parent name server is what binds your signed domain into the larger “chain of trust”: a validating resolver that already trusts the parent uses the DS record to decide which of your DNSKEY records to trust.

In order for this to work, your domain name registrar must support DNSSEC and be able to pass the relevant information to the operator of the parent zone so that it can create this DS record. Note that a domain name registrar does not have to host your domain records, and some registrars distinguish between providing “registration” or “parking” services and providing “DNS hosting” services.

If you register your domain with one registrar and host your DNS records with another registrar/DNS hosting provider (or host the DNS records on your own nameservers), then the relationship is this:

  • Your domain registrar:
    • Holds the DS record data (a hash of the key used to sign your domain) that you submit
    • Holds the NS (name server) records pointing to the name servers hosting your domain
    • Passes the DS and NS data to the parent domain or TLD so that the DS record can be created and signed at that higher level
  • Your DNS hosting provider (or your own name servers if you are hosting the domain yourself):
    • Signs the zone’s records with the appropriate keys
    • Provides the DS information (or the DNSKEY from which you derive it) that you give to your registrar for the creation of the required DS record

If you want to see this relationship in action, please see our step-by-step example of using DNSSEC with a different registrar and DNS hosting provider for more information.
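The binding described in the two elements above and in the registrar/DNS-host split just listed (the DNS host signs the zone with a key, a hash of that key becomes the DS record, and the registrar passes that DS data to the parent) is something you can check yourself before and after your registrar submits it. The following Python is an added example, not code from this page, from Deploy360 or from any registrar or DNS hosting provider. It implements the DS digest and key tag computations from RFC 4034, parses DNSKEY and DS records either in full presentation format or in the shorter form `dig +short` prints, and reports whether a DS matches a DNSKEY. The owner name `example.com.`, the key bytes and the function names (`make_ds`, `verify_ds`, `key_tag`, `wire_name`) are this example’s own; the key is constructed for illustration and is not a real RSA key.

```python
"""Check the DNSKEY -> DS binding that ties a signed zone into the chain of trust.

Digest and key tag follow RFC 4034 section 5.1.4 and appendix B.
Sample data below is constructed for illustration; it is not a real key.
"""
import base64
import hashlib
from dataclasses import dataclass

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605). Type 1 (SHA-1) is
# deprecated for new deployments (RFC 8624); type 2 (SHA-256) is the usual choice.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    prefixed by its length, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag: a 16-bit checksum over the DNSKEY RDATA
    that resolvers use to pick which DNSKEY a DS or RRSIG refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # base64-decoded key material

    @classmethod
    def parse(cls, text: str) -> "DNSKEY":
        """Accepts 'example.com. 3600 IN DNSKEY 257 3 8 AwEA...' or the
        'dig +short' form '257 3 8 AwEA...'."""
        f = text.split()
        start = f.index("DNSKEY") + 1 if "DNSKEY" in f else 0
        flags, proto, alg = (int(x) for x in f[start:start + 3])
        return cls(flags, proto, alg, base64.b64decode("".join(f[start + 3:])))

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def is_ksk(self) -> bool:
        # Zone Key bit (0x100) plus Secure Entry Point bit (0x001): flags 257 in practice.
        return self.flags & 0x101 == 0x101


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex

    @classmethod
    def parse(cls, text: str) -> "DS":
        """Accepts 'example.com. 3600 IN DS 12345 8 2 ABCD...' or '12345 8 2 ABCD...'."""
        f = text.split()
        start = f.index("DS") + 1 if "DS" in f else 0
        tag, alg, dtype = (int(x) for x in f[start:start + 3])
        return cls(tag, alg, dtype, "".join(f[start + 3:]).upper())


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS record the parent zone should publish for this DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA)."""
    h = DIGEST_ALGS[digest_type](wire_name(owner) + key.rdata()).hexdigest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, h.upper())


def verify_ds(owner: str, key: DNSKEY, ds: DS) -> bool:
    """True iff ds is the DS a validating resolver would accept for key.
    A DS that matches no DNSKEY makes the delegation bogus (SERVFAIL)."""
    if ds.digest_type not in DIGEST_ALGS:
        return False
    exp = make_ds(owner, key, ds.digest_type)
    return (exp.key_tag, exp.algorithm) == (ds.key_tag, ds.algorithm) and exp.digest == ds.digest.upper()


# Constructed sample: exponent-length 3, exponent 65537, then 32 arbitrary
# "modulus" bytes. Not a real RSA key; it only exercises the encoding.
SAMPLE_OWNER = "example.com."
_FAKE_KEY = b"\x03\x01\x00\x01" + bytes(range(1, 33))
SAMPLE_DNSKEY = f"example.com. 3600 IN DNSKEY 257 3 8 {base64.b64encode(_FAKE_KEY).decode()}"


def demo() -> dict:
    key = DNSKEY.parse(SAMPLE_DNSKEY)
    ds = make_ds(SAMPLE_OWNER, key)
    # Failure modes: one corrupted hex digit in the submitted DS, or a DS
    # computed for the wrong owner name.
    corrupted = DS(ds.key_tag, ds.algorithm, ds.digest_type,
                   ds.digest[:-1] + ("0" if ds.digest[-1] != "0" else "1"))
    return {
        "is_ksk": key.is_ksk(),
        "ds_line": f"{SAMPLE_OWNER} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}",
        "matches": verify_ds(SAMPLE_OWNER, key, ds),
        "corrupted_matches": verify_ds(SAMPLE_OWNER, key, corrupted),
        "wrong_owner_matches": verify_ds("example.org.", key, ds),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

To use it on a real domain, feed `DNSKEY.parse` the output of `dig DNSKEY yourdomain +short` from your DNS host and `DS.parse` the output of `dig DS yourdomain +short` from a resolver or the parent’s name servers, then call `verify_ds`. Run the check before you hand the DS to your registrar and again once the parent has published it; a DS that matches none of your published KSKs makes the whole zone bogus for validating resolvers, and the same check is what you repeat every time the KSK changes.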

January 14th, 2012 | Posted in DNSSEC, Tutorials | 14 Comments

14 Responses to How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars

  1. […] we were putting together our list of DNS registrars and hosting providers supporting DNSSEC, we thought we should provide a step-by-step example of how you could do exactly this – use […]

  2. […] Friday we learned that is joining the ranks of domain name registrars supporting DNSSEC. In a blog post on their “Gandi Bar” site, “Thomas” outlines the level of […]

  3. […] but that to me is actually good news because there are no .AT registrars listed on either our Deploy360 list of DNSSEC registrars nor on ICANN’s list – so obviously it sounds like there are a few more registrars we […]

  4. […] P.S. If you want more information about how to sign your own domain using DNSSEC, check out our instructions for several registrars. […]

  5. […] out the other pages in a similar style for other audiences. If you have a domain name registered, look at our page about how to sign your domain with DNSSEC using various domain name […]

  6. […] should now be able to pass the required DS record up to the TLD registry. (See our page about registrars and DNSSEC for more information about this process with some registrars.)  If your registrar does not yet […]

  7. […] ICANN has maintained a list of registrars supporting DNSSEC and we’ve posted some tutorials about registrars and DNSSEC. A number of us have also been promoting DNSSEC to registrars at ICANN events through the DNSSEC […]

  8. […] or feature request asking them when they will support DNSSEC.  We have some information about some of the registrars that support DNSSEC and ICANN has a longer list of registrars that support DNSSEC, but there are many more registrars […]

  9. […] the integrity of the information you get out of DNS queries.   In his paragraph, he talks about the signing of domain names with DNSSEC, but it is important to remember that this is only half the equation with DNSSEC. The other piece […]

  10. […] your domain with DNSSEC. Here are instructions for some registrars and DNS hosting operators – and ask your DNS hosting provider about how to get DNSSEC signing in their […]

  11. […] The reason, of course, is that Google’s Public DNS service performs DNSSEC validation by default on ALL DNS queries.  So, not only are all those Turkish citizens getting around the ban on Twitter, but they are also getting more security and ensuring that the responses they get back from DNS for a domain are indeed the correct information entered by the operator of that domain (for companies/organizations that have signed their domain). […]

  12. […] How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars by the Internet Society (thanks to Nick for pointing it out) currently lists only two that support .com TLD on the list of “Registrars Supporting DNSSEC For Registration and Hosting” ie. Go Daddy (with an additional fee of $36/year) and Dyn (with an additional fee of $330/year). See How To Sign Your Domain With DNSSEC Using Dyn, Inc and How To Sign Your Domain With DNSSEC Using for details. […]

  13. […] the higher level of security possible with DNSSEC.    This is, of course, just the first step.  As we outline in our tutorial, the next steps are that registrars and DNS hosting providers for .AZ need to now support the […]

  14. […] latest country-code top-level domain (ccTLD) to sign their .MG domain with DNSSEC.  As we note in the steps for signing a domain, having a signed TLD is critical so that your domain can tie into the global “chain of […]
