How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars
With DNSSEC, your domain name registrar plays a critical role in linking your signed domain to the higher-level name servers to form a “chain of trust”. This trust relationship begins at the “root” of the DNS system, then goes to the top-level domains (TLDs) and then to second level domain names (“example.com”) and on from there.
To sign your domain with DNSSEC and have it participate in the global chain of trust, you need three conditions to be true:
1. YOUR TOP-LEVEL DOMAIN (TLD) MUST BE SIGNED – The major TLDs such as .com, .org, .net have all been signed as have a good number of “country code TLDs” (ccTLDs), but many ccTLDs still need to be signed. View the full list of signed TLDs to confirm that your TLD has been signed.
2. YOUR DOMAIN REGISTRAR MUST SUPPORT DNSSEC – The registrar where you registered your domain must support DNSSEC. Specifically, they need to be able to accept and sign Delegation Signer (DS) records that contain the necessary information about the keys used to sign your DNS zone. They also need to be able to provide these DS records to the parent domain (which is typically a TLD).
Check the list of registrars known to support DNSSEC maintained by ICANN. If your registrar is listed, you may simply need to check their documentation to learn more about their DNSSEC support (see our tutorials below for some registrars). If your registrar is not listed, you may want to contact them to find out if they already support DNSSEC or if not, when they will be doing so.
3. YOUR DNS HOSTING PROVIDER MUST SUPPORT DNSSEC – Very often a “registrar” may also provide “DNS Hosting” services where they will host your DNS records, allow you to manage those records, publish them to the global DNS, etc. However, you may use a different provider for the actual hosting of your DNS records. (see an example) You may also choose to operate your own nameservers and directly manage the DNS hosting yourself. Regardless of whether DNS hosting is provided by your registrar, by another company or by yourself, DNSSEC support is required. Many DNS hosting providers are automating DNSSEC services so that all of the key generation and signing is handled automatically on your behalf.
See the “More Information” section later on this page for a further description of how this works.
The following links provide tutorials on how to sign your domain name with DNSSEC using the listed registrars and DNS hosting providers.
The Internet Society Deploy360 Programme does not recommend or endorse any particular domain registrars. The information provided here is to assist users to understand how to sign their domains with DNSSEC. WE ARE SEEKING TO ADD TUTORIALS HERE FOR ALL REGISTRARS THAT CURRENTLY SUPPORT DNSSEC. If you know of an additional registrar we should include, please contact us.
Registrars Supporting DNSSEC For Registration and Hosting
There are a great number of registrars that now support DNSSEC for either domain registration or DNS hosting. Please visit:
To help people understand the process, we wrote a couple of tutorials for these registrars who support DNSSEC for both domain registration and DNS hosting.
- How to Sign Your Domain With DNSSEC Using Binero (for .SE and .EU)
- How to Sign Your Domain With DNSSEC Using Dyn, Inc.
- How to Sign Your Domain With DNSSEC Using GoDaddy.com
Registrars Supporting DNSSEC Only for Domain Registration
These registrars provide a process for adding Delegation Signer (DS) records for your domain but do not provide DNSSEC-signing of hosted domains (or do not offer DNS hosting). We’ve written a step-by-step example of how DNSSEC can work in this situation.
Beyond this list, the Internet Corporation for Assigned Names and Numbers (ICANN) maintains a list of registrars supporting the use of DS records. The Public Interest Registry (PIR), the registry for .org, also maintains a list of registrars supporting DNSSEC (look for a “Yes” in the final column). We will be looking to add tutorials about many of these registrars as we learn about their web interfaces.
There are two elements to “signing” your domain:
- Your domain records must be signed by keys created for your domain.
- Information about your keys must be recorded in a Delegation Signer (DS) record stored in the parent domain or TLD.
This “DS record” at the parent name server is what binds your signed domain into the larger “chain of trust”.
In order for this to work, your domain name registrar must support DNSSEC and be able to pass the relevant information about your keys to the parent name servers so that this DS record can be created. Note that a domain name registrar does not have to host your domain records; some registrars differentiate between providing “registration” or “parking” services and providing “DNS hosting” services.
If you register your domain with one registrar and host your DNS records with another registrar/DNS hosting provider (or host the DNS records on your own nameservers), then the relationship is this:
- Your domain registrar:
  - Maintains a DS record containing information about the key used to sign your domain
  - Contains the NS (name server) records pointing to the name servers hosting your domain
  - Provides the relevant information to the parent domain or TLD for a DS record to be created at that higher level
- Your DNS hosting provider (or your name servers if you are hosting the domain yourself):
  - Signs the domain records with the appropriate keys
  - Provides the relevant information to your registrar for the creation of the required DS record
If you want to see this relationship in action, please see our step-by-step example of using DNSSEC with a different registrar and DNS hosting provider for more information.
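The two elements of signing and the registrar/hosting split described above meet at the DS record: it is a digest of the child zone's DNSKEY, computed as in RFC 4034, that the registrar hands to the parent. The following added example (not code from Deploy360 or any registrar) derives a DS record from a DNSKEY and checks that a DS published at the parent actually matches the child's key, which is the verification a validating resolver performs at each link of the chain. The KSK bytes are a constructed stand-in, not a real ECDSA key.

```python
import base64
import hashlib
import struct

# Digest types a DS record may carry (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lower-case, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire: flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum used to select the key, not a hash."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Build the DS record the registrar must submit to the parent for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches_dnskey(parent_ds: str, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey_b64: str) -> bool:
    """True if the DS at the parent was derived from this DNSKEY (the chain-of-trust link)."""
    tag, alg, dtype, digest = parent_ds.split()[-4:]
    if int(dtype) not in DIGEST_ALGS:
        return False  # unknown digest type: the link cannot be confirmed
    expected = ds_record(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return expected.split()[-4:] == [tag, alg, dtype, digest.upper()]


# Constructed sample KSK for example.com: flags 257 (KSK), protocol 3, algorithm 13.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()  # stand-in key bytes

if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY_B64)
    print(ds, ds_matches_dnskey(ds, SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY_B64))
```

After the registrar has published your DS, fetch it from the parent and run the same comparison against the DNSKEY your hosting provider serves; a mismatch means the chain is broken and validating resolvers will treat the zone as bogus.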