Dyn, Inc. provides a simple web interface to enable DNSSEC with the purchase of their DynECT Managed DNS Lite service (or higher levels of service). It is worth noting that Dyn’s primary business is DNS hosting, so while they will certainly register a domain for you, the focus of their site and services is on managing DNS for your domains. In fact, as you will see below, they treat their Dyn.com registrar business as completely separate from their DynECT Managed DNS business.
The DynECT Managed DNS Lite service currently (January 2012) starts at $30/month or $330/year for DNS hosting of up to 10 domains and goes up in price from there. There is no additional cost for DNSSEC as that is simply one of the included services.
Dyn, Inc., also provides full IPv6 support for domains with both IPv6-enabled name servers and web-based support for adding IPv6 records to domains.
The Internet Society Deploy360 Programme does not recommend or endorse any particular domain registrars. The information provided here is to assist users of this registrar to understand how to sign their domains with DNSSEC and is part of a larger program of gathering this DNSSEC configuration information across all domain registrars known to support DNSSEC. If you know of an additional registrar we should include, please contact us.
Configuring DNSSEC For A Domain At Dyn
The first step in using Dyn’s DynECT Managed DNS service is to set up a domain for DNS hosting – either one you registered with Dyn or one you registered elsewhere and are using Dyn for the DNS hosting. Once you add the domain to Dyn’s system as a “new Zone”, you’ll see a dashboard screen showing the zones you are managing:
Clicking on the “Manage” link will bring you to an overview of your managed DNS zone, after which you can click on “Zone Options” and then the “DNSSEC” tab to get to the DNSSEC settings:
Simply change any options, select notification settings and then press the “Add DNSSEC” button.
That’s it. Your domain now is DNSSEC signed.
If you go back to the Overview page for your domain, you’ll now see that you have a key icon in the “Status” line for your domain:
Now, there is one further step if you are also using Dyn as your registrar. You need to add a Delegation Signer (DS) record to your domain registration. As mentioned at the beginning, Dyn treats the registrar and DNS hosting services as two separate businesses and so they do have two separate web interfaces.
First, in the DynECT management console, click on “Zone Options” and then the “DNSSEC” tab. Find the section labeled “Delegation Signer Records”:
Over in another browser window, log in to the Dyn domain registration console. After you click on the “Domain Registration” link, you will see information about your domain and at the bottom a place to add DS records:
After clicking “Create New DS Record”, you’ll get a window where you can enter the relevant information for the DS record:
After you have entered and saved the information, you will see a DS record at the bottom of your domain registration.
The disconnect between the Dyn.com registrar service and the DynECT Managed DNS service shows up here in the web user interface. The DynECT web interface lists the “Algorithm” and “Digest Type” as numbers, while the Dyn.com registrar service only lists names for the algorithm and digest type. A suggestion was sent to Dyn that they should make this easier. In the meantime, here is a quick conversion table:
Algorithm:
3 – DSA/SHA1
5 – RSA/SHA1
6 – DSA-NSEC3-SHA1
7 – RSASHA1-NSEC3-SHA1
8 – RSA/SHA-256
9 – RSA/SHA-512
Digest Type:
1 – SHA-1
2 – SHA-256
You can then go to one of the DNSSEC test sites to verify that the domain is correctly set up. For example, here are the test results for the domain “dnssec-test-gd.net” hosted at Dyn:
- dnssec-test-dyn.com at Verisign Labs DNSSEC Analyzer
- dnssec-test-dyn.com at Sandia National Laboratories DNSviz
(Note that it may take some period of time for Dyn to send the DS records for your domain to the TLD registry, so you may see that gap in the chain if you test your domain immediately after seeing it.)
Dyn will now handle all further signing of the zones and also key rollover, notifying you via email when such events occur.
Managing DNSSEC with DynECT Managed DNS Lite
After your domain is signed, the DynECT service provides a very useful interface for managing your DNSSEC keys. If you return to the DNSSEC tab under “Zone Options”, you will now see the list of available keys, DS records and other information:
From this screen, you can now add additional keys, trigger the rollover of keys (if you don’t want to wait for the automatic rollover) and download the relevant DS or DNSKEY records to provide to another service.
Configuring DNSSEC For A Domain With DNS Registered Elsewhere
If you are using Dyn, Inc., for DNS hosting for a domain registered at another registrar, the DynECT management console makes it extremely easy to obtain the DS records you need to provide to the other registrar. In the management console, click on “Zone Options” and then the “DNSSEC” tab. Find the section labeled “Delegation Signer Records”:
If you just need the DS record digest to enter into the web interface for another registrar, you can copy/paste the digest directly from this window.
If you need a complete DNS zone file record you can click on “Download .txt format” which will give you a text file with the complete DS record as you would need to type it in a DNS zone file.
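Before handing a DS record to a registrar, you can check offline that it really corresponds to the zone's DNSKEY. The following is an added example, not part of the original article and not Dyn's code: it recomputes the key tag and digest as defined in RFC 4034 and compares them with a single-line zone-file DS record. The domain, key bytes and DS line are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Digest type numbers as listed in the conversion table on this page.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """Return (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def parse_ds(line):
    """Parse a single-line zone-file DS record: owner [ttl] [IN] DS tag alg type digest."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], (tag, alg, dtype, "".join(fields[i + 4:]).upper())

def ds_matches(ds_line, flags, protocol, algorithm, pubkey_b64):
    """True only if every DS field agrees with the given DNSKEY."""
    owner, ds = parse_ds(ds_line)
    if ds[2] not in DIGESTS:
        return False
    return make_ds(owner, dnskey_rdata(flags, protocol, algorithm, pubkey_b64), ds[2]) == ds

# Constructed sample: placeholder key bytes, not a real DNSKEY.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_TAG, _, _, SAMPLE_DIGEST = make_ds("example.com.", dnskey_rdata(257, 3, 8, SAMPLE_KEY), 2)
SAMPLE_DS = f"example.com. 86400 IN DS {SAMPLE_TAG} 8 2 {SAMPLE_DIGEST}"

if __name__ == "__main__":
    print(SAMPLE_DS)
    print("matches DNSKEY:", ds_matches(SAMPLE_DS, 257, 3, 8, SAMPLE_KEY))
```

A mismatch in any field (key tag, algorithm, digest type or digest) means the parent zone would publish a DS that does not validate against your key, which breaks the chain of trust for the domain.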
More Information
Dyn, Inc., was one of the early supporters of DNSSEC in the registrar/hosting community and as a result has posted a good number of news items and blog posts related to DNSSEC: