Deploy360 19 January 2012

How To Sign Your Domain With DNSSEC Using Dyn, Inc

Dyn, Inc. provides a simple web interface to enable DNSSEC with the purchase of their DynECT Managed DNS Lite service (or higher levels of service). It is worth noting that Dyn’s primary business is DNS hosting, so while they will certainly register a domain for you, the focus of their site and services is on managing DNS for your domains. In fact, as you will see below, they treat their registrar business as completely separate from their DynECT Managed DNS business.

The DynECT Managed DNS Lite service currently (January 2012) starts at $30/month or $330/year for DNS hosting of up to 10 domains and goes up in price from there. There is no additional cost for DNSSEC as that is simply one of the included services.

Dyn, Inc., also provides full IPv6 support for domains with both IPv6-enabled name servers and web-based support for adding IPv6 records to domains.

The Internet Society Deploy360 Programme does not recommend or endorse any particular domain registrars. The information provided here is to assist users of this registrar to understand how to sign their domains with DNSSEC and is part of a larger program of gathering this DNSSEC configuration information across all domain registrars known to support DNSSEC. If you know of an additional registrar we should include, please contact us.

Configuring DNSSEC For A Domain At Dyn

The first step in using Dyn’s DynECT Managed DNS service is to set up a domain for DNS hosting – either one you registered with Dyn or one you registered elsewhere and are using Dyn for the DNS hosting. Once you add the domain to Dyn’s system as a “new Zone”, you’ll see a dashboard screen showing the zones you are managing:

[Screenshot: DynECT overview]

Clicking on the “Manage” link will bring you to an overview of your managed DNS zone, after which you can click on “Zone Options” and then the “DNSSEC” tab to get to the DNSSEC settings:

[Screenshot: DynECT DNSSEC tab]

Simply change any options, select notification settings and then press the “Add DNSSEC” button.

That’s it. Your domain now is DNSSEC signed.

If you go back to the Overview page for your domain, you’ll now see that you have a key icon in the “Status” line for your domain:

[Screenshot: DynECT DNSSEC active]

Now, there is one further step if you are also using Dyn as your registrar. You need to add a Delegation Signer (DS) record to your domain registration. As mentioned at the beginning, Dyn treats the registrar and DNS hosting services as two separate businesses and so they do have two separate web interfaces.

First, in the DynECT management console, click on “Zone Options” and then the “DNSSEC” tab. Find the section labeled “Delegation Signer Records”:

[Screenshot: DynECT DS records]

In another browser window, log in to the Dyn domain registration console. After you click on the “Domain Registration” link, you will see information about your domain and, at the bottom, a place to add DS records:

After clicking “Create New DS Record”, you’ll get a window where you can enter the relevant information for the DS record:

After you have entered and saved the information, you will see a DS record at the bottom of your domain registration.

The disconnect between the registrar service and the DynECT Managed DNS service shows up here in the web user interface. The DynECT web interface lists the “Algorithm” and “Digest Type” as numbers, while the registrar service only lists names for the algorithm and digest type. A suggestion was sent to Dyn that they should make this easier. In the meantime, here is a quick conversion table:

Algorithm:
3 – DSA/SHA1
5 – RSA/SHA1
8 – RSA/SHA-256
9 – RSA/SHA-512

Digest Type:
1 – SHA-1
2 – SHA-256

You can then go to one of the DNSSEC test sites to verify that the domain is correctly set up. For example, here are the test results for the domain “” hosted at Dyn:

(Note that it may take some period of time for Dyn to send the DS records for your domain to the TLD registry, so you may see that gap in the chain if you test your domain immediately after signing it.)

Dyn will now handle all further signing of the zones and also key rollover, notifying you via email when such events occur.

Managing DNSSEC with DynECT Managed DNS Lite

After your domain is signed, the DynECT service provides a very useful interface for managing your DNSSEC keys. If you return to the DNSSEC tab under “Zone Options”, you will now see the list of available keys, DS records and other information:

[Screenshot: DynECT DNSSEC keys]

From this screen, you can now add additional keys, trigger the rollover of keys (if you don’t want to wait for the automatic rollover) and download the relevant DS or DNSKEY records to provide to another service.

Configuring DNSSEC For A Domain With DNS Registered Elsewhere

If you are using Dyn, Inc., for DNS hosting for a domain registered at another registrar, the DynECT management console makes it extremely easy to obtain the DS records you need to provide to the other registrar. In the management console, click on “Zone Options” and then the “DNSSEC” tab. Find the section labeled “Delegation Signer Records”:

[Screenshot: DynECT DS records]

If you just need the DS record digest to enter into the web interface for another registrar, you can copy/paste the digest directly from this window.

If you need a complete DNS zone file record you can click on “Download .txt format” which will give you a text file with the complete DS record as you would need to type it in a DNS zone file.
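Because the DS record is copied by hand between two interfaces, it is worth checking offline that the key tag, algorithm, digest type and digest you entered really correspond to the DNSKEY your zone publishes. The following is an added example, not part of the original article or Dyn's tooling: it derives a DS record from a DNSKEY as defined in RFC 4034 and compares it with a single-line zone-file DS record. The function names and the sample owner name and key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Digest Type numbers from the conversion table -> hashlib algorithm names
DIGESTS = {1: "sha1", 2: "sha256"}
# Constructed sample values: placeholder key bytes, not a real RSA key
SAMPLE_OWNER = "example.com."
SAMPLE_KEY = base64.b64encode(bytes(range(1, 33))).decode()

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, key_b64, digest_type):
    """Return (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.new(DIGESTS[digest_type], name_to_wire(owner) + rdata)
    return (key_tag(rdata), algorithm, digest_type, digest.hexdigest().upper())

def parse_ds(line):
    """Parse a one-line DS record: owner [ttl] [IN] DS tag alg type digest."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return (tag, alg, dtype, "".join(fields[i + 4:]).upper())

def ds_matches(ds_line, owner, flags, protocol, algorithm, key_b64):
    """True only if every DS field matches the DS derived from the DNSKEY."""
    ds = parse_ds(ds_line)
    if ds[2] not in DIGESTS:
        return False  # digest type outside the table above: cannot verify
    return ds == make_ds(owner, flags, protocol, algorithm, key_b64, ds[2])

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds(SAMPLE_OWNER, 257, 3, 8, SAMPLE_KEY, 2)
    line = f"{SAMPLE_OWNER} 86400 IN DS {tag} {alg} {dtype} {digest}"
    print(line)
    print("matches DNSKEY:", ds_matches(line, SAMPLE_OWNER, 257, 3, 8, SAMPLE_KEY))
```

To use it on a real zone, pass the flags, protocol, algorithm and base64 key from the zone's published DNSKEY record along with the DS line you entered at the registrar.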

More Information

Dyn, Inc., was one of the early supporters of DNSSEC in the registrar/hosting community and as a result has posted a good number of news items and blog posts related to DNSSEC:
