What is DNSSEC?
DNSSEC is a technology that digitally signs DNS data to help protect a site against attacks that rely on forged DNS data. The goal is to provide assurance that the DNS records provided to the user are the same as the DNS records published on the DNS server.
How to configure DNSSEC
DNSSEC support must be enabled with your current DNS provider. At this time, our default name servers do not support the creation of the resource records needed to create a proper DNSSEC chain. This means that the DS key will need to be generated separately so it can be applied to those domains using Enom's name servers.
If you are not using Enom's DNS servers with your domain name, and your DNS provider has enabled DNSSEC support, they will also provide you with a corresponding Delegation Signer (DS) record that will need to be added to the appropriate registry's DNS zone.
If you do not have access to our Reseller API, please submit a Support Request with the DS record while logged into your account so that we may update this record on your behalf.
If you are an Enom.com Reseller, you may update, add or delete DS records by utilizing the following API calls:
Components of DNSSEC
There are 6 components to a DS key:
- Domain Name - The domain name the DS record applies to.
- TTL - The time to live.
- Key Tag - A numerical value that is used to identify the DNSSEC record.
- Algorithm - The algorithm used to generate the signature.
  - 3 for DSA/SHA1
  - 5 for RSA/SHA1
  - 6 for DSA-NSEC3-SHA1
  - 7 for RSASHA1-NSEC3-SHA1
  - 8 for RSA/SHA-256
  - 9 for RSA/SHA-512
- Digest Type - The algorithm type that was used to construct the digest.
  - 1 for SHA-1
  - 2 for SHA-256
- Digest - A string value generated by the algorithm.
The components are usually generated and submitted in BIND format, and appear as follows:
- example.com. IN DS 54321 8 1 1234567891012345678910
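A DS record that does not match the zone's signing key makes the domain fail validation at validating resolvers, so it is worth checking the components before they are submitted. The following is an added example, not Enom's code or part of the original article: a Python check for one DS line in BIND format. The names parse_ds, DS and DIGEST_HEX_LEN are assumptions of this example, and it accepts only the two digest types listed above.

```python
import re
from typing import NamedTuple, Optional

# Digest types listed on this page -> digest length in hex characters.
DIGEST_HEX_LEN = {1: 40, 2: 64}  # SHA-1 is 20 bytes, SHA-256 is 32 bytes

class DS(NamedTuple):
    owner: str
    ttl: Optional[int]
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

def parse_ds(line: str) -> DS:
    """Parse one DS record in BIND presentation format; raise ValueError if malformed."""
    # Parentheses only group multi-line RDATA; drop them and any ';' comment.
    tokens = line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
    if len(tokens) < 6:
        raise ValueError("too few fields for a DS record")
    owner, rest = tokens[0], tokens[1:]
    ttl = None
    # TTL and class (IN) are optional before the record type.
    while rest and rest[0].upper() != "DS":
        tok = rest.pop(0)
        if tok.isdigit() and ttl is None:
            ttl = int(tok)
        elif tok.upper() != "IN":
            raise ValueError(f"unexpected token before DS: {tok!r}")
    if len(rest) < 5:
        raise ValueError("expected: DS <key tag> <algorithm> <digest type> <digest>")
    try:
        key_tag, algorithm, digest_type = (int(x) for x in rest[1:4])
    except ValueError:
        raise ValueError("key tag, algorithm and digest type must be integers") from None
    digest = "".join(rest[4:]).upper()  # whitespace inside the digest is allowed
    if not 0 <= key_tag <= 65535:
        raise ValueError("key tag must fit in 16 bits")
    if not 0 <= algorithm <= 255:
        raise ValueError("algorithm must fit in 8 bits")
    if digest_type not in DIGEST_HEX_LEN:
        raise ValueError(f"digest type {digest_type} is not listed on this page")
    want = DIGEST_HEX_LEN[digest_type]
    if not re.fullmatch(r"[0-9A-F]+", digest) or len(digest) != want:
        raise ValueError(f"digest type {digest_type} needs {want} hex chars, got {len(digest)}")
    return DS(owner, ttl, key_tag, algorithm, digest_type, digest)

if __name__ == "__main__":
    # Constructed sample: SHA-256 digest type with a 64-character dummy digest.
    print(parse_ds("example.com. 3600 IN DS 54321 8 2 " + "AB" * 32))
```

Run against the sample line above, parse_ds raises ValueError, because the 22-character digest shown there is shorter than the 40 hex characters of a SHA-1 digest.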