Knowledgebase: Domain Name System
Adding DNSSEC with PowerAdmin
Posted by Aidil A. on 01 August 2023 02:52 PM

Introduction

The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

DNSSEC works by digitally signing the records served for DNS lookups, using public-key cryptography shared between the nameservers, the domain registrar and the zone operator (domain registry). In practice, however, adding the DS keys only involves the nameserver and the domain registrar. The correct DNSKEY record is authenticated via a chain of trust, starting from a set of verified public keys for the DNS root zone, which acts as the trusted third party. Domain owners generate their own keys and upload them using the DNS control panel at their domain-name registrar, which in turn pushes the keys via secDNS to the zone operator (e.g., Verisign for .com), who signs and publishes them in DNS.

Notes before proceeding further!

Our DNS servers use algorithm 13, also known as ECDSAP256SHA256: the Elliptic Curve Digital Signature Algorithm (ECDSA) with curve P-256 and SHA-256. The IETF (Internet Engineering Task Force) highly recommends this algorithm. For further information regarding DNSSEC algorithm usage, refer to the following article (RFC 8624):

Algorithm Implementation Requirements and Usage Guidance for DNSSEC

Unfortunately, not all domain registrars support this algorithm. If it turns out that your domain registrar really does not support it, you have two options:

1- Change domain registrar: transfer your domain to another registrar that supports algorithm 13 (ECDSAP256SHA256). Or;

2- Lower the algorithm at the DNS server, but only if the DNS server offers that option.

 

Login into PowerAdmin portal

Log in to the PowerAdmin DNS portal.

Look for the zone for which you intend to enable DNSSEC.

 

Sign the zone

Click Sign this zone if DNSSEC is not yet enabled for the target zone.

 

Once signed, the following option buttons will be available:

DNSSEC = click this button to view the DS keys

Unsign this zone = click this button if you intend to disable DNSSEC signing

 

Clicking on the DNSSEC button will show you the algorithm used for the DS keys.

There is no need to add another key if one already exists.

Click on the Show DS and DNSKEY button to view all DS keys.

 

Identify DS keys

You may be presented with several DS keys. However, only one DS key is needed, and using just one is what is recommended.

Under the DS record section, the DS keys are as follows:

1st DS record:

Record Type: DS
Key tag: 43643
Algorithm = 13 (ECDSA Curve P-256 with SHA-256)
Digest Type = 2 (SHA256)
Key Digest = e11fe45045e1bd60698d4ac24a83a937ce9d828d82ba5bf302316eb9ae595d18

2nd DS record:

Record Type: DS
Key tag: 43643
Algorithm = 13 (ECDSA Curve P-256 with SHA-256)
Digest Type = 4 (SHA-384)
Key Digest = 5bb6f6d1e55033b14adc9076fc1bd0f82f95da5212bebe060c703c663cecb354ad118443a8af26ef2bf551692cfba3c1

In this example, you are required to take this information and enter it at the domain registrar of the domain name in question. At the domain registrar, you need to enter only one DS record: either the 1st DS record or the 2nd DS record. Digest type 4 (SHA-384) is the recommended one, provided your registrar accepts that digest type; otherwise use the 1st record (SHA-256).
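As an added illustration (not part of the original article or of PowerAdmin), the following Python script shows where the values in a DS record come from: the key tag is computed over the DNSKEY RDATA, and the digest is the hash of the owner name in wire format followed by that RDATA, as specified in RFC 4034. The owner name and the 64-byte public key are constructed placeholders, not a real key.

```python
import hashlib

# DS digest types as numbered in RFC 4034 / RFC 6605; the article's two DS records use 2 and 4.
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase) DNS wire format: length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, fold the carry."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int) -> dict:
    """Derive the DS record fields (key tag, algorithm, digest type, digest) for a DNSKEY."""
    digest = hashlib.new(DIGEST_ALGOS[digest_type], name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


# Constructed sample: a KSK (flags 257 = ZONE | SEP), protocol 3, algorithm 13 (ECDSAP256SHA256).
# An algorithm 13 public key is the 64 raw bytes of the P-256 point (x || y); this placeholder
# is only bytes of the right length, not a real key.
SAMPLE_OWNER = "Example.com."
SAMPLE_KEY = bytes([0x01] * 64)
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, SAMPLE_KEY)


def sample_ds_records() -> list:
    """The two DS variants shown in the article: digest type 2 (SHA-256) and 4 (SHA-384)."""
    return [ds_record(SAMPLE_OWNER, SAMPLE_RDATA, t) for t in (2, 4)]


if __name__ == "__main__":
    for ds in sample_ds_records():
        print(f"{SAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} "
              f"{ds['digest_type']} {ds['digest']}")
```

Both records share one key tag because they describe the same DNSKEY; only the digest type and digest differ, which is why a single DS record is enough at the registrar.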

 

Domain Registrar

With this DS record, log in to the domain registrar portal and enter the keys.

Refer to the following KB article on how to add DS keys at the domain registrar ilovewww:

Adding DS records into registrar for DNSSEC

If you don't have access or login credentials, request assistance from their support team.

 

Verify DNSSEC for the domain

You may need to wait for the new records to propagate, as this step also involves DNS propagation.

In the meantime, you may use an online DNSSEC checker such as DNSSEC Analyzer by VeriSign.

 

Enter the target domain name in the Domain Name box and press Enter.

 

If the keys were entered correctly and DNS propagation has completed, you will get all green checkmarks.

This means DNSSEC protection for the domain name is in place.

Your task is completed at this point.

 

Possible Error #1

If you get errors similar to the following:

This simply means that there is no DS record at the domain registrar side. Hence, no DNSKEY is found.

At the nameserver side, the DS key does not exist (denoted by No RRSIGs found): either the DNSSEC option is not enabled or the DS key has been deleted.

 

Solution

Enable the DNSSEC option for the domain at the nameserver side, get the DS key, and enter it at the domain registrar side.

 

Possible Error #2

Another common error:

This tells you that at the domain registrar side, no DS record has been set.

However, at the nameserver side, the DNSSEC option is already activated for the said domain name (denoted by Found 1 RRSIGs over A RRset).

 

Solution

Get the DS key from the domain's nameserver and enter it at the domain registrar side.

 

Alternative method of verifying DNSSEC for a domain name

The quickest way to verify that the website you are visiting is protected by DNSSEC is to use a browser plugin DNSSEC checker.

 

Browser Chrome

Download and install DNSSEC Checker from Chrome web store.

 

Pin the plugin to the URL bar. If the site or domain has DNSSEC enabled, the plugin will be highlighted.

 

If the site or domain is not protected by DNSSEC, the plugin will remain grayed out.

 

Browser Firefox

For Firefox, use the DNSSEC plugin from Antoine Popineau.

 

The plugin docks at the URL bar. For any visited website or domain, the plugin indicates the DNSSEC status by its color.

If it glows green, the website is protected by DNSSEC.

 

Clicking on the DNSSEC icon will show you more information.

 

If the site is not protected by DNSSEC, the icon will remain red.

 

==========================================================================================

If you face any difficulties with the setup, please feel free to contact our support team by submitting a ticket at https://247livesupport.biz or by emailing our support team at support@247livesupport.biz.

 

Copyright © 1998 - 2021 Shinjiru International Inc. All Rights Reserved.