Knowledgebase: Domain Name System
Adding DS records into registrar for DNSSEC
Posted by Aidil A. on 22 April 2024 01:06 PM

Introduction

The following steps show how to add DS records at the registrar ilovewww. Other domain registrars will vary, but the concept is the same.

The ilovewww registrar supports ECDSA Curve P-256 with SHA-256 (Algorithm 13), one of several supported DNSSEC algorithms, and the SHA384 digest (digest type 4).

Before enabling DNSSEC at the registrar, ensure DNSSEC is already enabled on the nameserver, that is, the nameserver that handles the DNS records for the domain name.

You will need to have the following information ready:

  • Key tag
  • DNSKEY Algorithm
  • Digest Type
  • Key Digest

Throughout this tutorial we will use the DNSSEC values below. Your key tag, DNSKEY algorithm, digest type and key digest will differ, so change them to the correct values for your domain.

  • Key tag: 5848
  • DNSKEY Algorithm: 13 (ECDSAP256SHA256)
  • Digest Type: 4 (SHA384)
  • Key Digest: 5d56d9724684666fa72a02b91c6fcbf858e090bb621d477beff5bcbe0498e1e0135ce0724519c87b42c5fc1e0bcd1ff8

 

Search the zone

After logging in to the registrar, search for the zone on which you want to enable DNSSEC and look for the DNSSEC menu option. If the registrar supports DNSSEC, there will be a DNSSEC sub-menu somewhere.

Adding DS key record

Click DNSSEC in the menu; you will be presented with the Manage DNSSEC dialog box.

Add the DS key record and then save it.

Key tag: 5848
DNSKEY Algorithm: 13 (ECDSAP256SHA256)
Digest Type: 4 (SHA384)
Key Digest: 5d56d9724684666fa72a02b91c6fcbf858e090bb621d477beff5bcbe0498e1e0135ce0724519c87b42c5fc1e0bcd1ff8

 

Key Tag

Enter the value 5848 into the Key Tag box.

NOTE: Change this to your own domain's key tag value.

Algorithm

From the drop-down list, select ECDSA Curve P-256 with SHA-256 (13).

Digest Type

From the drop-down list, select SHA-384 (4).

Digest

Enter the value 5d56d9724684666fa72a02b91c6fcbf858e090bb621d477beff5bcbe0498e1e0135ce0724519c87b42c5fc1e0bcd1ff8 into the Digest box.

NOTE: Change this to your own domain's digest value.

Save

Click Save.

The final output will look similar to this. You may close the dialog box by clicking the X symbol in the top right-hand corner.

Testing & Verification

Once you’ve added the DS records successfully, it’s time to test. Many recursive resolvers don’t enforce DNSSEC validation, but it will become more common in the future. So if, for instance, you made a typo when adding the DS records, your zone may not resolve for some users. There are a couple of very useful sites that help with testing:

http://dnssec-debugger.verisignlabs.com - preferable

http://dnsviz.net

You’ll want to enter the name of your zone into each of those sites and ensure that they verify successfully with no issues.

If your tests and verification reach this point with no errors, your DNSSEC setup is complete and successful.

Common Errors

 

There may be several reasons for this error:

  • The zone has not yet been signed with DNSSEC at the nameserver
  • The registrar does not have the DS key records
  • DS key records were added, but an incorrect key may have been entered
  • DS key records were added, but they may contain a typo
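
The last two causes can be caught before the DS record is saved. The following Python code is an added example, not part of the original article or the registrar's tooling: it recomputes the key tag (RFC 4034, Appendix B) and the digest (RFC 4034, section 5.1.4) from the zone's DNSKEY and reports which DS fields differ. The zone name and key bytes are constructed placeholders; substitute the flags, protocol, algorithm and public key that your nameserver publishes.

```python
import base64
import hashlib
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest type -> hash


def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [p for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest from RFC 4034, section 5.1.4: hash(owner wire name + RDATA)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def check_ds(owner, rdata, tag, algorithm, digest_type, digest_hex):
    """Return the names of DS fields that do not match the DNSKEY."""
    problems = []
    if tag != key_tag(rdata):
        problems.append("key tag")
    if algorithm != rdata[3]:  # byte 3 of the RDATA is the algorithm number
        problems.append("algorithm")
    if digest_type not in DIGESTS:
        problems.append("digest type")
    elif digest_hex.strip().lower() != ds_digest(owner, rdata, digest_type):
        problems.append("digest")
    return problems


# Constructed sample: zone name and key bytes are placeholders, not a real key.
ZONE = "example.com."
RDATA = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    good = ds_digest(ZONE, RDATA, 4)
    print(key_tag(RDATA), 13, 4, good)                             # values to enter
    print(check_ds(ZONE, RDATA, key_tag(RDATA), 13, 4, good[:-2]))  # truncated paste
```

An empty list from `check_ds` means the four values typed into the registrar form match the key the nameserver is serving.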

 

Disabling DNSSEC

To disable DNSSEC, perform either one of these steps:

  • Unsign the zone at the nameserver
  • Delete the DS key from the domain registrar

It is not necessary to do both. However, if you want to completely clean up your domain's DS records from these 2 locations so that nothing is left over, you may do so.

==========================================================================================

If you face any difficulties with the setup, please feel free to contact our support team by submitting a ticket at https://247livesupport.biz or emailing our support team at support@247livesupport.biz.

Copyright © 1998 - 2021 Shinjiru International Inc. All Rights Reserved.