Adding DS records into registrar for DNSSEC
Posted by Aidil A. on 22 April 2024 01:06 PM
Introduction
The following are the steps for inserting DS records at the registrar ilovewww. Other domain registrars will vary, but the concept is the same. The ilovewww registrar supports ECDSA Curve P-256 with SHA-256 (Algorithm 13), one of several supported DNSSEC algorithms, and digest SHA384 (digest type 4). Before enabling DNSSEC, ensure that DNSSEC is already enabled on the nameserver that handles the DNS records for the domain name. You will need to prepare and have ready this information:
Throughout this tutorial, we will be using these DNSSEC values. Your key tag, DNSKEY algorithm, digest type and key digest will vary, so change them to the correct values accordingly.
Search the zone
After logging in to the registrar, search for the zone on which you want to enable DNSSEC and look for the DNSSEC menu option. If the registrar supports DNSSEC, there will be a DNSSEC sub-menu somewhere.
Adding DS key record
Click DNSSEC in the menu; you will be presented with the Manage DNSSEC dialog box.
Add the DS key record and save it afterwards. Key tag: 5848
Key Tag
Enter the value 5848 into the Key Tag box. NOTE: Change this to your own domain's key tag value.
Algorithm
From the drop-down list, select ECDSA Curve P-256 with SHA-256 (13).
Digest Type
From the drop-down list, select SHA-384 (4).
Digest
Enter the value 5d56d9724684666fa72a02b91c6fcbf858e090bb621d477beff5bcbe0498e1e0135ce0724519c87b42c5fc1e0bcd1ff8 into the Digest box. NOTE: Change this to your own domain's digest value.
Save
Click Save.
The final output will be similar to this. You may close the dialog box by clicking the X symbol in the top right-hand corner.
Testing & Verification
Once you’ve added the DS records successfully, it’s time to test. Many recursive resolvers don’t enforce DNSSEC validation, but it will become more common in the future. So if, for instance, you’ve made a typo when adding the DS records, your zone may not resolve for some users. There are a couple of very useful sites that help with testing:
http://dnssec-debugger.verisignlabs.com - preferable
You’ll want to enter the name of your zone into each of those sites and ensure that they verify successfully with no issues.
If your testing and verification have reached this point with no errors, your DNSSEC setup is complete and successful.
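A typo in the Key Tag or Digest box can also be caught before saving, by recomputing both values from the zone's DNSKEY record and comparing them with what was typed. The following is an added example, not part of the original article or the registrar's tooling. The function names, the example.com zone and the sample key are assumptions made for illustration, and the key bytes are constructed, not a real key.

```python
import base64
import hashlib
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest type -> hash function

def name_to_wire(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), as hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def check_ds(owner, dnskey, entered):
    """Return the registrar form fields that do not match the DNSKEY."""
    flags, protocol, algorithm, pubkey_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    expected = {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest": ds_digest(owner, rdata, entered["digest_type"]),
    }
    # Ignore case and stray whitespace in the pasted digest.
    got = dict(entered, digest="".join(entered["digest"].split()).lower())
    return [field for field, value in expected.items() if got[field] != value]

# Constructed sample key (NOT a real key): flags 257 (KSK), protocol 3, algorithm 13.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    rdata = dnskey_rdata(*SAMPLE_KEY)
    form = {"key_tag": key_tag(rdata), "algorithm": 13, "digest_type": 4,
            "digest": ds_digest("example.com", rdata, 4)}
    print("correct form :", check_ds("example.com", SAMPLE_KEY, form))
    form["key_tag"] += 1  # simulate a typo in the Key Tag box
    print("typo in form :", check_ds("example.com", SAMPLE_KEY, form))
```

To use it with a real zone, replace SAMPLE_KEY with the flags, protocol, algorithm and base64 public key from your own DNSKEY record, and pass the values you intend to type into the registrar form.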
Common Errors
There may be several reasons causing this error:
Disabling DNSSEC
To disable DNSSEC, perform one of these steps:
It is not necessary to do both. But if you want to completely clean up your domain's DS records from these 2 locations so that nothing is left over, you may do so.
==========================================================================================
If you face any difficulties with the setup, please feel free to contact our support team by submitting a ticket on https://247livesupport.biz or emailing our support team at support@247livesupport.biz.