How do I set up DNSSEC?

DNSSEC (in full: Domain Name System Security Extensions) is an additional security feature that protects your DNS records, hence the "SEC" (security) in the name.
For DNSSEC to work properly, it is important that your Internet service provider (ISP) has enabled DNSSEC validation. If your ISP does not have DNSSEC validation enabled, the correctness of DNSSEC is not checked and the DNS records can be retrieved without problems.
If your ISP does validate DNSSEC and the DNSSEC records have been added correctly, the DNS records will resolve. If your ISP does validate DNSSEC but DNSSEC has not been set up correctly, the DNS records will not resolve.
DNSSEC can be added through the environment.
When you go to "Domains" and click on the gear icon, there is often an option to add DNSSEC. However, the DNSSEC field is only visible when using nameservers.
When using managed DNS, DNSSEC is added automatically and cannot be removed.
DNSSEC keys are generated and managed on the domain name servers. These keys can be obtained from the provider that manages the name servers.
Four fields must be completed when setting up DNSSEC:
Flag: This is 256 or 257, with 257 being the most common. Flag 256 stands for Zone Signing Key (ZSK) and 257 stands for Key Signing Key (KSK). For functionality, only flag 257 is usually required.
Protocol: This is always 3 and represents DNSSEC.
Algorithm: This depends on the method used to create the DNSSEC key. For .nl this is often algorithm 8 (RSA/SHA-256), but this can vary depending on the TLD.
Public key: This is the public key of the key pair used for signing DNSSEC records.
The values supported for the algorithm can be found in the extension information. Click on the eye icon behind the TLD and look at "DNSSEC algorithms". You can also see there whether the TLD in question supports DNSSEC. Although most TLDs support DNSSEC, a few do not yet support it.
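A pre-submission check for the four fields described above, as an added example that is not part of the original article or the provider's own tooling. It splits a DNSKEY line obtained from the name server provider into flag, protocol, algorithm and public key, validates each value, and computes the key tag (RFC 4034, Appendix B) so the entry can be compared with what the name servers publish. The sample record, the function names and the supported-algorithm set are assumptions.

```python
import base64
import binascii
import struct

# Assumption for this example: the TLD accepts algorithms 8 and 13. Use the
# registry's own list (the "DNSSEC algorithms" entry mentioned in the article).
SUPPORTED_ALGORITHMS = {8, 13}

# Constructed sample line; the key is a short dummy value, not a usable key.
SAMPLE = "example.nl. 3600 IN DNSKEY 257 3 8 ( AwEA AavN7wE= ) ; constructed"


def key_tag(flag, protocol, algorithm, key):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flag, protocol, algorithm) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def check_dnskey(record, supported=SUPPORTED_ALGORITHMS):
    """Return (fields, problems) for one zone-file DNSKEY line."""
    # Drop the trailing comment and the parentheses used for multi-line keys.
    tokens = record.split(";")[0].replace("(", " ").replace(")", " ").split()
    if "DNSKEY" not in tokens:
        raise ValueError("not a DNSKEY record")
    rdata = tokens[tokens.index("DNSKEY") + 1:]
    if len(rdata) < 4:
        raise ValueError("DNSKEY needs flag, protocol, algorithm and key")
    flag, protocol, algorithm = (int(t) for t in rdata[:3])
    key_b64 = "".join(rdata[3:])  # long keys are often split by whitespace
    fields = {"flag": flag, "protocol": protocol,
              "algorithm": algorithm, "public_key": key_b64}
    problems = []
    if flag not in (256, 257):
        problems.append("flag must be 256 (ZSK) or 257 (KSK)")
    if protocol != 3:
        problems.append("protocol must be 3")
    if algorithm not in supported:
        problems.append("algorithm %d is not in the supported set" % algorithm)
    try:
        key = base64.b64decode(key_b64, validate=True)
    except binascii.Error:
        problems.append("public key is not valid base64")
    if not problems:
        # Only compute the tag once every field has passed its check.
        fields["key_tag"] = key_tag(flag, protocol, algorithm, key)
    return fields, problems
```

An empty `problems` list means the four values are well-formed; the key tag should match the key ID the name server provider reports for the same key.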
Please contact us to see if we can activate DNSSEC on the relevant TLD by emailing