Understanding and managing DNSSEC

What is DNSSEC?

DNSSEC stands for Domain Name System Security Extensions.

DNSSEC helps protect against forged DNS data. The goal is to provide assurance that the DNS records provided to the user are the same as the DNS records published on the DNS server.

It has been demonstrated that DNS records can be forged or modified by attackers or other third parties. With DNSSEC in place, modification of DNS records is much more difficult.

How does DNSSEC work?

DNSSEC is a way to sign the records for DNS lookup using public-key cryptography. The correct DNSKEY record set is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone.

By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server.

DNSSEC can protect any data published in the DNS, including text records (TXT), mail exchange records (MX), A records, CNAME records, etc.

 

Adding DNSSEC for your domain

Please note: Hover does not offer hosted DNSSEC DNS services using ns1/2/3.hover.com. If you require DNSSEC, you’ll need to use a third-party DNS provider that fully supports DNSSEC.

Hover, as a domain name registrar, does enable you to configure your domain (depending on the extension) to work with DNS providers that offer DNSSEC.

To configure DNSSEC on your domain at Hover, you’ll need to get the Delegation Signer Records (DS) for your domain from your DNS provider.

 

Required information

The four items you will need to acquire from your DNS provider are:

Key Tag: An integer value that is used to identify the DNSSEC record.

Algorithm Type: From the drop-down list, choose the algorithm used to generate the signature.

Digest Type: From the drop-down list, choose the algorithm type that was used to construct the digest.

Digest: A string value generated by the algorithm.
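
Before entering these values, you can check them against the DNSKEY record your DNS provider publishes. The following is an added example, not Hover's or any DNS provider's code: it recomputes the Key Tag (RFC 4034 Appendix B) and the Digest from a DNSKEY and reports which of the four DS fields disagree. The key is a constructed placeholder, and the function names and example.com are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# Digest Type numbers (IANA DS registry) mapped to hashlib algorithm names.
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed sample, not a real key: flags 257 (KSK), protocol 3,
# algorithm 13 (ECDSA P-256/SHA-256), 64 placeholder public-key bytes.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    key = base64.b64decode(pubkey_b64)
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key Tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(owner):
    """Canonical owner name: lowercase labels, length-prefixed, root-terminated."""
    labels = [p for p in owner.lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """Digest field: hash(owner name | DNSKEY RDATA) as uppercase hex."""
    data = wire_name(owner) + rdata
    return hashlib.new(DIGESTS[digest_type], data).hexdigest().upper()

def check_ds(owner, dnskey, ds_text):
    """Return the names of the DS fields that do not match the DNSKEY."""
    parts = ds_text.split()
    tag, alg, dtype = (int(p) for p in parts[:3])
    digest = "".join(parts[3:]).upper()  # presentation format may contain spaces
    rdata = dnskey_rdata(*dnskey)
    bad = []
    if tag != key_tag(rdata):
        bad.append("Key Tag")
    if alg != dnskey[2]:
        bad.append("Algorithm Type")
    if dtype not in DIGESTS:
        bad.append("Digest Type")
    elif digest != ds_digest(owner, rdata, dtype):
        bad.append("Digest")
    return bad
```

An empty list from check_ds means all four fields are consistent with the DNSKEY. A DS record that does not match the published key causes validating resolvers to reject answers for the domain, so a mismatch should be resolved with the DNS provider before the record is saved.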

 

Adding the DNSSEC record in your Hover account

Once you have this information from your DNS provider, visit the Advanced page for the domain that you wish to add DNSSEC information to. If DNSSEC is supported for that TLD, you’ll see an Add A DNSSEC Record button.

Add the required information. Then, click Add Record.


Editing/removing DNSSEC records

To edit a DNSSEC record, go to the Advanced page.

To edit a DNSSEC record, click Edit, and make the necessary changes.

To remove a DNSSEC record, click Edit, click Clear Fields, and click Save.

 