Understanding and managing DNSSEC

What is DNSSEC?

DNSSEC stands for Domain Name System Security Extensions.

DNSSEC helps protect against forged DNS data. The goal is to provide assurance that the DNS records provided to the user are the same as the DNS records published on the DNS server.

It has been demonstrated that DNS records can be forged or modified by attackers or other third parties. With DNSSEC in place, modification of DNS records is much more difficult.

How does DNSSEC work?

DNSSEC is a way to sign the records for DNS lookup using public-key cryptography. The correct DNSKEY record set is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone.

By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server.

DNSSEC can protect any data published in the DNS, including text records (TXT), mail exchange records (MX), A records, CNAME records, and so on.


Adding DNSSEC for your domain

Please note: Hover does not offer hosted DNSSEC DNS services using ns1/2/3.hover.com. If you require DNSSEC, you’ll need to use a third-party DNS provider that offers DNS that supports DNSSEC fully.

Hover, as a domain name registrar, does enable you to configure your domain (depending on the extension) to work with DNS providers that offer DNSSEC.

To configure DNSSEC on your domain at Hover, you’ll need to get the Delegation Signer Records (DS) for your domain from your DNS provider.


Required information

The four items you will need to acquire from your DNS provider are:

Key Tag: An integer value that is used to identify the DNSSEC record.

Algorithm Type: From the drop-down list, choose the algorithm used to generate the signature.

Digest Type: From the drop-down list, choose the algorithm type that was used to construct the digest.

Digest: A string value generated by the algorithm.
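
Added example, not code from Hover or from any DNS provider: how the four fields above are derived from a zone's DNSKEY record under RFC 4034, which is the calculation a DNS provider performs before giving you the values. The sample key is constructed (counting bytes, not a real key) and the function names are illustrative.

```python
import base64
import hashlib
import struct
from typing import NamedTuple

# Digest Type numbers: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels, each length-prefixed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA (not valid for algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(record: str, digest_type: int = 2) -> DS:
    """Derive the four DS fields from one DNSKEY record in zone-file form."""
    fields = record.split(";")[0].replace("(", " ").replace(")", " ").split()
    pos = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[pos + 1:pos + 4])
    if protocol != 3 or not flags & 0x0100:
        raise ValueError("not a DNSSEC zone key (protocol must be 3, zone flag set)")
    public_key = base64.b64decode("".join(fields[pos + 4:]), validate=True)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    # Digest = hash(owner name in wire form || DNSKEY RDATA)
    digest = DIGESTS[digest_type](name_to_wire(fields[0]) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), algorithm, digest_type, digest)

# Constructed sample, not a real key: 64 counting bytes in place of an
# ECDSA P-256 (algorithm 13) public key, flags 257 = key-signing key.
SAMPLE_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_DNSKEY)
    print(f"Key Tag: {ds.key_tag}  Algorithm: {ds.algorithm}  "
          f"Digest Type: {ds.digest_type}\nDigest: {ds.digest}")
```

BIND's dnssec-dsfromkey utility produces the same values from a K*.key file, so the digest does not appear in the key files themselves; it is computed from them.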


Adding the DNSSEC record in your Hover account

Once you have this information from your DNS provider, visit the Advanced page for the domain that you wish to add DNSSEC information to. If DNSSEC is supported for that TLD, you’ll see a button Add A DNSSEC Record.

Add the required information. Then, click Add Record.

Editing/removing DNSSEC records

To edit a DNSSEC record, go to the Advanced page.

To edit a DNSSEC record, click Edit, and make the necessary changes.

To remove a DNSSEC record, click Edit, click Clear Fields, and click Save.

  • 0
    Jichang Gao

    Where to download the domain name certificate?

  • 0
    Glen Peterson

    Let me get this straight: If we use a different DNS provider, we can enter their code in Hover? But Hover is our DNS provider! Why would we need Hover if we had a different DNS provider?

    There is something here that I don't understand, or this is a "dummy" feature of the Hover UI?

  • 0
    Glen Peterson

    Sorry, that came out a little snarky and there is no way to edit it.  There is clearly a lot here that I don't understand, but the part about using another DNS provider to have Hover manage our DNSSec is the part I particularly don't understand.

  • 0
    Glen Peterson

    In case it's not clear, it's "Hover does not offer hosted DNSSEC DNS services using ns1/2/3.hover.com. If you require DNSSEC, you’ll need to use a third-party DNS provider that offers DNS that supports DNSSEC fully." that has me particularly confused and is relevant to our account.

  • 1
    Shawn Hughes

    I'm just another customer who happened on your query, but I think I can help. Using a website [www.mydomain.com] as an example, there are 3 distinct services needed to facilitate connecting a visitor to your web page.

    1) Domain Name Registration:  maintenance of the records showing who owns MYDOMAIN.COM, along with records delegating your authoritative Name Servers.

    2) Name Servers:  authoritative name server translates www.mydomain.com to an IP Address.

    3) Web Host: provides web pages in response to visitor requests.

    Using Hover to register your domain name means Hover is providing 1 (domain name registration).

    Hover also offers to provide 2 (name servers), 3 (web hosting), 4 (email mailboxes); you may choose to host them all with Hover or host any or all of them elsewhere.

    DNSSEC:  Hover offers DNS, but not DNSSEC. If you want DNSSEC, you find a third party to provide it, in which case you would update your domain registration name server records delegating that third party as your authoritative name servers.

    DNSSEC provides assurance to visitors that DNS answers are from the authoritative name servers and unaltered.

    The Domain Registration Name Server IP address entries are not sufficient to accomplish this, hence the DNSSEC Key records which can offer cryptographic proof that a DNS answer is legitimate and authorized by the owner of the domain.


  • 0
    Terri-Leigh H.

    Hi Glen and Shawn

    Glad you both got in touch on this. And stellar info, Shawn!

    I just want to add - Hover provides access through your account to send updates for existing DNSSEC records to the registry. So if you have nameservers where DNSSEC is offered, you can update the records within your Hover account.

    Oh - and with #3 we don't offer hosting :) But we can help you link your chosen hosting services to your domains!

  • 0
    Dario Fumagalli


    do you have a tutorial about how to implement a DNSSEC server compatible with Hover, for Ubuntu 14.04 or similar?


  • 0
    Matthew Hill

    I picked a domain for which Hover does not support DNSSEC. Two questions: Is this something important to have? Is it likely or not domains for which it's not supported will gain support in the future?

  • 0
    Dennis Harres

    Just realized, that DNSSEC is not enabled for .xyz domains, and I purchased one recently. 

    Are there plans to support it in the near future? See also: https://help.hover.com/hc/en-us/community/posts/115000161027--xyz-and-DNSSEC?flash_digest=29ab63ad141d57845713497474b6203202bdca35

    Thank you!

  • 0
    Lewis Butler

    Where does the digest come from? I have a Kdoamin.tlc.+007+17363.key and .private and a Kdomain.tld.+007+4361.key and .private, but none of these 4 files have anything that looks like a digest (which should be a hex string, yes?).



  • 0
    Thomas Zickell

    The reason for other DNS providers is Anycast DNS. This is something used in the primary enterprise as well as high-end very fast DNS companies like Dyn, NSone, UltraDNS, and even Cloudflare allow many extras you may not have thought about.
