On Gandi v5, you can now automatically activate DNSSEC on domains names.
DNSSEC is a protocol that allows you to sign responses to DNS queries in order to ensure the integrity of DNS records and combat certain threats such as DNS cache poisoning.
This option was already available at Gandi when using third-party DNS name servers, but those wishing to activate it were still nonetheless required to generate and renew their own keys.
On our new platform, if you use our new name servers, LiveDNS, you may now activate DNSSEC in just one click on supported TLDs. All you need to do is go to your Control panel, click the domain name you want to activate DNSSEC on, go to the Nameservers or DNSSEC tab and enable DNSSEC.
If you haven’t migrated your account to Gandi v5 yet, here’s another reason to do so.
Of course, if you have any questions, feel free to contact our Customer Care team for help.
Tagged in DNSGandiV5Security
Thanks for making DNSSEC accessible for all. So simple with the new one press and helps create a more secure internet.
Thanks Tom! Feel free to let us know if you find unexpected behavior or if you have questions.
>All you need to do is go to your Control panel, click the domain name you want to activate DNSSEC on, go to the DNS records tab and turn on DNSSEC from that page.
This is not what I see though? I migrated to v5 quite some time ago, and rather then under DNS Records there is a separate tab specifically for DNSSEC. It also still has the big serious warning “you could easily make your domain name inoperative”. I don’t know if that language is just out of date or is meant to be referring to the well known issues that can arise if someone is managing their own keys with external name servers and botches a key rollover, or if there is some big gotcha that still exists using Gandi LiveDNS. If the former you might want to consider updating it or making it conditional on nameserver setup. If the latter please elaborate on what the failure modes are.
Thank you for your efforts here though either way!
Hi Lee,
There has been a mistake on the news post on the page name to activate/deactivate DNSSEC from our website. We’ll fix it asap.
There is no specific issue related to Gandi LiveDNS regarding DNSSEC compare to external name servers.
Thank you very much for your feedback,
Justine.
i guess there is still some tld not supporting this feature, cause when i click the button, it just appear to be a dead button, and noting happens.
Hi J,
If the tld does not support DNSSEC the DNSSEC page is not displayed and a specific message is displayed in the Nameservers’ page.
Could you contact the customer care team ( https://help.gandi.net/ )to help us investigate your problem, please?
Thanks in advance,
Justine.
Excellent! So far, it’s worked well. Thanks!
The only improvement I’d like to see is some way of enabling DNSSEC on multiple domains simultaneously. For example, being able to select multiple domains in one’s account and click an “Enable DNSSEC” button that would enable it on all of them.
Having to do it one domain at a time is a bit tedious.
Hi Pete,
We are working on bulk actions from the domains list. DNSSEC activation for a batch of domains is planned. It will also be possible to activate DNSSEC to any new domain being created.
Thanks for your feedback,
Justine.
Is there a list of supported TLD’s where the “one click” functionality is available?
I’m not yet a customer, but this would be a serious draw. DNSSEC should be ubiquitous by now and this is a great step towards making this happen.
Thanks.
Yes, you have a list in our documentation https://doc.gandi.net/en/domains/dnssec#who_can_use_dnssec
Comments are closed.