Keeping your domain names secure is an important priority for anyone who owns one. On #GandiV5, you can activate the DNSSEC security protocol on your domain names automatically!

What is DNSSEC?

DNSSEC is a protocol that allows you to sign responses to DNS queries in order to ensure the integrity of DNS records and combat certain threats such as DNS hijacking.

As DNS was originally designed, there was no way to know whether the DNS responses you got actually came from the source they purported to be from. As the internet grew, people started to realize that this was an important oversight, and began proposing “extensions” to DNS, specifically a set of “DNS SECurity extensions” or DNSSEC.

It took some experimentation to get it right, but DNSSEC as it exists today consists of signing DNS records using public key cryptography. Domain owners generate their own key pairs, and then send the public keys to their domain registrar (usually by uploading them). The registrar then sends the keys to the registry, which signs the keys and publishes them. It’s similar to the way SSL certificates are generated by website admins, then sent to and signed by a certificate authority (CA).

When a DNS zone is signed using DNSSEC, every time a DNS record in that zone is looked up, it can be verified whether the record received actually came from where it was supposed to have come from.

That means that any man-in-the-middle attack, cache poisoning, and even a compromise of your DNS servers can all be detected when DNSSEC is used on the zone.

For example, without DNSSEC, attackers who have hijacked a domain’s DNS could create a real SSL certificate that looks just as valid to a browser as any other valid certificate, leaving users with zero warning whatsoever that the page was fraudulent. With DNSSEC, that wouldn’t be possible.

Above all, DNSSEC enables you to trust that the answers you get back from a DNS server are correct.

With DNSSEC, you can create a “chain of trust” all the way up to the root DNS, thereby providing authentication of DNS responses and protecting your services from forged and manipulated DNS responses. We’ve automated most of the process of setting up DNSSEC so that you can benefit from this added protection without having to go through an overly complex setup.

You can:

  1. Sign your LiveDNS zones
  2. Automatically publish keys to the registry, if you use our services
  3. Automate key rollover (when you change your key) if you use a third-party DNS service by way of the “Third Party DNS operator to Registrars/Registries Protocol.”
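The parent-side link in the chain of trust described above, as an added example that is not part of the original post: in practice the registry publishes a DS record, a digest of the zone's key-signing key, and a validator checks that the DNSKEY served by the zone hashes to it (RFC 4034). The function names are hypothetical and the key bytes are constructed for illustration, not a real key.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, then the public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a lookup checksum, not a security check."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """SHA-256 DS digest (digest type 2) over owner name plus DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True if a parent-side DS tuple (tag, alg, digest_type, digest) fits the key."""
    tag, alg, digest_type, digest = ds
    return (digest_type == 2 and tag == key_tag(rdata) and alg == rdata[3]
            and digest.upper() == ds_digest(owner, rdata))

# Constructed sample, not a real key: flags 257 (KSK), algorithm 15 (Ed25519).
OWNER = "example.com."
KSK = dnskey_rdata(257, 15, bytes(range(32)))
DS = (key_tag(KSK), 15, 2, ds_digest(OWNER, KSK))    # what the parent zone publishes
FORGED = dnskey_rdata(257, 15, bytes(range(1, 33)))  # a key the owner never submitted

if __name__ == "__main__":
    print("DS record data:", *DS)
    print("published key matches DS:", ds_matches(OWNER, KSK, DS))
    print("substituted key matches DS:", ds_matches(OWNER, FORGED, DS))
```

A key swapped in on a hijacked name server fails this comparison because the DS record lives in the parent zone, which the attacker does not control.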

How to activate DNSSEC

On our platform, if you use our LiveDNS name servers, you can activate DNSSEC in just one click on supported TLDs. All you need to do is go to your Control panel, click the domain name you want to activate DNSSEC on, go to the Nameservers or DNSSEC tab and enable DNSSEC.

Of course, if you have any questions, feel free to contact our Customer Care team for help.