What is DNSSEC?


DNSSEC protocols are designed to add security to your DNS to protect it from certain attacks, such as a data modification attack (e.g. cache poisoning).
DNSSEC is a set of extensions to the DNS, which provides origin authentication of DNS data, data integrity and authenticated denial of existence using DS records.
Internet.bs does not currently offer DNSSEC for domains using its free DNS; however, you can manage DS records for domains that use external DNS. To enter DS/DNSKEY records, please use the format described in RFC 4034:

DS Example:
domain.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A98631FAD1A292118 )
        1.      Domain Name
        2.      Time to live
        3.      Class name - should be IN
        4.      DNS record type - DS
        5.      Key Tag - An integer value less than 65536 that identifies the DNSSEC record for this domain name.
        6.      Algorithm - The cryptographic algorithm that generates the signature.
        7.      Digest Type - The algorithm type that constructs the digest.
        8.      Digest - The digest is an alpha-numeric value.

DNSKEY Example:
domain.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz......vnOf+EPbtG9DMBmADjFDFw== ); key id = 60485
        1.      Domain Name
        2.      Time to live
        3.      Class name - should be IN
        4.      DNS record type - DNSKEY
        5.      Flag - This identifies the key type: a Zone-Signing Key (256) or a Key-Signing Key (257).
        6.      Protocol
        7.      Algorithm - The cryptographic algorithm that generates the signature.
        8.      Public Key - Registries use this value to encrypt DS records. Decryption requires a matching private key. At the end of the public key value you can also specify the key tag (key id = XXXX), an integer value less than 65536 that identifies the DNSSEC record for this domain name.
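
A DS record that does not match the DNSKEY published at your external DNS makes the domain fail validation, so it is worth checking the pair before entering it. The following is an added example (not Internet.bs code) that parses a DS line in the format above, validates its fields, and recomputes the key tag (RFC 4034 Appendix B) and digest from the DNSKEY fields. The helper names and the 4-byte key "AAECAw==" are constructed for illustration.

```python
import base64, hashlib, struct
# DS digest types (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def parse_ds(line):
    """Split 'owner ttl IN DS keytag alg digesttype ( hex )' and validate it."""
    tok = line.replace("(", " ").replace(")", " ").split()
    if len(tok) < 8 or tok[2].upper() != "IN" or tok[3].upper() != "DS":
        raise ValueError("not an IN DS record")
    tag, alg, dtype = (int(t) for t in tok[4:7])
    digest = "".join(tok[7:]).upper()  # digest may be split by whitespace
    if not 0 <= tag < 65536:
        raise ValueError("key tag must be less than 65536")
    if dtype not in DIGESTS:
        raise ValueError("unsupported digest type")
    if len(bytes.fromhex(digest)) != DIGESTS[dtype]().digest_size:
        raise ValueError("digest length does not fit the digest type")
    return {"owner": tok[0], "ttl": int(tok[1]), "key_tag": tag,
            "algorithm": alg, "digest_type": dtype, "digest": digest}

def dnskey_rdata(flags, protocol, algorithm, b64_key):
    """DNSKEY RDATA in wire form: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(b64_key)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, dtype):
    """Digest over the canonical owner name followed by the DNSKEY RDATA."""
    labels = owner.rstrip(".").lower().split(".")
    name = b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"
    return DIGESTS[dtype](name + rdata).hexdigest().upper()

def make_ds(owner, ttl, flags, protocol, algorithm, b64_key, dtype=2):
    """Build the DS line that corresponds to the given DNSKEY fields."""
    rdata = dnskey_rdata(flags, protocol, algorithm, b64_key)
    return (f"{owner} {ttl} IN DS {key_tag(rdata)} {algorithm} {dtype} "
            f"( {ds_digest(owner, rdata, dtype)} )")

def ds_matches(ds_line, flags, protocol, algorithm, b64_key):
    """True only if the DS line was derived from this DNSKEY at the same owner."""
    ds = parse_ds(ds_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, b64_key)
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == algorithm
            and ds["digest"] == ds_digest(ds["owner"], rdata, ds["digest_type"]))

if __name__ == "__main__":  # constructed placeholder key bytes, not a real key
    print(make_ds("domain.com.", 86400, 257, 3, 8, "AAECAw=="))
```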
