What is DNSSEC?
Domain Name System Security Extensions, or DNSSEC, is an important security protocol that sits on top of the existing domain name system and provides a critical level of assurance that traffic comes from where it says it does. DNSSEC protects against forged DNS answers. DNSSEC-protected zones are cryptographically signed to ensure the DNS records received are identical to the DNS records published by the domain owner. DNSSEC makes it much harder for hackers to perform man-in-the-middle attacks.
Enabling DNSSEC
The steps required to enable DNSSEC depend upon a domain name's Registrar and the nameservers or DNS service provider it is using. Begin by determining your domain name's Registrar, its nameservers or DNS provider, and its DNSSEC status. To find this information, perform a WHOIS lookup here:
https://www.alpineweb.com/domain-names/whois/
Look for the following fields (output from WHOIS servers may vary - these are intended as examples):
Registrar: eNom, LLC - 1 API GmbH
Name Server: lara.ns.cloudflare.com, will.ns.cloudflare.com
DNSSEC: unsigned or signedDelegation
Instructions for Enabling DNSSEC
AlpineWeb Customers can enable DNSSEC for their domains by following the instructions below:
- My Domain Name is registered with AlpineWeb:
- My Domain Name is not registered with AlpineWeb and is using Cloudflare
- My Domain Name is not registered with AlpineWeb and is not using Cloudflare
If you are an AlpineWeb Customer and would like assistance in enabling DNSSEC for your domain to increase your domain's security, submit a Help Ticket here:
https://www.alpineweb.com/backroom/submitticket.php?step=2&deptid=3
My Domain's Registrar is Hexonet / 1 API GmbH and is using Cloudflare
There are two steps to enabling DNSSEC.
Begin by logging in to the AlpineWeb Customer Backroom:
https://www.alpineweb.com/backroom/clientarea.php
Your login details are as follows:
Login: The email address used during the initial account creation.
Password: Specified during the ordering process
After logging in to the AlpineWeb Customer Backroom take the following steps:
- Cloudflare - The first step is to enable and create DNSSEC records in Cloudflare.
- Navigate to:
Services > My Services > Cloudflare Account: Manage > Manage Cloudflare
- Next, click on the DNS tab
- Click on Enable DNSSEC
Note: If you encounter the following message, you may need to refresh the page: "The DS added to your registrar is incorrect! Please check the DS record below and make sure you've added the same record to your registrar."
- DNSSEC will be pending until the DS record has been added to your domain's registrar. This usually takes ten minutes, but can take up to an hour.
- My Domain's Registrar is Hexonet / 1 API GmbH
- After enabling DNSSEC in Cloudflare, a DNS record called a DS needs to be added at the registrar level. The DS helps DNS resolvers verify the public key used to sign your DNS records.
- In a new browser tab, navigate to:
Domains > My Domains > Domain Name: Manage > DNSSEC Management
- Copy the individual DNSSEC records from the Cloudflare DNSSEC page into the domain name's DNSSEC Management form:
Example Records:
DS Records
Keytag: 2371
Algorithm: 13
Digest Type: 2
Digest: Value from Cloudflare DNSSEC page
KEY Records
Flags: 257
Protocol: 3
Algorithm: 13
Public Key: Value from Cloudflare DNSSEC page
My Domain's Registrar is Enom and is using Cloudflare
There are two steps to enabling DNSSEC.
Begin by logging in to the AlpineWeb Customer Backroom:
https://www.alpineweb.com/backroom/clientarea.php
Your login details are as follows:
Login: The email address used during the initial account creation.
Password: Specified during the ordering process
After logging in to the AlpineWeb Customer Backroom take the following steps:
- Cloudflare - The first step is to create DNSSEC records in Cloudflare.
- Navigate to:
Services > My Services > Cloudflare Account: Manage > Manage Cloudflare
- Next, click on the DNS tab
- Click on Enable DNSSEC
Note: If you encounter the following message, you may need to refresh the page: "The DS added to your registrar is incorrect! Please check the DS record below and make sure you've added the same record to your registrar."
- DNSSEC will be pending until the DS record has been added to the domain's registrar.
- My Domain's Registrar is Enom
- After enabling DNSSEC in Cloudflare, a DNS record called a DS needs to be added at the registrar level. The DS helps DNS resolvers verify the public key used to sign your DNS records.
- A DS record will need to be constructed and submitted to Enom using the following format:
domain-name.com. 3600 IN DS 2371 13 2 30cd4ef1210ff5b4af5bef6384d08e31e9d158211026b323d6fb6750b82ddb4d
<domain-name.com.> <TTL> IN DS <Key Tag> <Algorithm> <Digest Type> <Digest>
Construct the DS record from the Cloudflare DNSSEC page values:
Example Records:
DS Records
Keytag: 2371
Algorithm: 13
Digest Type: 2
Digest: Value from Cloudflare DNSSEC page
KEY Records
Flags: 257
Protocol: 3
Algorithm: 13
Public Key: Value from Cloudflare DNSSEC page
- After creating the DS record to be submitted to Enom, submit a Support Ticket to our Domain Name Service Department using the following example:
Please add a DS record to Enom for my domain, my-domain-name.com
My DS record is:
my-domain-name.com. 3600 IN DS 2371 13 2 30cd4ef1210ff5b4af5bef6384d08e31e9d158211026b323d6fb6750b82ddb4d
https://www.alpineweb.com/backroom/submitticket.php?step=2&deptid=3
- Enom's process may take 24-48 hours.
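To confirm that a DS record really corresponds to the KEY record values (Flags, Protocol, Algorithm, Public Key) before it is entered at the registrar or sent in a ticket, the key tag and digest can be recomputed as defined in RFC 4034. This is an added example, not AlpineWeb's or Cloudflare's code; the function names are hypothetical and SAMPLE_KEY is a constructed 64-byte placeholder to be replaced with the Public Key value from the Cloudflare DNSSEC page.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # by Digest Type
# Constructed placeholder: algorithm 13 (ECDSA P-256) keys are 64 bytes long.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA in wire form: flags, protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(name, ttl, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Build '<name> <TTL> IN DS <Key Tag> <Algorithm> <Digest Type> <Digest>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGESTS[digest_type](owner_wire(name) + rdata).hexdigest()
    return f"{name} {ttl} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def parse_ds(line):
    name, ttl, klass, rtype, tag, alg, dtype, *digest = line.split()
    if (klass.upper(), rtype.upper()) != ("IN", "DS"):
        raise ValueError("not an IN DS record")
    return name, int(ttl), int(tag), int(alg), int(dtype), "".join(digest).lower()

def check_ds(ds_line, flags, protocol, algorithm, public_key_b64):
    """Return a list of mismatches; an empty list means the DS fits the key."""
    name, ttl, tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGESTS:
        return [f"unsupported digest type {dtype}"]
    expected = parse_ds(make_ds(name, ttl, flags, protocol, algorithm, public_key_b64, dtype))
    problems = []
    if tag != expected[2]:
        problems.append(f"key tag {tag} != computed {expected[2]}")
    if alg != algorithm:
        problems.append(f"algorithm {alg} != DNSKEY algorithm {algorithm}")
    if digest != expected[5]:
        problems.append("digest does not match the DNSKEY")
    return problems
```

Call `check_ds(ds_line, 257, 3, 13, public_key)` with the DS line you intend to submit; any entry in the returned list means the DS would not validate against that key, which is the condition that makes a signed zone fail to resolve for validating resolvers.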
My Domain Name is not registered with AlpineWeb and is using Cloudflare
We recommend that you contact your Domain Registrar before beginning this process as some Registrars do not support DNSSEC.
There are two steps to enabling DNSSEC.
Begin by logging in to the AlpineWeb Customer Backroom:
https://www.alpineweb.com/backroom/clientarea.php
Your login details are as follows:
Login: The email address used during the initial account creation.
Password: Specified during the ordering process
After logging in to the AlpineWeb Customer Backroom take the following steps:
- Cloudflare - The first step is to create DNSSEC records in Cloudflare.
- Navigate to:
Services > My Services > Cloudflare Account: Manage > Manage Cloudflare
- Next, click on the DNS tab
- Click on Enable DNSSEC
Note: If you encounter the following message, you may need to refresh the page: "The DS added to your registrar is incorrect! Please check the DS record below and make sure you've added the same record to your registrar."
- DNSSEC will be pending until the DS record has been added to your domain's registrar.
- My Domain's Registrar
- After enabling DNSSEC in Cloudflare, a DNS record called a DS needs to be added at the registrar. The DS helps DNS resolvers verify the public key used to sign your DNS records.
- Contact your domain's Registrar for instructions and guidance to enable DNSSEC for your domain name registration.
- Your Registrar's process may take 24-48 hours.
My Domain Name is not registered with AlpineWeb and is not using Cloudflare
If your domain name is not with an AlpineWeb Registrar, you will need to contact your domain's Registrar and DNS provider for instructions and guidance to enable DNSSEC for your domain name registration.