Domain Name System Security Extensions (DNSSEC) is normal DNS with added signatures to authenticate the origin of the data. It's a suite of specifications for securing DNS information.
DreamHost supports DNSSEC as a registrar. This means that if your domain is registered at DreamHost, DNSSEC is available for the domain registration. However, at this time, DreamHost's nameservers are not compatible with DNSSEC. For this reason, you must host your nameservers at a third party host that supports DNSSEC.
Once your domain's nameservers are hosted at a third party company that supports DNSSEC, DreamHost can complete the DNSSEC configuration as the registrar of the domain.
How do I set up DNSSEC on my domain?
DreamHost does not support DNSSEC for .eu domains.
You must first host your nameservers at a third-party host that supports DNSSEC. It's not possible to enable this if your nameservers are pointed to DreamHost.
Tell your third-party DNS host that you need to set up public keys to configure DNSSEC on your domain. They should provide you with 4 pieces of information:
- key tag
- digest type
These are explained below.
|key tag||An integer in the range 0 to 65535.||62910|
|algorithm||An integer that references a cryptographic algorithm used to generate the signature. Possible values are 1, 2, 3, 5, 6, 7, 8, 10, 12, 13, 14.||7|
|digest type||An integer that corresponding to the algorithm type used to construct the digest. Values are 1 or 2.||1|
|digest||A hexadecimal alpha-numeric value. Make sure to remove any white space.||1D6AC75083F3CEC31861993E325E0EEC7E97D1DD|
When you have this information, create a ticket in your DreamHost panel and provide technical support with this data. Technical support is then able to complete the configuration for you.
Why is DNSSEC necessary?
When the infrastructure for DNS was originally designed, it did not include any security protection. If you searched for a website, the DNS server did not check for credentials before accepting an answer and sending you the data back to view the website. Because credentials were not checked, a malicious user could hijack/forge the DNS and control it for their own nefarious means. DNSSEC helps to prevent this by adding security to DNS.
Simply put, DNSSEC digitally signs the data so you can be sure it is valid and originates from its original source.
What does DNSSEC provide to DNS clients (resolvers)?
A DNS resolver is responsible for translating a domain name into an IP address. DNSSEC provides DNS clients (resolvers) with tools such as:
- Origin authentication of DNS data
- Authenticated denial of existence
- Data integrity
DNSSEC can specifically protect any DNS data published such as:
- text records (TXT)
- mail exchange records (MX)
What DNSSEC CANNOT do
Confidentiality — DNSSEC does not provide confidentiality of data. All DNSSEC responses are authenticated, but they are not encrypted.
DDoS protection — DNSSEC does not directly protect against DDoS attacks.
Encryption — DNSSEC does not encrypt any data.
Spoofing — DNSSEC does not prevent spoofing or phishing.
DNS issues after transferring a domain to DreamHost
If you notice intermittent problems with DNS after your domain transfer completes, your domain may have used DNSSEC prior to transfer. DNSSEC records are also unique as they transfer along with a domain registration, so DNSSEC records are not removed when a domain is transferred from one registrar to another.
If you wish to use DreamHost’s nameservers with your newly transferred domain, please contact DreamHost support to have the attached DNSSEC records removed. If you instead prefer to keep utilizing DNSSEC, you will need to point the domain’s nameservers to a DNS provider that supports it.