DNSSEC overview


Overview

This article explains what DNSSEC is and how to use it at DreamHost.

FAQs

What is DNSSEC?

Domain Name System Security Extensions (DNSSEC) is a suite of specifications to authenticate and secure DNS information. There are two parts to the configuration:

  • The registrar: DreamHost supports DNSSEC as a registrar. This means that if your domain is registered at DreamHost, DNSSEC is available for the domain registration.
  • The nameservers: DreamHost's nameservers are not compatible with DNSSEC.

To use DNSSEC with a domain registered at DreamHost, you must point your nameservers at a third-party host that supports DNSSEC (on their nameservers).

Once your domain's nameservers are hosted at a third-party company that supports DNSSEC, DreamHost can complete the DNSSEC configuration for the registration (as the registrar of the domain).

Why is DNSSEC necessary?

When the DNS infrastructure was originally designed, it included no security protection. When you looked up a website, the resolver did not verify the authenticity of an answer before accepting it and returning the address to you. Because answers were not verified, a malicious party could forge or hijack DNS responses and redirect traffic for their own purposes. DNSSEC helps prevent this by adding authentication to DNS.

DNSSEC digitally signs DNS data so a resolver can verify that it is unaltered and originates from the zone's authoritative source.

What does DNSSEC provide to DNS clients (resolvers)?

A DNS client (resolver) is responsible for translating a domain name into an IP address. DNSSEC provides resolvers with guarantees such as:

  • Origin authentication of DNS data
  • Authenticated denial of existence
  • Data integrity

DNSSEC can protect any published DNS record type, for example:

  • text records (TXT)
  • mail exchange records (MX)

Are there any features that DNSSEC does not support?

Yes. There are a few features that DNSSEC does not support, including:

  • Confidentiality: DNSSEC does not provide confidentiality of data. All DNSSEC responses are authenticated, but they are not encrypted.
  • DDoS protection: DNSSEC does not directly protect against DDoS attacks.
  • Encryption: DNSSEC does not encrypt any data.
  • Spoofing: DNSSEC does not prevent spoofing or phishing.

Are certain domains not supported?

Yes. DreamHost does not support DNSSEC for .eu domains.

Configuring DNSSEC

  1. Register a domain at DreamHost.
  2. Point the domain's nameservers to a third-party host that supports DNSSEC (on their nameservers).
  3. Inform your third-party DNS host that you need to set up public keys to configure DNSSEC on your domain. They should provide you with 4 pieces of information:
    • key tag
    • algorithm
    • digest type
    • digest

    These fields are explained below, each with an example value.

    • key tag: An integer in the range 0 to 65535. Example: 62910
    • algorithm: An integer that references the cryptographic algorithm used to generate the signature. Possible values are 1, 2, 3, 5, 6, 7, 8, 10, 12, 13, 14. Example: 7
    • digest type: An integer that corresponds to the hash algorithm used to construct the digest. Values are 1 or 2. Example: 1
    • digest: A hexadecimal value. Make sure to remove any white space. Example: 1D6AC75083F3CEC31861993E325E0EEC7E97D1DD
  4. Create a ticket in your DreamHost panel and provide this data to technical support.
  5. Technical support will then complete the configuration for you.
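Before filing the ticket in step 4, it is worth checking that the four values your DNS host gave you are consistent with each other, since a digest of the wrong length or with stray spaces will not match the published key. The following is an added example (not DreamHost's own tooling) that validates the fields and renders them as a DS record; the algorithm names come from the IANA DNSSEC algorithm registry, and "example.com" is a placeholder owner name.

```python
import re

# Algorithm numbers the article lists as accepted, with their IANA-registered names.
ALGORITHMS = {
    1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
}
# Digest types the article lists, mapped to the hex length each hash produces.
DIGEST_HEX_LEN = {1: 40, 2: 64}  # 1 = SHA-1 (20 bytes), 2 = SHA-256 (32 bytes)


def normalize_digest(digest: str) -> str:
    """Strip whitespace (hosts often display the digest in spaced groups) and upper-case it."""
    return re.sub(r"\s+", "", digest).upper()


def validate_ds(key_tag: int, algorithm: int, digest_type: int, digest: str) -> list[str]:
    """Return a list of problems; an empty list means the four fields are consistent."""
    problems = []
    if not 0 <= key_tag <= 65535:
        problems.append(f"key tag {key_tag} outside 0..65535")
    if algorithm not in ALGORITHMS:
        problems.append(f"algorithm {algorithm} not in the accepted list {sorted(ALGORITHMS)}")
    if digest_type not in DIGEST_HEX_LEN:
        problems.append(f"digest type {digest_type} must be 1 or 2")
    clean = normalize_digest(digest)
    if not re.fullmatch(r"[0-9A-F]+", clean):
        problems.append("digest contains non-hexadecimal characters")
    elif digest_type in DIGEST_HEX_LEN and len(clean) != DIGEST_HEX_LEN[digest_type]:
        problems.append(f"digest has {len(clean)} hex chars but digest type "
                        f"{digest_type} requires {DIGEST_HEX_LEN[digest_type]}")
    return problems


def ds_record(owner: str, key_tag: int, algorithm: int, digest_type: int, digest: str) -> str:
    """Render the fields as a DS record in zone-file presentation format (RFC 4034)."""
    problems = validate_ds(key_tag, algorithm, digest_type, digest)
    if problems:
        raise ValueError("; ".join(problems))
    owner = owner.rstrip(".") + "."
    return f"{owner} IN DS {key_tag} {algorithm} {digest_type} {normalize_digest(digest)}"


if __name__ == "__main__":
    # The example values from the article, with the digest as a host might display it.
    print(ds_record("example.com", 62910, 7, 1, "1D6AC750 83F3CEC3 1861993E 325E0EEC 7E97D1DD"))
    # A SHA-1-length digest labelled as digest type 2 is caught before the ticket is filed.
    print(validate_ds(62910, 7, 2, "1D6AC75083F3CEC31861993E325E0EEC7E97D1DD"))
```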

Troubleshooting

DNS issues after transferring a domain to DreamHost

If you notice intermittent problems with DNS after your domain transfer completes, DNSSEC may have been enabled on your domain before the transfer. This can cause issues because DNSSEC (DS) records are attached to the domain registration and transfer along with it; they are NOT removed when a domain moves from one registrar to another. If the new nameservers do not serve signed records that match those DS records, validating resolvers will reject the answers.

  • If you wish to use DreamHost’s nameservers with your newly transferred domain, contact DreamHost support to have the attached DNSSEC records removed.
  • If you instead prefer to keep utilizing DNSSEC, you will need to point the domain's nameservers to a DNS provider that supports it.
