Domain Name System Security Extensions (DNSSEC) is normal DNS with added signatures to authenticate the origin of the data. It's a suite of specifications for securing DNS information.
DreamHost supports DNSSEC as a registrar. This mean that if your domain is registered at DreamHost, DNSSEC is available for the domain registration. However, at this time, DreamHost's nameservers are not compatible with DNSSEC. For this reason, you must host your nameservers at a 3rd party host that supports DNSSEC on their nameservers.
Once your domain's nameservers are hosted at a 3rd party company that supports DNSSEC on its nameservers, DreamHost can complete the DNSSEC configuration as the registrar of the domain.
How do I set up DNSSEC on my domain?
You must first host your nameservers at a third-party host that supports DNSSEC. It's not possible to enable this if your nameservers are pointed to DreamHost.
Tell your third-party DNS host that you need to set up public keys to configure DNSSEC on your domain. They should provide you with 4 pieces of information:
- key tag
- digest type
These are explained below.
|key tag||An integer in the range 0 to 65535.||62910|
|algorithm||An integer that references a cryptographic algorithm used to generate the signature. Possible values are 1, 2, 3, 5, 6, 7, 8, 10, 12, 13, 14.||7|
|digest type||An integer that corresponding to the algorithm type used to construct the digest. Values are 1 or 2.||1|
|digest||A hexadecimal alpha-numeric value. Make sure to remove any white space.||1D6AC75083F3CEC31861993E325E0EEC7E97D1DD|
When you have this information, create a ticket in your DreamHost panel and provide technical support with this data. Technical support is then able to complete the configuration for you.
Why is DNSSEC necessary?
When the infrastructure for DNS was originally designed, it did not include any security protection. If you searched for a website, the DNS server did not check for credentials before accepting an answer and sending you the data back to view the website. Because credentials were not checked, a malicious user could hijack/forge the DNS and control it for their own nefarious means. DNSSEC helps to prevent this by adding security to DNS.
Simply put, DNSSEC digitally signs the data so you can be sure it is valid and originates from its original source.
What does DNSSEC provide to DNS clients (resolvers)?
A DNS resolver is responsible for translating a domain name into an IP address. DNSSEC provides DNS clients (resolvers) with tools such as:
- Origin authentication of DNS data
- Authenticated denial of existence
- Data integrity
DNSSEC can specifically protect any DNS data published such as:
- text records (TXT)
- mail exchange records (MX)
What DNSSEC CANNOT do
Confidentiality — DNSSEC does not provide confidentiality of data. All DNSSEC responses are authenticated, but they are not encrypted.
DDoS protection — DNSSEC does not directly protect against DDoS attacks.
Encryption — DNSSEC does not encrypt any data.
Spoofing — DNSSEC does not prevent spoofing or phishing.
DNS issues after transferring a domain to DreamHost
If you notice intermittent DNS issues after transferring a domain to DreamHost, or issues with Google's DNS, it may be due to the domain having used DNSSEC with the previous provider. You should contact the previous hosting provider's support to have those DNSSEC records cleared out manually.
If you do wish to continue using DNSSEC you can keep the domain registered with DreamHost, but you'll need to use a third party to manage the DNS. This is because while the registration is able to support DNSSEC, DreamHost nameservers currently do not.