Domains - DNSSEC



DNSSEC

DNSSEC is a method of securing a domain against DNS spoofing attempts. It uses security keys to ensure that the information obtained from DNS is complete, provided by the correct source, and not tampered with by any third party during transmission.

You can set up DNSSEC for all domains that support this method:

  • all CZ and EU domains that we register;
  • all SK domains and gTLDs (including nTLDs) that are registered with us but do not use our DNS servers.

PL domains do not currently support DNSSEC.


Setting up DNSSEC on a domain

DNSSEC security typically takes up to 6 hours to set up.

You can set up DNSSEC under the following conditions:

  • CZ and EU domains must be registered with us and may or may not use our DNS servers.
  • SK domains and generic domains (COM, NET, WEBSITE, ...) must be registered with us, but they must not use our DNS.

Follow these steps to access the DNSSEC settings:

  1. Log in to the customer administration.
  2. Select Domains from the top menu.
  3. In the overview, select the domain for which you want to set up DNSSEC.
  4. Select DNSSEC Settings from the left menu.
Entering the DNSSEC Settings Interface

Next, follow the instructions for your domain extension:

Activating DNSSEC for CZ and EU domains

For domains with CZ and EU endings, DNSSEC is set automatically by default. If you want to disable the automatic setting, uncheck the Enable future automatic DNSSEC WEDOS setup/disable option in the Customer Options section.

For CZ and EU domains we offer a complete DNSSEC solution. Both the domain and the DNS servers (NSSET) must be managed by WEDOS in this case.

In the DNSSEC settings interface, select the Use DNSSEC WEDOS option, and then click Set up DNSSEC.

For these domains, you can also set future WEDOS DNSSEC auto-setup/disable in the same frame in case the system experiences problems with DNSSEC.

If you are not using WEDOS DNS servers (NSSET), you can use an existing custom KEYSET, or create and use a custom KEYSET. Signing DNS records on DNS servers is handled by the DNS service provider or the domain administrator (customer).

Activating DNSSEC for SK and generic domains

For SK, gTLD and nTLD domains we offer the option to activate DNSSEC, but you must have DNS servers set up with another provider. You also need to obtain the Digest or Public key values from this provider (if they support DNSSEC). Signing DNS records on DNS servers is handled by the DNS service provider or the domain administrator (customer).

In the DNSSEC configuration interface, follow these steps: 

  1. Check the option to use custom DNSSEC keys.
  2. In the Custom DNSSEC Keys table, select a key type and enter the appropriate values.
  3. Save the settings by clicking Set DNSSEC.
Sample use of a custom public key when setting up DNSSEC
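
Before entering the Digest or Public key values from your DNS provider, you can check offline that both describe the same key. The following Python code is an added example, not WEDOS code: it derives the key tag and DS digest from a DNSKEY as defined in RFC 4034 and compares them with a DS string. The zone example.cz and the all-0x01 key are constructed placeholders.

```python
import base64
import hashlib
import struct

# Digest types a DS record may carry (IANA: 2 = SHA-256, 4 = SHA-384).
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample, not a real key: 64 bytes of 0x01 shaped like an
# algorithm 13 (ECDSA P-256) public key, for the placeholder zone example.cz.
SAMPLE_OWNER = "example.cz"
SAMPLE_PUBKEY = "AQEB" * 21 + "AQ=="

def name_to_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    key = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (not for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()

def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """True if 'tag alg digest-type hexdigest' was derived from this DNSKEY."""
    tag, alg, dtype, *hex_parts = ds_text.split()
    if int(dtype) not in DIGESTS:
        return False
    claimed = (int(tag), int(alg), int(dtype), "".join(hex_parts).upper())
    return claimed == make_ds(owner, flags, protocol, algorithm,
                              pubkey_b64, int(dtype))
```

A mismatch between the DS data at the registry and the DNSKEY published in the zone breaks the chain of trust, so validating resolvers stop resolving the domain.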

Deactivating DNSSEC

In the DNSSEC settings interface, select the Do not use DNSSEC check box, and then click Set up DNSSEC.


Bulk DNSSEC settings

Currently, only CZ and EU domains that are registered with us support DNSSEC bulk settings. We recommend using our DNS servers.

Perform the following steps to set up DNSSEC in bulk:

  1. Log in to the customer administration.
  2. Select Domains from the top menu.
  3. In the overview, check the CZ and EU domains for which you want to set DNSSEC in bulk.
  4. At the bottom of the table, select the DNSSEC settings.
  5. Click the Execute button.
Bulk DNSSEC settings

In the following wizard, enter the desired settings and confirm with the Finish button.


Common problems

Common problems with DNSSEC include:

SK or gTLD with WEDOS DNS

Problem: The following error message appears: "ERROR: DNSSEC for this domain is enabled only when using foreign DNS servers. None of our DNS servers can be used for this domain."

Error message SK or gTLD and DNS with us

Cause: You can set DNSSEC on SK and generic domains (COM, NET, ONLINE, ...) only if you do not use our DNS servers.

Solution: Change DNS servers to another provider that supports DNSSEC.


Frequently Asked Questions

Can I use my own KEYSET for CZ and EU domains?

Yes, but you must not use our DNS servers.

Why do I have to use foreign DNS servers for generic domains?

For gTLD domains, we cannot automate the DNSSEC setup process sufficiently for technical reasons. The registries of CZ and EU domains support KEYSET objects, thanks to which we can perform DNSSEC key rotation in the parent zone in bulk for all affected domains with a single command. For other registries, we would have to rotate keys individually for each domain, and in some cases this may not even be possible due to possible domain restrictions by the registry. Failure to perform a key rotation could then cause the domain to become unavailable due to a broken DNSSEC key chain.

How to disable DNSSEC?

In the DNSSEC settings interface, select the Do not use DNSSEC option and confirm. Like all DNSSEC settings, this will take a few hours to take effect.

How is DNSSEC revoked?

The system sends the command to remove DNSSEC keys from the parent zone to the registry immediately. If the domain uses our DNS servers, the TTL of the DNSSEC keys in the parent zone must then expire after the command is sent. When the TTL expires, the system removes the zone signature on our DNS servers to complete the DNSSEC revocation request for the domain. You cannot change the DNSSEC settings on the domain in any way while the DNSSEC revocation request is pending.
