one.com supports DNSSEC, Domain Name System Security Extensions. It is, by default, enabled and activated when using one.com's name servers. In this article, we explain more about DNSSEC.
In order to understand DNSSEC, it is helpful to have an understanding of the basics of DNS (Domain Name System). For a refresher, you can check our guide: What is DNS?
- What is DNSSEC?
- What does DNSSEC protect?
- How to manage DNSSEC
- How to verify DNSSEC is working
- Not using our name servers > DS records
What is DNSSEC?
DNS by itself has no built-in security, so DNSSEC was created to add it. It is a set of extensions that adds a layer of security to a DNS zone by digitally signing it. If a domain name uses DNSSEC, its DNS records are published together with cryptographic signatures, created with the zone's signing keys.
These signatures are validated by DNS resolvers, which confirms that the DNS data was published by the owner of the zone and has not been altered or forged in transit. This gives users a trustworthy way to reach your website and online services.
What does DNSSEC protect?
DNS is vulnerable to a range of attacks, such as DNS spoofing, DNS hijacking and DNS cache poisoning. These attacks can have serious consequences, including redirecting users to malicious or fraudulent websites, stealing sensitive information, or disrupting the normal operation of the internet.
DNSSEC-signed domains guarantee the authenticity and integrity of the DNS data exchanged between signed zones, which makes the DNS infrastructure of an individual zone more trustworthy and secure overall.
DNSSEC does not encrypt DNS data and does not provide privacy protection. TLS/SSL, on the other hand, encrypts the data exchanged between clients and servers to secure various internet protocols, including web browsing (HTTPS) and email (SMTP, IMAP). An SSL certificate, however, doesn't protect DNS answers against spoofing, while DNSSEC does. Read more about SSL in our articles in this section.
Tip: If you want to learn more about what DNSSEC is and why it's important, check this article from ICANN.
How to manage DNSSEC
DNSSEC is enabled and activated by default when using one.com's name servers. If you want to deactivate it, follow these steps:
- Log into the one.com Control Panel.
- On the Advanced settings tile, select DNS settings.
- Click the tab Name servers.
- In your Name server administration, click the tab DNSSEC.
- Click the Deactivate button.
How to verify DNSSEC is working
You can use a web-based validation tool to verify if the DNSSEC configuration is working for your domain. We have listed two below. They check if your domain's DNS records have been signed correctly and can be verified by DNS resolvers; they also provide a report on any issues or errors.
- DNSViz.net - Provides a visual representation. You should only see “Secure” in the left column.
- DNSSEC-Analyzer.VeriSignLabs.com - Provides detailed information. You should only see green checks.
Have you activated DNSSEC through the one.com Control Panel? Then the verification may take up to 24 hours. A green bar with the success message is visible when it is successfully activated, as shown in the screenshot below. When revisiting the page, this notification will no longer be displayed.
Not using our name servers?
DNSSEC is automatically disabled if you change to external name servers. The notification in the screenshot below will then be shown in the one.com Control Panel under "DNS settings" > "Name servers" > "DNSSEC". When DNSSEC is enabled and activated at your external DNS provider, you need to add the DS records with us manually.
Adding DS records
Delegation Signer (DS) records are an essential component of DNSSEC. They delegate trust from a parent zone to a child zone, forming what is known as the 'chain of trust'. The DS record, published in the parent zone, holds a digest of the child zone's signing key so that resolvers can verify the authenticity of the child zone's keys. DS records are automatically configured when the domain is using one.com's name servers.
When one.com's name servers are not used, you add DS records manually via the one.com Control Panel. You can get the 4 values that are needed, KeyTag, Algorithm, Digest type and Digest, from your name server provider or via a generator tool. Then follow these steps to create the DS record:
- Log into the one.com Control Panel.
- On the Advanced settings tile, select DNS settings.
- Click the tab Name servers.
- In your Name server administration, click the tab DS Records.
- Enter the values in the 4 separate fields for KeyTag, Algorithm, Digest type and Digest.
- Click Save.
- It will now start loading your existing DNS records. It will show a green bar with a success message if successfully added.
Note: Adding incorrect DNS records may cause website downtime. You are welcome to contact our support for assistance if you’re concerned about anything on the DNS settings.