DNSSEC
Secure your DNS with one-click DNSSEC activation.
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses haven't been tampered with.
This protects against:
- DNS Spoofing: Attackers returning fake IP addresses
- Cache Poisoning: Corrupting DNS resolver caches
- Man-in-the-Middle Attacks: Intercepting and modifying DNS traffic
Enabling DNSSEC
TrueDNS makes DNSSEC simple with one-click activation:
- Navigate to your domain in the Dashboard
- Click the "DNSSEC" tab or toggle
- Click "Enable DNSSEC"
- TrueDNS will automatically generate keys and sign your zone
✓ What TrueDNS handles automatically:
- Key generation (KSK and ZSK)
- Zone signing
- Key rotation
- NSEC3 for zone walking protection
Adding DS Records to Your Registrar
After enabling DNSSEC, you need to add the DS record to your domain registrar to complete the chain of trust.
- After enabling DNSSEC, TrueDNS will display your DS record details
- Copy the DS record information:
  - Key Tag
  - Algorithm
  - Digest Type
  - Digest
- Log in to your domain registrar
- Find the DNSSEC or DS record settings
- Add the DS record using the values from TrueDNS
Example DS Record
Key Tag: 12345
Algorithm: 13 (ECDSAP256SHA256)
Digest Type: 2 (SHA-256)
Digest: A1B2C3D4E5F6...
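Before saving the DS record at the registrar, you can check that its four fields really correspond to the zone's key-signing key (the DNSKEY with flags 257). The following is an added example, not TrueDNS code: it derives the key tag (RFC 4034 Appendix B) and the SHA-256 digest from a DNSKEY and reports which entered fields do not match. The function names and the sample public key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample only: 64 placeholder bytes standing in for a P-256 public key.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Derive the four DS fields (digest type 2, SHA-256) from a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": digest}

def ds_mismatches(entered, owner, flags, protocol, algorithm, pubkey_b64):
    """Return the names of DS fields that differ from what the DNSKEY implies."""
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64)
    cleaned = dict(entered, digest=str(entered.get("digest", "")).replace(" ", "").upper())
    return sorted(k for k in expected if cleaned.get(k) != expected[k])

if __name__ == "__main__":
    # KSK-style DNSKEY fields (flags 257, protocol 3, algorithm 13) with the sample key.
    ds = make_ds("example.com", 257, 3, 13, SAMPLE_PUBKEY_B64)
    print(ds)
    typo = dict(ds, digest_type=1)  # wrong digest type selected at the registrar
    print(ds_mismatches(typo, "example.com", 257, 3, 13, SAMPLE_PUBKEY_B64))
```

In practice the flags, protocol, algorithm and base64 key come from the zone's published DNSKEY record, and the entered values are what you typed into the registrar form.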
Verifying DNSSEC
After adding the DS record, wait for propagation (up to 48 hours), then verify:
Using dig
dig +dnssec example.com
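Look for the ad (authenticated data) flag in the flags line of the response header. The flag is set only when the resolver you query performs DNSSEC validation.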
Online verification tools:
- DNSViz - Visual DNSSEC analysis
- Verisign DNSSEC Analyzer
Disabling DNSSEC
To safely disable DNSSEC:
- First: Remove the DS record from your registrar
- Wait for the DS record removal to propagate (check the DS record's TTL)
- Then: Disable DNSSEC in TrueDNS
⚠ Warning: Disabling DNSSEC in TrueDNS before removing the DS record from your registrar will cause DNS resolution failures.