Enabling DNSSEC
This guide provides step-by-step instructions for enabling DNSSEC (Domain Name System Security Extensions) on your domains in the UK DNS Privacy Project authoritative DNS service.
Prerequisites
Before enabling DNSSEC, ensure:
- Your domain is fully delegated to our nameservers:
  - ns1.dnsprivacy.org.uk
  - ns2.dnsprivacy.org.uk
- Your domain registrar supports DNSSEC DS record configuration
- You have access to update your domain’s settings at your registrar
Step 1: Enable DNSSEC in Your Domain Settings
- Log in to your UK DNS Privacy Project dashboard
- Navigate to Dashboard > Authoritative Domains
- Click on the domain name for which you want to enable DNSSEC
- Click the Edit button in the top-right corner
- Find the DNSSEC Enabled checkbox in the security settings section
- Check the box to enable DNSSEC
- Click Save Changes to apply the setting

After saving, our system will automatically:
- Generate the necessary cryptographic keys (KSK and ZSK)
- Sign all DNS records in your domain
- Make the signed records available via our nameservers
Step 2: Obtain DS Records
Once DNSSEC is enabled, you need to obtain the DS (Delegation Signer) records to provide to your domain registrar:
- Return to your domain’s details page
- Click on the DNSSEC tab or section
- You’ll see the generated DS records, typically in this format:

You’ll need to copy these values to provide to your registrar. DS records typically include:
- Key Tag (a numerical identifier)
- Algorithm (a number representing the cryptographic algorithm)
- Digest Type (a number representing the hash function)
- Digest (the hexadecimal hash value)
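Example DS record (illustrative placeholder: a real digest contains only hexadecimal characters, and a digest of type 2, SHA-256, is 64 characters long):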
12345 13 2 1A2B3C4D5E6F7G8H9I0J1K2L3M4N5O6P7Q8R9S0T1U2V3W4X5Y6Z7
Step 3: Add DS Records at Your Registrar
To complete the DNSSEC setup, you must add the DS records at your domain registrar:
- Log in to your domain registrar’s account
- Navigate to the domain’s management page
- Look for DNSSEC, DS Records, or Security settings
- Enter the DS record(s) from Step 2
The exact process varies by registrar.
Step 4: Verify DNSSEC Configuration
After adding the DS records at your registrar, you should verify that DNSSEC is working properly:
- Allow time for the DS records to propagate (typically 24-48 hours)
- Use online DNSSEC validation tools such as:
- Enter your domain name and check for a successful DNSSEC validation

DNSSEC Status Indicators
In your domain list and domain details page, you’ll see DNSSEC status indicators:
- DNSSEC Disabled: Red badge indicating DNSSEC is not enabled
- DNSSEC Enabled (No DS): Yellow badge indicating DNSSEC is enabled but DS records are not configured at your registrar
- DNSSEC Enabled: Green badge indicating DNSSEC is fully configured and operational
Disabling DNSSEC
If you need to disable DNSSEC:
- First, remove the DS records from your domain registrar
- Wait 24-48 hours for these changes to propagate
- Then disable DNSSEC in your domain settings in the UK DNS Privacy Project dashboard
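Important: Disabling DNSSEC in your dashboard before removing DS records from your registrar can cause DNS resolution failures for your domain, because validating resolvers still find the DS records in the parent zone and reject the now-unsigned answers.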
Troubleshooting
Common Issues
DNSSEC Validation Failures
If DNSSEC validation fails:
- Verify the DS records at your registrar match those in your dashboard
- Check if your registrar has properly published the DS records
- Allow sufficient time for propagation (24-48 hours)
DNS Resolution Problems
If you experience website or email connectivity issues:
- Verify the DS records are correctly configured
- Check for DNSSEC validation errors using online tools
- Temporarily disable DNSSEC if needed (remove DS records first, then disable in dashboard)
DS Record Mismatch
If the DS records don’t match:
- Update the DS records at your registrar to match those in the dashboard
- If the issue persists, contact our support team
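A DS record is derived from the zone's key-signing DNSKEY, so the match described under DS Record Mismatch can be checked by recomputing the DS and comparing it with what was entered at the registrar. The Python below is an added example, not code from the UK DNS Privacy Project. The function names and the sample key (a constructed 64-byte value, not a real key) are assumptions; real DNSKEY fields would come from the zone's published DNSKEY record.

```python
import base64
import hashlib
import struct

# DS digest type -> (hashlib name, digest length in hex characters)
DIGESTS = {1: ("sha1", 40), 2: ("sha256", 64), 4: ("sha384", 96)}
# Constructed 64-byte value standing in for an algorithm 13 public key (not a real key).
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [p for p in name.lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def key_tag(rdata):
    """Key tag of DNSKEY RDATA, as in RFC 4034 Appendix B."""
    total = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (total + ((total >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Derive (key tag, algorithm, digest type, digest) from one DNSKEY."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    algo = DIGESTS[digest_type][0]
    digest = hashlib.new(algo, name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def check_ds(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """Return a list of problems with a DS record as entered at the registrar."""
    fields = ds_text.split()
    if len(fields) < 4 or not all(f.isdecimal() for f in fields[:3]):
        return ["expected: <key tag> <algorithm> <digest type> <digest>"]
    tag, alg, dtype = (int(f) for f in fields[:3])
    digest = "".join(fields[3:]).upper()  # digests are often pasted with spaces
    if dtype not in DIGESTS:
        return [f"unsupported digest type {dtype}"]
    if len(digest) != DIGESTS[dtype][1] or any(c not in "0123456789ABCDEF" for c in digest):
        return [f"digest must be {DIGESTS[dtype][1]} hexadecimal characters"]
    want = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    names = ("key tag", "algorithm", "digest type", "digest")
    return [f"{n}: registrar has {got}, DNSKEY gives {exp}"
            for n, got, exp in zip(names, (tag, alg, dtype, digest), want) if got != exp]

if __name__ == "__main__":
    good = "{} {} {} {}".format(*ds_from_dnskey("example.com", 257, 3, 13, SAMPLE_KEY_B64))
    print(good, check_ds(good, "example.com", 257, 3, 13, SAMPLE_KEY_B64))
```

An empty list from `check_ds` means the registrar's DS record matches the key; each entry otherwise names the field that differs.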