How to Install DNSSEC

DNSSEC is a way to digitally "sign" your DNS data, preventing man-in-the-middle DNS attacks. If you have been provided with a DNSSEC record from your DNS provider, you can use the following steps to install it.

⚠️ Warning

This guide walks through how to enable DNSSEC on a domain not using Porkbun's nameservers. If you are using Porkbun's nameservers, please refer to the following guide instead: How to enable Porkbun's Cloudflare DNSSEC

1. Log in. You should arrive at the Domain Management screen. If you're already logged in, click on ACCOUNT in the top-right corner and select Domain Management.

2. Locate your domain and click the drop-down list to the right. On the menu that appears, click the "Manage" option next to "DNSSEC".

3. On the "Create DNS Record" screen you can enter the required information, then select the green "Create" button at the bottom left of the page.

Please note that most registries only support dsData. Some ccTLD registries, such as .eu, .de, and .nl, only support keyData. If you get an error while creating a DNSSEC record, try creating it exclusively with the dsData information. If that doesn't work, try creating it exclusively with the keyData information.

That's it! The DNSSEC record is created. Validating resolvers such as Google's 8.8.8.8 service will now check every DNS lookup to make sure your authoritative DNS server (see: How to assign nameservers) is returning records whose signatures chain to the DNSSEC record you just installed, ensuring a man-in-the-middle attack is not occurring. Your domain should now pass DNSSEC validation using a service such as https://dnssec-analyzer.verisignlabs.com/

The following is a brief explanation of what each entry means.

Key Tag
Used to identify the DNSSEC key for the domain

Algorithm
Identifies the algorithm used to create the signature

Digest Type
Identifies the algorithm used to create the digest

Digest
Digest integer value

Key Data

Not all registries support keyData. If you get an error while creating a DNSSEC record, try creating it without keyData information.

Max Sig Life
Indicates the amount of time in seconds the signature is valid

Flags
Indicates the key type (Zone-signing or Key-signing)

Protocol
Identifies the protocol for the key match-up

Key Data Algorithm
Identifies the algorithm for generating key data

Public Key
Key the registry uses to encrypt the DS records
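As an added cross-check that is not part of Porkbun's guide or Porkbun's code: the Python script below derives the four DS fields above (Key Tag, Algorithm, Digest Type, Digest) from the DNSKEY record your DNS provider publishes, following RFC 4034, so the values can be confirmed before they are submitted to the registrar. The owner name, the dummy 4-byte key and the algorithm number in the sample are constructed placeholders, not real key material.

```python
import base64
import hashlib
import struct

# DS digest types implemented here: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384 (3, GOST, omitted).
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(text: str) -> tuple:
    """Parse the 'flags protocol algorithm base64key' tail of a DNSKEY presentation record."""
    fields = text.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    return flags, protocol, algorithm, base64.b64decode("".join(fields[3:]))

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key Tag per RFC 4034 Appendix B: sum the RDATA as 16-bit words, then fold in the carry."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, dnskey_text: str, digest_type: int = 2) -> dict:
    """Return the four DS fields the registrar form asks for; the digest is uppercase hex."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.new(DIGEST_ALGOS[digest_type], owner_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest.upper()}

def ds_matches(owner: str, dnskey_text: str, ds: dict) -> bool:
    """True when a DS entry (as typed into the registrar) corresponds to this DNSKEY."""
    expected = ds_from_dnskey(owner, dnskey_text, ds["digest_type"])
    given = str(ds["digest"]).replace(" ", "").lower()
    return (expected["key_tag"] == ds["key_tag"] and expected["algorithm"] == ds["algorithm"]
            and expected["digest"].lower() == given)

# Constructed sample: a KSK (flags 257, algorithm 13) with a dummy 4-byte key, not a real key.
SAMPLE_OWNER = "Example.com."
SAMPLE_DNSKEY = "257 3 13 AQIDBA=="
```

Paste the real DNSKEY your provider publishes (the part after `DNSKEY` in `dig DNSKEY yourdomain`) in place of the sample and compare the output with the values in the DS record you were given; a mismatch in any field means the registry will publish a DS that validators cannot chain to.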