How to Install DNSSEC
DNSSEC is a way to digitally "sign" your DNS data, preventing man-in-the-middle DNS attacks. If you have been provided with a DNSSEC record from your DNS provider, you can use the following steps to install it.
⚠️ Warning
This guide walks through how to enable DNSSEC on a domain not using Porkbun's nameservers. If you are using Porkbun's nameservers, please refer to the following guide instead: How to enable Porkbun's Cloudflare DNSSEC
1. Log in. You should arrive at the Domain Management screen. If you're already logged in, click on ACCOUNT in the top-right corner and select Domain Management.
2. Locate your domain and click the drop-down list to the right. On the menu that appears, click the "Manage" option next to "DNSSEC".
3. On the "Create DNS Record" screen you can enter the required information, then select the green "Create" button at the bottom left of the page.
Please note that most registries only support dsData. Some ccTLD registries, such as .eu, .de, and .nl only support keyData. If you get an error while creating a DNSSEC record, try creating it exclusively with the dsData information. If that doesn't work, try creating it exclusively with the keyData information.
That's it! The DNSSEC record is created. Validating resolvers such as Google's 8.8.8.8 service will now check every DNS lookup to make sure your authoritative DNS server (see: How to assign nameservers) is returning records signed by the key identified by the DS record you just installed, ensuring a man-in-the-middle attack is not occurring. Because validating resolvers refuse answers that do not validate, make sure the record you enter matches the key your DNS provider is actually signing with. Your domain should now pass DNSSEC validation using a service such as https://dnssec-analyzer.verisignlabs.com/.
The following is a brief explanation of what each entry means.
- Key Tag: Used to identify the DNSSEC key for the domain
- Algorithm: Identifies the algorithm used to create the signature
- Digest Type: Identifies the algorithm used to create the digest
- Digest: The digest value
Key Data
Not all registries support keyData. If you get an error while creating a DNSSEC record, try creating it without keyData information.
- Max Sig Life: Indicates the amount of time in seconds the signature is valid
- Flags: Indicates the key type (Zone-signing or Key-signing)
- Protocol: Identifies the protocol the key is used with
- Key Data Algorithm: Identifies the algorithm for generating key data
- Public Key: Key the registry uses to encrypt the DS records