How to install DNSSEC
DNSSEC is a way to digitally "sign" your DNS data, preventing man-in-the-middle DNS attacks. If you have been provided with a DNSSEC record from your DNS provider, you can use the following steps to install it.
Porkbun's authoritative DNS does not support DNSSEC, however, we can install the registry-level record for you as provided by your third-party DNS provider, such as Cloudflare. You can find more information on Cloudflare DNSSEC here.
- Log in. You should arrive at the Domain Management screen. If you're already logged in, click on ACCOUNT in the top-right corner and select Domain Management.
- Locate your domain and click the drop-down list to the right. On the menu that appears, click the "Manage" option next to "DNSSEC".
- On the "Domain Name System Security" screen you can enter the required information, then select the green "Create" button at the bottom left of the page.
Please note that not all registries support keyData. If you get an error while creating a DNSSEC record, try creating it without keyData information. If that doesn't work, try creating it with exclusively the keyData information.
That's it! The DNSSEC record is created. Resolvers such as Google's 126.96.36.199 service will now check every DNS lookup to make sure your authoritative DNS server (see: How to assign nameservers) is returning records signed by the DNSSEC record you just installed, ensuring a man-in-the-middle attack is not occurring. Your domain should now pass DNSSEC validation using a service such as https://dnssec-analyzer.verisignlabs.com/
The following is a brief explanation of what each entry means.
- Key Tag
- Used to identify the DNSSEC for the domain
- Identifies the algorithm used to create the signature
- Digest Type
- Identifies the algorithm used to create the digest
- Digest integer value
Not all registries support keyData. If you get an error while creating a DNSSEC record, try creating it without keyData information.
- Max Sig Life
- Indicates the amount of time in seconds the signature is valid
- Indicates the key type (Zone-signing or Key-signing)
- Identifies the protocol for the key match-up
- Key Data Algorithm
- Identifies the algorithm for generating key data
- Public Key
- Key the registry uses to encrypt the DS records