Configuring DNSSEC in Storefront for Registrants and Resellers

This article provides instructions for both registrants and resellers.

DNSSEC stands for DNS Security Extensions, and it is designed to protect Internet resolvers (clients) from forged DNS in order to prevent DNS tampering. DNSSEC works by digitally signing the DNS records at the authoritative DNS server. By checking the digital signature, a DNS resolver knows whether the information it receives is identical (correct and complete) to the information on the authoritative DNS server. This attests to the validity of the address, and ensures that the site you visit is the one you intended to go to rather than a site where your personal information could be compromised. If the DNS cannot be authenticated, your browser won't display the site.

Your DNS provider supplies the DNSSEC values that you enter for your domains.

Note: OpenSRS does not do any DNSSEC validation; we simply pass the DNSSEC values on to the registry. If SystemDNS nameservers are being used, DNSSEC is not supported.

You cannot assign DNSSEC values to the domain at the time that you register it, but once the domain is registered, you can modify it and add the DNSSEC values.  There is no charge for this service.

1. Visit your service provider's website and click Manage.

2. Log in with your domain account.

3. Under Edit, by the domain you are working with, click DNS.

4. Under Name Servers, click If you would like to modify DNSSEC information for your domain, click here.

5. In Edit DNSSEC Records, click Add Record.

6. Complete the four fields with information obtained from the DNS provider:

• Key Tag: An integer value that is used to identify the DNSSEC record.
• Algorithm Type: From the drop-down list, choose the algorithm used to generate the signature.
• Digest Type: From the drop-down list, choose the algorithm type that was used to construct the digest.
• Digest: A string value generated by the algorithm.

7. Click Save.

Follow login steps above.

When you reach the Edit DNSSEC Records section, you may edit any desired information, or click Remove next to an existing record.  Then, click Save.

1. Log into Storefront via the Resellers Control Panel or RWI.

2. Go to Domains.

3. Click the domain for which you want to add DNSSEC.

4. Click the user name.

5. Click Click here to log in as this user.

6. Under Edit, by the domain you are working with, click DNS.

7. Under Name Servers, click If you would like to modify DNSSEC information for your domain, click here.

8. In Edit DNSSEC Records, click Add Record.

9. Complete the four fields with information obtained from the DNS provider:

• Key Tag: An integer value that is used to identify the DNSSEC record.
• Algorithm Type: From the drop-down list, choose the algorithm used to generate the signature.
• Digest Type: From the drop-down list, choose the algorithm type that was used to construct the digest.
• Digest: A string value generated by the algorithm.

10. Click Save.

Follow steps 1-7 above.

When you reach the Edit DNSSEC Records section, you may edit any desired information, or click Remove next to an existing record.  Then, click Save.

For domains being transferred in, DS records will be maintained and carried over to OpenSRS.

DNSSEC can be managed by resellers and registrants for a growing list of TLDs.  Please see the gTLD and ccTLD reference chart for specifics.