We were one of the first registrars to participate in testing and signed our own domain with DNSSEC. We are now officially opening DNSSEC signing to all our customers. You can use it both in our DNS administrator and by signing your domain on third-party DNS servers.
If the domain is delegated to our DNS servers, then the use of DNSSEC will be automatic. It is enough to click on the “Activate DNSSEC” button, and everything else will be set up automatically.
We have implemented DNSSEC on our free DNS servers. Thus, all RX-NAME clients can now use DNSSEC with their domain names.
What is DNSSEC?
DNSSEC is an extension of DNS that lets a resolver verify that the response from a DNS server is authentic and has not been altered, so that you connect to the address the domain owner actually published. DNSSEC protects against false IP addresses and is a reliable method of combating phishing.
Which domain zones support DNSSEC?
Currently, DNSSEC can be used to protect domains in the .UA, .ORG, .COM.UA, .COM, .NET, .NAME, and .ME zones.
How does DNSSEC work?
DNSSEC can be compared to a digital signature. As with a digital signature, DNSSEC uses a public key and a private key. The private key signs the records served by the DNS server, and the public key is used to check those signatures.
The key is divided into two parts: public and private. The private part is used to create an electronic signature. Only the key user has access to it, and it is stored in a secure location.
The public part is used to check signatures made with the private part of the key, and it can be published. Although the public part is derived from the private part of the key, it is impossible to calculate the private part from the public part.
There are two types of keys for DNSSEC:
Key Signing Key (KSK). As the name suggests, it is used to sign ZSK keys. This type of key secures the chain of trust from your domain zone to the parent zone.
Zone Signing Key (ZSK). As with the KSK, the name speaks for itself. It is used to sign resource records in domain zones. Usually, they are signed with one key, but there are cases where several keys are used. For example, if the digital signature uses different algorithms, each algorithm will require its own key. It should be emphasized that the DNSSEC key used to sign domain zones is associated with the DNS server of the zone, not with the zone itself.
How to enable DNSSEC for a domain?
In RX-NAME, users can enable DNSSEC for their domains in the control panel under “Domain Management” -> “DNS Administrator”.
If your domain is registered with RX-NAME but delegated to third-party DNS servers, you can click on “Enable DNSSEC Security” and then add the DNSKEY (DS) records for your zone in the DS records section.
Done! You have set up DNSSEC.
How to turn off DNSSEC?
It is enough to click on the “Disable DNSSEC” button, and all records will be deleted automatically.