Domain Name System Security Extensions (DNSSEC) is a technology that digitally signs a domain's DNS to protect against forged DNS data. Its goal is to provide assurance that the DNS records delivered to a user match the DNS records published on the DNS server. This article explains the components of a DNSSEC record and how to add, remove, and verify DNSSEC on an Enom domain.
Warning: The default Enom nameservers do not support DNSSEC. To enable it, you must use third-party nameservers.
Components of a DNSSEC record
A Delegation Signer (DS) key has six components.
- Domain Name.
- Time to live (TTL).
- Key Tag: A numerical value used to identify the DNSSEC record.
- Algorithm: The algorithm used to generate the signature.
  - 3 for DSA/SHA1
  - 5 for RSA/SHA1
  - 6 for DSA-NSEC3-SHA1
  - 7 for RSASHA1-NSEC3-SHA1
  - 8 for RSA/SHA-256
  - 9 for RSA/SHA-512
  - 13 for ECDSA/SHA-256
  - 15 for ED25519
  - 16 for ED448
- Digest Type: The algorithm type used to construct the digest.
  - 1 for SHA-1
  - 2 for SHA-256
- Digest: A string value generated by the algorithm.
Note: The TTL is not used on the Enom side, but the other components are required to add DNSSEC to a domain at Enom.
Adding DNSSEC
If your DNS provider has enabled DNSSEC support, they will provide a corresponding Delegation Signer (DS) record that must be added to the appropriate registry's DNS zone.
There is no method for adding a DNSSEC record to an Enom domain from the user interface. If you have access to the Enom API from a reseller account, use the AddDNSSec API call to add the DNSSEC record to the domain.
If you do not have access to the reseller API, submit a verified support request. Include the DS record to add DNSSEC to the domain, using this format in the body of the request to ensure all necessary information is present:
Domain:
Key:
Algorithm:
Digest Type:
Digest:
Support will add the record to the domain using this information.
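A DS record that does not match the zone's DNSKEY makes the domain fail validation on validating resolvers, so it is worth checking the DS record from your DNS provider before submitting it. The Python below is an added example, not Enom's code or part of its API: it recomputes the key tag (RFC 4034 Appendix B) and the digest from a DNSKEY, compares them with the DS record, and builds the request body in the format above. The key is a constructed placeholder, and mapping the "Key" field to the key tag is an assumption.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # digest types from the list above

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: folded 16-bit sum over the RDATA bytes."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(domain):
    """Canonical owner name: lowercased, length-prefixed labels, root terminator."""
    labels = domain.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(domain, rdata, digest_type):
    """(key tag, algorithm, digest type, digest) that the parent should publish."""
    digest = DIGESTS[digest_type](owner_wire(domain) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def parse_ds(line):
    """Split 'name [TTL] [IN] DS tag alg type digest' into its components."""
    f = line.split()
    i = f.index("DS")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()

def check_ds(ds_line, rdata):
    """True only if every DS field matches what the DNSKEY actually produces."""
    domain, tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGESTS:
        raise ValueError(f"unsupported digest type {dtype}")
    return (tag, alg, dtype, digest) == make_ds(domain, rdata, dtype)

def request_body(ds_line):
    """Request body in the article's format; 'Key' = key tag is an assumption."""
    domain, tag, alg, dtype, digest = parse_ds(ds_line)
    return (f"Domain: {domain.rstrip('.')}\nKey: {tag}\nAlgorithm: {alg}\n"
            f"Digest Type: {dtype}\nDigest: {digest}")

# Constructed sample: a 64-byte placeholder, not a real ECDSA key.
SAMPLE_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
SAMPLE_DS = "example.com. 3600 IN DS %d %d %d %s" % make_ds("example.com", SAMPLE_KEY, 2)

if __name__ == "__main__":
    print(SAMPLE_DS)
    print("DS matches DNSKEY:", check_ds(SAMPLE_DS, SAMPLE_KEY))
    print(request_body(SAMPLE_DS))
```

In practice the DNSKEY fields come from the zone's published key-signing key (for example from `dig DNSKEY example.com`) and the DS line from your DNS provider.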
Removing DNSSEC
To remove DNSSEC, you have two options.
- If you have a reseller account, use the DeleteDNSSec call.
Note: As stated in the API documentation, the call must include the key, algorithm, digest, and digest type parameters. Get these using the GetDNSSec call.
- If you do not have access to the API, submit a verified support request asking to have DNSSEC removed from the domain in question.
Verifying DNSSEC
Many registries, such as Verisign, show the signed delegation information in a Whois lookup. External, third-party tools are available to view DNSSEC information, such as the Verisign Labs DNSSEC Analyzer and DNS Viz, as well as command-line tools such as dig. A simple dig to check for the DS record and DNSSEC information could be:
dig DS +dnssec example.com
Use these tools to look up a domain's current DNSSEC information to confirm it has been added successfully or to view an updated DNSSEC record after any changes.
Next steps
Questions? Contact Enom Support.