Managing DNSSEC

Domain Name System Security Extensions (DNSSEC) is a technology that digitally signs a domain's DNS records to protect against forged DNS data. The goal is to provide assurance that the DNS records a user receives are the same as the DNS records published on the DNS server. The default Enom nameservers do not support DNSSEC, so you will need to use third-party nameservers if you would like to enable it.

Components of a DNSSEC record

There are six components to a Delegation Signer (DS) record.

  1. Domain Name
  2. Time to live (TTL)
  3. Key Tag: A numerical value used to identify the DNSSEC record.
  4. Algorithm: The algorithm used to generate the signature.
    • 3 for DSA/SHA1
    • 5 for RSA/SHA1
    • 6 for DSA-NSEC3-SHA1
    • 7 for RSASHA1-NSEC3-SHA1
    • 8 for RSA/SHA-256
    • 9 for RSA/SHA-512
    • 13 for ECDSA/SHA-256
    • 15 for ED25519
    • 16 for ED448
  5. Digest Type: The algorithm type that was used to construct the digest.
    • 1 for SHA-1
    • 2 for SHA-256
  6. Digest: A string value generated by the algorithm.

The TTL is not used on the Enom side, but the other components are required to add DNSSEC to a domain at Enom.
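
As an added example (not Enom's code and not part of the original article), the Python below parses a DS record line, as a DNS provider would typically supply it, into the components listed above and rejects values outside the article's lists. Going one step beyond the article, it also recomputes the key tag and digest from the matching DNSKEY per RFC 4034, so the two can be compared before the record is submitted. The function names and the 4-byte sample key are assumptions made for illustration.

```python
import base64, hashlib, re

ALGORITHMS = {3, 5, 6, 7, 8, 9, 13, 15, 16}      # numbers listed in the article
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # digest types in the article

def parse_ds(line):
    """Parse 'owner [ttl] [class] DS tag alg type digest' and validate it."""
    # Drop comments and the parentheses of multi-line presentation format.
    tok = re.sub(r";.*", "", line).replace("(", " ").replace(")", " ").split()
    kinds = [t.upper() for t in tok[1:]]
    if "DS" not in kinds:
        raise ValueError("not a DS record")
    at = kinds.index("DS") + 1
    head, rdata = tok[1:at], tok[at + 1:]
    if len(rdata) < 4:
        raise ValueError("need key tag, algorithm, digest type and digest")
    ds = {"domain": tok[0].rstrip(".").lower(),
          "ttl": next((int(t) for t in head if t.isdigit()), None),
          "key_tag": int(rdata[0]), "algorithm": int(rdata[1]),
          "digest_type": int(rdata[2]), "digest": "".join(rdata[3:]).upper()}
    if not 0 <= ds["key_tag"] <= 0xFFFF:
        raise ValueError("key tag must fit in 16 bits")
    if ds["algorithm"] not in ALGORITHMS:
        raise ValueError("algorithm number is not in the article's list")
    if ds["digest_type"] not in DIGESTS:
        raise ValueError("digest type must be 1 or 2")
    want = DIGESTS[ds["digest_type"]]().digest_size * 2
    if not re.fullmatch("[0-9A-F]{%d}" % want, ds["digest"]):
        raise ValueError("digest must be %d hex characters" % want)
    return ds

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Recompute (key tag, digest) from a DNSKEY (RFC 4034 5.1.4, Appendix B)."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    tag = (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF
    # Owner name in canonical wire format: lower-cased, length-prefixed labels.
    wire = b"".join(bytes([len(p)]) + p.encode()
                    for p in owner.rstrip(".").lower().split(".")) + b"\0"
    return tag, DIGESTS[digest_type](wire + rdata).hexdigest().upper()

if __name__ == "__main__":
    # Constructed sample: a 4-byte stand-in "public key", not a real DNSKEY.
    tag, digest = ds_from_dnskey("example.com.", 257, 3, 13, "AAECAw==", 2)
    ds = parse_ds("example.com. 3600 IN DS %d 13 2 ( %s )" % (tag, digest))
    for name in ("domain", "key_tag", "algorithm", "digest_type", "digest"):
        print("%s: %s" % (name, ds[name]))
```

If the key tag or digest recomputed from the zone's DNSKEY differs from the DS record you were given, resolve the mismatch with the DNS provider before submitting it, because a DS record that does not match the published key causes validating resolvers to reject the domain's answers.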



If your DNS provider has enabled DNSSEC support, they will provide you with a corresponding Delegation Signer (DS) record that must be added to the appropriate registry's DNS zone.

There is no method for adding a DNSSEC record to an Enom domain from the user interface. If you have access to the Enom API from a reseller account, you can use the AddDNSSec API call to add the DNSSEC record to the domain. 

If you do not have access to our reseller API, you must submit a verified support request. Include the DS record to add DNSSEC to the domain. Use this format in the body of the request to ensure all of the necessary information is present:

Digest Type: 

Support will add the record to the domain using this information. 


Removing DNSSEC

If you need to remove DNSSEC, there are two options.

  • If you have a reseller account, use the DeleteDNSSec call.
    Note: As mentioned in the API documentation, the call must include the key, algorithm, digest and digest type parameters. Get these using the GetDNSSec call.
  • If you do not have access to the API, submit a verified support request asking to have DNSSEC removed from the domain in question.


Verifying DNSSEC

Many registries (Verisign, for example) show the signed delegation information in a Whois lookup. External, third-party tools are available to view DNSSEC information, such as the Verisign Labs DNSSEC Analyzer or DNSViz, as well as command-line tools such as dig. A simple dig to check for the DS record and DNSSEC information could be (replace example.com with your domain):

dig DS example.com +dnssec

These tools should be used to look up a domain's current DNSSEC information to check if it has been successfully added or to view an updated DNSSEC record after any changes.
