DNSSEC
DNSSEC is the extension of the DNS protocol that allows signing DNS data in order to secure the domain name resolving process. For general information about DNSSEC and its usage, visit the ICANN website and https://tools.ietf.org/html/rfc6781.
DNSSEC is designed to protect applications (and caching resolvers serving those applications) from using forged or manipulated DNS data, such as that created by DNS cache poisoning. All answers from DNSSEC protected zones are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server.
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. A Domain Name Service resolves queries for these names into IP addresses for the purpose of locating computer services and devices worldwide. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet.
You can do the following to protect DNS data of your domains with DNSSEC:
- Sign and unsign domain zones according to DNSSEC specifications
- (Optionally) Specify custom settings to be used for generation of keys
- Receive notifications
- View and copy DS resource records
- View and copy DNSKEY resource record sets.
Signing a Domain Zone
To start using DNSSEC protection of your DNS zone, sign this zone. Plesk signs the zone with automatically generated signatures using two pairs of asymmetric keys, the Key Signing Key (KSK) and the Zone Signing Key (ZSK).
Plesk Panel is the preferred choice for hosting service providers, web designers, and website owners. Plesk Obsidian 18 is the latest release from Plesk and offers a range of new benefits and features for every user type.
To sign a domain zone:
- Select the domain in Websites & Domains.
- Go to DNSSEC and click Sign the DNS Zone.
- If the zone has never been signed before, Plesk prompts you to
generate the keys that will be used to create a signature.
You can use the default values or specify custom values. See Recommended Values below.
- If you previously signed the DNS zone, you have the choice to use
previously generated keys or generate new ones. If you opt for new
keys, you can either use the default values or specify custom values.
See Recommended Values below.
Recommended values of KSK and ZSK generation settings:
- A long key and a long rollover period for the KSK. Every time the Key Signing Key is updated, you need to update the DS records in the parent zone. The recommended values help you to update DS records as seldom as possible without decreasing security.
- A shorter key and a shorter rollover period for the ZSK. The Zone Signing Key is updated automatically. The recommended values help you to save system resources without decreasing security.
- At the end of the signing procedure, Plesk displays DS records, which contain hashes of the Key Signing Keys used for signing the zone. These records must then be uploaded to the domain's respective domain registry, which, for domains registered with Webnames.ca, is done via your Webnames.ca account. See the next section for instructions.
Updating the DS Records at the Domain Registry
- Log into your Webnames.ca account
- Using the top menu, click on Account then under Domains, click Manage Domains.
- Click on the domain name you wish to configure from the list.
- Click on the DNSSEC tab.
- Under Delegation Signer (DS) Records, enter the following:
  - Keytag: the five digits after "DS"
  - Algorithm: RSA/SHA-256
  - Digest Type: SHA-256
  - Digest (Hash): the long string of text and numbers at the end of the record provided by Plesk
- Click Add new record to add additional DS Records as needed
- Click Apply
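As an added example (not part of the Webnames.ca or Plesk instructions), the Python script below derives the DS record fields (key tag, algorithm, digest type, digest) from a DNSKEY record according to RFC 4034, so the values entered at the registry can be checked against the key actually published in the zone. It assumes the DNSKEY is given in standard zone-file text form with the IN class present, and uses a constructed 4-byte stand-in for the public key rather than a real RSA key.

```python
import base64
import hashlib
import struct

def _dnskey_rdata(flags, protocol, algorithm, pubkey):
    # DNSKEY RDATA in wire format: flags (2 bytes), protocol (1), algorithm (1), public key
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(flags, protocol, algorithm, pubkey):
    # RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded back in
    acc = 0
    for i, b in enumerate(_dnskey_rdata(flags, protocol, algorithm, pubkey)):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, flags, protocol, algorithm, pubkey):
    # RFC 4034 section 5.1.4: SHA-256 over the canonical (lowercase, wire-format) owner name + DNSKEY RDATA
    labels = owner.rstrip(".").lower().split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    rdata = _dnskey_rdata(flags, protocol, algorithm, pubkey)
    return hashlib.sha256(wire_name + rdata).hexdigest().upper()

def parse_dnskey(line):
    # "example.com. IN DNSKEY 257 3 8 <base64>"; 257 = KSK (SEP bit set), 8 = RSA/SHA-256
    owner, _cls, _type, flags, proto, alg, *b64 = line.split()
    return owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64))

def ds_from_dnskey(line):
    # Build the DS fields the registry form asks for; digest type 2 is SHA-256
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    return (key_tag(flags, proto, alg, pubkey), alg, 2,
            ds_digest_sha256(owner, flags, proto, alg, pubkey))

def ds_matches(dnskey_line, ds_line):
    # Check a DS record (e.g. as typed into the registry) against the DNSKEY it is supposed to cover
    fields = ds_line.split()
    if len(fields) < 7 or fields[2].upper() != "DS":
        return False
    tag, alg, dtype = int(fields[3]), int(fields[4]), int(fields[5])
    digest = "".join(fields[6:]).upper()
    return (tag, alg, dtype, digest) == ds_from_dnskey(dnskey_line)

# Constructed sample: "AQIDBA==" is the bytes 01 02 03 04, standing in for a real public key
SAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(SAMPLE_DNSKEY)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

For a real zone, paste the DNSKEY line shown by Plesk under View DNSKEY Records as `SAMPLE_DNSKEY` and compare the printed DS record with the one Plesk displayed after signing.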
Unsigning a Domain Zone
Unsigning a domain zone turns off DNSSEC protection for that zone. You may need to unsign a zone if the keys were compromised, and then sign the zone again using new keys.
To unsign a domain zone:
- Go to Websites & Domains > select a domain > DNSSEC and click Unsign.
- Delete the DS resource records from the parent zone. Otherwise, the domain will not resolve.
Note: When you unsign a zone, the keys are not deleted from Plesk. You can sign the zone again using the same keys.
Viewing DNSKEY Resource Records
You might need to retrieve DNSKEY resource records, which contain public parts of Key Signing Keys used by a domain.
To display DNSKEY records:
- Go to Websites & Domains > select a domain > DNSSEC.
- Click View DNSKEY Records.