FAQs – DNSSEC
- Can I use DNSSEC?
- Do I need DNSSEC?
- How do I use DNSSEC?
- What is DNSSEC?
- What is a DS Record?
- What is the Chain of Trust?
- What are keyrollovers?
- Who supports DNSSEC?
- Will implementing DNSSEC affect my website's performance?
You can use GKG.NET's DNSSEC support if:
- The domain is registered with or is transfered to GKG
- The domain's registry supports DNSSEC
- You use custom, non-GKG DNS Hosting software and nameservers with control over zone signatures
Your DNS software will generate your Zone Signing Key (ZSK) and Key Signing Key (KSK). Using either our graphic interface or RESTful API, you can submit your DS records to the domain's parent zone, indicating which keys are valid for your zone.Back to top Do I need DNSSEC?
If your website processes or stores personal, financial, or private information, we recommend that you take advantage of DNSSEC to protect yourself and your customers.Back to top How do I use DNSSEC?
You will first need to generate two sets of keys composed of randomized alpha-numeric characters. Both of these keys will have a public and private component. The public components will be published in a DNSKEY record. Your DNS software should do all of this for you.
Once those keys are published in your zone file, you will need to submit your DS records to the parent zone (.com, .net, .org, etc.). We offer two ways for you to do this:
- A graphic interface at https://www.gkg.net/protected/domain/modify where you can simply copy and paste your keys to submit them directly.
- A RESTful API that allows you to manage your DS records programatically.
Using either of these formats, GKG will submit your DS records to the parent zone, which will then begin authenticating your domain by matching the keys you have submitted with those published in your zone file. Back to top What is DNSSEC?
DNSSEC stands for DNS Security Extensions. These 'extensions' add keys and signatures to the current DNS (Domain Name System) protocol.
Basically, when your browser searches the Internet to find a website, DNSSEC enables a website to be verified by a series of signatures. Your domain name will have a unique security key, part of which is stored in the domain registry's servers. When someone searches for your website, those servers authenticate your domain by matching your security keys to ensure the visitor is not redirected to a false website.Back to top What is a DS Record?
Delegation Signer (DS) Records tells your domain's parent zone which DNSKEY records are valid to generate RRSIG's. DS Records contain the:
- KSK keytag
- KSK Algorithm Number
- Digest Type of the DS record
- and the computed Digest
These should all be generated by your DNS software and simply copied and pasted into the necessary fields for each DS Record submission.Back to top What is the Chain of Trust?
The Chain of Trust is the cooperation and participation of all the internet servers involved in directing a URL request to the correct web address. To guide you to the domain name you typed or clicked in your browser, the internet's root servers, domain registry's servers, and the domain's authoritative nameservers all play a role in DNSSEC. It is the relationship between these servers, each authenticating the other, that forms the Chain of Trust.Back to top What are keyrollovers?
Keyrollovers are are simply new keys that are submitted within strategic intervals to maximize your domain's security. This is very similar to changing an accounts password every once in a while to keep it from being hacked.
It is recommended that the ZSK be rolled over every 30-90 days. The KSK is recommended to be rolled over every year.Back to top Who supports DNSSEC?
Adoption of DNSSEC support is a slow process but the domains we offer that currently support DNSSEC are: .com, .net, .us, .biz, .org, .cc and .tv. Slowly but surely more domain registry's as well as domain registrars will offer DNSSEC support.Back to top Will implementing DNSSEC affect my website's performance?
Only if you make a mistake. In order to properly implement DNSSEC, the key information stored in the domain's nameservers MUST match the key information submitted in your DS records to the parent zone. Otherwise your website will not verify and will be considered fraudulent.
You also need to be careful when doing keyrollovers. Proper keyrollover procedure is:
- Publish new DS record (Don't delete the old one yet)
- Generate new RRSIGs using new DS record
- Wait for TTL to expire
- Remove previous DS Record
This ensures that the DNS has time to recognize the new DS record before getting rid of the old one.Back to top