If you’ve activated DNSSEC with your DNS provider, you must create complementary DS records within your domain registration.

When you sign a zone on your nameserver to enable DNSSEC, the Delegation Signer (DS) resource record must be propagated to the parent of the zone (in this case, the TLD registry) in order to establish a chain of trust to your zone. The DS record contains a digest of your DNSSEC Key Signing Key (KSK), and acts as a pointer to the next key in the chain of trust.

We recommend you create two DS records per algorithm that you plan to support: one for the DS record currently in use and another for the next DS record, to be used after the current record expires.

Creating a DS Record

1. Log into your Dyn account.
2. Select My Zones/Domains from the My Services column.
3. Click the name of the domain on which you want to set up a DS record.
4. Click Create New DS Record.
5. Enter the following information:

New Key Tag
The key tag is a number used to quickly identify this DS record. It is generated by your DNSSEC zone signing tools. Valid format is a number between 1 and 65535.
DNSKEY Algorithm
Identifies the public key’s cryptographic algorithm and determines the format of the Public Key field. It is generated by your DNSSEC zone signing tools.
Digest Type
Identifies the algorithm used to construct the digest. It is generated by your DNSSEC zone signing tools.
Key Digest
The DS record refers to a DNSKEY resource record by including a digest of that DNSKEY resource record. It is generated by your DNSSEC zone signing tools.
6. Click Create New DS Record to commit the changes to your registration.
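
The Key Tag and Key Digest entered in step 5 can be recomputed from the KSK's DNSKEY record before you submit them, since a DS record that does not match the published DNSKEY leaves validating resolvers unable to validate the zone. The Python script below is an added example, not Dyn's code or output from your signing tools; it follows the key tag and digest definitions in RFC 4034, and the function names, the owner name example.com and the sample key bytes are constructed for illustration.

```python
import base64
import hashlib
import struct

# Digest Type numbers -> hash functions (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(owner):
    """Canonical wire form of the owner name: lowercased, length-prefixed labels."""
    labels = [l for l in owner.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """Key Digest = hash(owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def check_ds(owner, dnskey, ds):
    """True if ds = (key_tag, algorithm, digest_type, digest) matches dnskey =
    (flags, protocol, algorithm, pubkey_b64) for the given owner name."""
    rdata = dnskey_rdata(*dnskey)
    tag, algorithm, digest_type, digest = ds
    return (tag == key_tag(rdata) and algorithm == dnskey[2]
            and digest.replace(" ", "").upper() == ds_digest(owner, rdata, digest_type))

# Constructed sample input: 64 placeholder bytes standing in for an
# algorithm 13 (ECDSA P-256) KSK public key; not a real key.
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    rdata = dnskey_rdata(*SAMPLE_DNSKEY)
    ds = (key_tag(rdata), 13, 2, ds_digest("example.com.", rdata, 2))
    print("example.com. IN DS %d %d %d %s" % ds)
    print("matches DNSKEY:", check_ds("example.com.", SAMPLE_DNSKEY, ds))
```

To check a real record, pass the flags, protocol, algorithm and base64 public key from your zone's KSK DNSKEY record, together with the four values you intend to enter in the form, to `check_ds`.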



Modifying a DS Record

1. Log into your Dyn account.
2. Select My Zones/Domains from the My Services column.
3. Click the name of the domain on which you want to set up a DS Record.
4. Click the Key Tag of the DS Record you would like to modify.
5. Make the appropriate changes in the form:

DNSKEY Algorithm
Identifies the public key’s cryptographic algorithm and determines the format of the Public Key field. It is generated by your DNSSEC zone signing tools.
Digest Type
Identifies the algorithm used to construct the digest. It is generated by your DNSSEC zone signing tools.
Key Digest
The DS record refers to a DNSKEY resource record by including a digest of that DNSKEY resource record. It is generated by your DNSSEC zone signing tools.
6. Click Save DS Record to commit the changes to your registration.



Deleting a DS Record

1. Log into your Dyn account.
2. Select My Zones/Domains from the My Services column.
3. Click the name of the domain from which you want to remove the DS record.
4. Click the Key Tag of the DS record you would like to remove.
5. Click Delete DS records with this Key Tag.
