DNSSEC Glossary
DNSSEC Term | Useful Information |
---|---|
Zone Signing Key (ZSK) | Used to sign other records. It is generally recommended that this key roll over once every month. On Dyn’s Managed DNS, this is done automatically with a new key generated one week prior to its expiration. No action is required by you to maintain this record. |
Key Signing Key (KSK) | Used to sign the DNSKEY records. It is recommended that this key roll over once every year. Dyn’s Managed DNS will automatically generate this key one week prior to its expiration. No action is required by you to maintain this record. |
Delegation Signer Record (DS) | Generated from the KSK, the DS must be published by the registry. This is the record that is given to the registrar, who handles publishing it to the registry. Once a year when the KSK is rolled over, a new DS record is created that must be uploaded manually to the registrar. This requires customer action. |
Note: At a minimum, the ZSK and KSK must be generated with the RSA-SHA1 algorithm per RFC 4034. If you want additional (stronger) algorithms to be used, you can create them. All other algorithm records are optional. The ZSK and KSK records are required, and they must be generated with RSA-SHA1 on the zone.
Annual Required Maintenance
Once a year, a new DS record is generated. The registry needs to be given the new DS record in order for the rollover to occur. Here are the information and the steps you need to follow in order to perform this annual maintenance. See Registering DNSSEC For Your Domain for more information.
See Update DNSSEC for additional information about key generation.
1. One week prior to expiration, a new KSK and DS record are generated.
Note: You may receive an email notification prior to the key generation date or expiration date.
2. Upload the new DS record to your registrar and remove the old DS record.
3. You can test whether the registry has the new DS record by running `dig +trace <your-domain> DS`.
4. The new DS record should appear in the output you receive.
5. The DS record in the `dig +trace` output should match what Dyn’s Managed DNS shows for your domain.
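The comparison in step 5 can be automated: recompute the DS record from the KSK that your DNS provider publishes and check it against the DS set the parent zone returns, flagging any stale DS left over from last year's KSK. The script below is an added example, not Dyn's code or tooling. The DNSKEY values (`AQID`, `BAUG`) and the DS lines are constructed test data, not real keys, and the "registry" output is simulated in `demo()`; the DS line format assumed is the one `dig +trace <your-domain> DS` prints (owner, TTL, class, `DS`, key tag, algorithm, digest type, hex digest).

```python
# Added example (not Dyn's code): recompute the DS record from the KSK that the
# DNS provider publishes and compare it with the DS records the parent zone
# returns (step 5 above). The DNSKEY and DS values below are constructed test
# data, not real keys.
import base64
import hashlib
import struct

# DS digest types from the "Digest Types" table: 1 = SHA-1, 2 = SHA-256
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}
SEP_FLAG = 0x0001  # "Secure Entry Point" bit, set on a KSK (flags value 257)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed, then the root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   key_b64: str, digest_type: int) -> tuple:
    """DS RDATA derived from a DNSKEY: (key tag, algorithm, digest type, hex digest).
    The digest covers the canonical owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_ds_line(line: str) -> tuple:
    """Parse one DS line of dig output; dig may split the hex digest with whitespace."""
    fields = line.split()
    i = fields.index("DS")
    tag, algorithm, digest_type = (int(f) for f in fields[i + 1:i + 4])
    return (tag, algorithm, digest_type, "".join(fields[i + 4:]).upper())


def check_ds(owner: str, dnskeys: list, dig_output: str) -> dict:
    """Compare the DS set the parent publishes with the DS records derived from the current KSK(s)."""
    expected = {
        ds_from_dnskey(owner, flags, proto, alg, key, dt)
        for flags, proto, alg, key in dnskeys
        if flags & SEP_FLAG            # only KSKs are referenced by DS records
        for dt in DIGEST_TYPES
    }
    published = {parse_ds_line(l) for l in dig_output.splitlines() if " DS " in l}
    matched = expected & published
    return {
        "matched": matched,
        "stale": published - expected,   # DS records for keys that are no longer current (old KSK)
        "covered": bool(matched),        # at least one published DS points at a current KSK
    }


# Constructed demo data. The "registry" output is simulated: it carries a DS
# derived from the current KSK plus a stale DS left over from last year's KSK.
OWNER = "example.com."
CURRENT_KSK = (257, 3, 8, "AQID")   # flags, protocol, algorithm 8 (RSA/SHA-256), constructed key
CURRENT_ZSK = (256, 3, 8, "BAUG")   # ZSK: ignored, since DS records derive from the KSK only
STALE_DS_LINE = "example.com.  86400  IN  DS  12345 8 1 " + "AB" * 20  # constructed old DS


def demo() -> dict:
    tag, alg, dt, digest = ds_from_dnskey(OWNER, *CURRENT_KSK, 2)
    dig_output = "\n".join([
        f"{OWNER}  86400  IN  DS  {tag} {alg} {dt} {digest[:32]} {digest[32:]}",
        STALE_DS_LINE,
    ])
    return check_ds(OWNER, [CURRENT_KSK, CURRENT_ZSK], dig_output)


if __name__ == "__main__":
    result = demo()
    print("current KSK covered by a published DS:", result["covered"])
    for ds in sorted(result["stale"]):
        print("stale DS still published at the parent; remove it at the registrar:", ds)
```

To use it against a real zone, replace the constructed tuples with the DNSKEY record your DNS provider shows for the zone (flags, protocol, algorithm, base64 key) and pass the text of `dig +trace <your-domain> DS` to `check_ds`. `covered` being false after step 2 means the registry has not yet published the new DS; a non-empty `stale` set means the old DS has not yet been removed.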
Algorithms and Digest Types
Algorithms
Algorithm # | Name | Status |
---|---|---|
3 | DSA/SHA1 | Optional |
5 | RSA/SHA-1 | Mandatory |
6 | DSA-NSEC3-SHA1 | Not Available for Dyn’s DNSSEC Service |
7 | RSASHA1-NSEC3-SHA1 | Not Available for Dyn’s DNSSEC Service |
8 | RSA/SHA-256 | Optional |
10 | RSA/SHA-512 | Optional |
Digest Types
# | Digest Type | Status |
---|---|---|
1 | SHA-1 | Mandatory |
2 | SHA-256 | Supported (Optional) |