DNSSEC Glossary


DNSSEC Term | Useful Information
Zone Signing Key (ZSK) | Used to sign other records. It is generally recommended that this key roll over once every month. On Dyn’s Managed DNS, this is done automatically, with a new key generated one week prior to its expiration. No action is required by you to maintain this record.
Key Signing Key (KSK) | Used to sign other DNSKEY records. It is recommended that this key roll over once every year. Dyn’s Managed DNS will automatically generate this key one week prior to its expiration. No action is required by you to maintain this record.
Note: At a minimum, the ZSK and KSK must be generated with the RSA-SHA1 algorithm per RFC 4034. If you want additional (stronger) algorithms to be used, you can create them. All other algorithm records are optional. The ZSK and KSK records are required, and they must be generated with RSA-SHA1 on the zone.
Delegation Signer Record (DS) | Generated from the KSK, the DS must be published by the registry. This is the record that is given to the registrar, who handles publishing it to the registry. Once a year, when the KSK is rolled over, a new DS record is created that must be uploaded manually to the registrar. This requires customer action.



Annual Required Maintenance

Once a year, a new DS record is generated. The registry needs to be given the new DS record in order for the rollover to occur. Below are the information and the steps you need to follow to perform this annual maintenance. See Registering DNSSEC For Your Domain for more information.

See Update DNSSEC for additional information about key generation.

1. One week prior to expiration, a new KSK and DS record are generated.
Note: You may receive an email notification prior to the key generation date or expiration date.

2. Upload the new DS record to your registrar and remove the old DS record.
3. You can test whether the registry has the new DS record by running dig ds +trace for your domain.
4. The new DS record should be in the information you receive.
5. The DS record in the dig +trace output should match what Dyn’s Managed DNS shows for your domain.
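
Steps 3 to 5 compare the DS published by the registry with the one derived from your KSK. The Python below is an added example (not Dyn's code) that builds the DS the way RFC 4034 defines it and checks it against a DS line copied from dig output. The sample key, owner name and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # digest types listed on this page

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    parts = [p for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def parse_ds_line(line):
    """Parse one DS answer line as printed by dig; the digest may contain spaces."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return tag, alg, dtype, "".join(fields[i + 4:]).upper()

def ds_matches(line, owner, flags, protocol, algorithm, pubkey_b64):
    """True if the DS line from the parent matches the DS derived from the KSK."""
    published = parse_ds_line(line)
    if published[2] not in DIGESTS:
        return False  # digest type not covered by this example
    return published == make_ds(owner, flags, protocol, algorithm, pubkey_b64, published[2])

# Constructed sample: a 4-byte placeholder key, not a usable RSA key.
KSK = ("example.com.", 257, 3, 5, "AQIDBA==")
if __name__ == "__main__":
    ds = make_ds(*KSK, digest_type=1)
    line = "example.com. 86400 IN DS %d %d %d %s" % ds
    print(line, ds_matches(line, *KSK))
```

A mismatch on the key tag or digest after a rollover means the registry is still serving the old DS record.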



Algorithms and Digest Types


Algorithm # | Name | Status
3 | DSA/SHA1 | Optional
5 | RSA/SHA-1 | Mandatory
6 | DSA-NSEC3-SHA1 | Not Available for Dyn’s DNSSEC Service
7 | RSASHA1-NSEC3-SHA1 | Not Available for Dyn’s DNSSEC Service
8 | RSA/SHA-256 | Optional
10 | RSA/SHA-512 | Optional



Digest Types
# | Digest Type | Status
1 | SHA-1 | Mandatory
2 | SHA-256 | Supported (Optional)
