DNSSEC is a system for cryptographically signing the DNS records in your zone. A system that queries your zone can then use those signatures to verify that the information it received is the correct DNS information.
Does My Domain Support DNSSEC?
Any Top Level Domain (TLD) that supports DNSSEC can run DNSSEC from Dyn’s Managed DNS network. The Internet Corporation for Assigned Names and Numbers (ICANN) tracks the TLDs that support DNSSEC here: DNS TLD Report. Dyn can also serve as your domain registrar. We support DNSSEC and can act as domain registrar for the following TLDs: .com, .net, .org, .biz, .cx, and .se.
Domains that use Dyn’s advanced DNS products, such as Traffic Director, do not support DNSSEC. These products supply DNS information that is calculated dynamically (based on user location, for example), while DNSSEC is designed to support static DNS resolution requests. If you try to add DNSSEC to a domain with an advanced product, you will see the error “Another Service In the Way”.
Adding and Maintaining DNSSEC
Setting up DNSSEC on your zone includes:
- Creating your Zone Signing Keys (ZSK) record
- Creating your Key Signing Keys (KSK) record
- Creating your Delegation Signer (DS) record