What is it?

DNSSEC is a security extension of the DNS protocol. It digitally signs the information published by DNS with a set of cryptographic keys, making it harder to fake, and thus more secure.

It is strongly recommended that you do not enable this option unless you have a good understanding of what it is and does: you could easily make your domain name inoperative.

How to Install DNSSEC on Your Domain Name

The interface for managing DNSSEC is available on the management page of your domain name. If your extension is eligible, you will find a link called “Manage DNSSEC” in the “Name Servers” section, in the bottom right. You must first generate your keys. The most common method is to use the command-line tool called dnssec-keygen, distributed by the SAI, which you can run in a console session. Tutorials are available online that describe the use of this command.

Once you have generated your key, please test the server to be sure that it is working properly before continuing. When you are sure that it is behaving as expected, then submit the public key to the Registry, via the interface at Gandi:

 Key entry screen

The system will validate your key, and then send it to the registry associated with your domain name.

We left open the possibility of injecting up to 4 keys via the interface at Gandi. Obviously, it is possible to delete a given key at any time. When at least one key is active, you can simply add a new one just below the last.

 Key add screen

Once your key is accepted by the registry, signed DNS requests will be honored.

You cannot add DS keys yourself: we compute them for you from the KSK or ZSK, then send them to the registry.
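
To see what is derived from the key you submit, the following added example (not Gandi's code) computes the key tag and DS digest from one DNSKEY line of a dnssec-keygen `.key` file, following RFC 4034, so you can compare them with the DS record the registry later publishes. The SHA-256 digest type, the function names and the sample key are assumptions made for illustration; the page does not say which digest type is used.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of the owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def dnskey_to_ds(record: str) -> dict:
    """Derive the SHA-256 DS fields from one DNSKEY record line."""
    fields = record.split(";")[0].split()          # drop any trailing comment
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & 0x0100:
        raise ValueError("Zone Key bit not set: this key cannot sign zone data")
    # The base64 key may be split across several whitespace-separated chunks
    pubkey = base64.b64decode("".join(fields[i + 4:]), validate=True)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    # DS digest = hash(owner name in wire form | DNSKEY RDATA)
    digest = hashlib.sha256(name_to_wire(fields[0]) + rdata).hexdigest().upper()
    return {
        "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit set means KSK
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": 2,                            # 2 = SHA-256 (assumed here)
        "digest": digest,
    }

# Constructed sample: well-formed algorithm 13 record with placeholder key bytes,
# not a real key. Replace it with the line from your own .key file.
SAMPLE = ("example.com. 3600 IN DNSKEY 257 3 13 "
          + base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    ds = dnskey_to_ds(SAMPLE)
    print(f"{ds['role']}: example.com. IN DS {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest']}")
```

If the key tag or digest published at the registry differs from what you compute locally, resolvers that validate will fail to build the chain of trust and the domain will stop resolving for them.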

Who can use DNSSEC?

Anyone technical enough to generate the keys themselves, and set them up. You need to be able to manage and administer your own DNS, because our hosted DNS does not allow you to manage DNSSEC directly. Our secondary DNS poses no problem, however, so you can set up your own primary and allow ns6 to obtain the zone file as usual. Finally, some extensions do not support DNSSEC or have not yet been implemented under the method we use at Gandi. Your domain name must be in one of these extensions:

Some extensions can handle DNSSEC, but are not yet instrumented to work with Gandi. The following extensions will be added in an upcoming release (feel free to write to our support if you would like us to support an extension in particular):