DNSSEC
What is it?

DNSSEC is a security extension of the DNS protocol. The records a zone publishes are digitally signed with a set of cryptographic keys, so that a validating resolver can check that the answers it receives really come from the zone's operator and have not been altered in transit. Note that DNSSEC authenticates DNS data; it does not encrypt or hide it.

It is strongly recommended that you do not enable this option unless you have a good understanding of what it is and does: a mistake (for example, a DS record at the registry that no longer matches a key signing your zone) can make your domain name unresolvable.

How to Install DNSSEC on Your Domain Name

The interface for managing DNSSEC is available on the management page of your domain name. If your extension is eligible, you will find a link called "Manage DNSSEC" in the "Name Servers" section, at the bottom right. You must first generate your keys. The most common method is the command-line tool dnssec-keygen, distributed by ISC as part of BIND, which you run in a console session. Tutorials that describe the use of this command are available online.

Once you have generated your keys, sign your zone with them and test that your name servers return the signed records correctly before continuing. When you are sure that everything is behaving as expected, submit the public key (the DNSKEY record) to the registry via the interface at Gandi:

(Screenshot: key entry screen)

The system checks the submitted key and then sends it to the registry associated with your domain name.

Up to 4 keys can be submitted via the interface at Gandi. Any key can be deleted at any time. When at least one key is active, you can add a new one just below the last.

(Screenshot: key add screen)

Once the registry has accepted your key and published the corresponding DS record in the parent zone, validating resolvers will be able to authenticate the signed answers from your zone.

You cannot enter DS records yourself: Gandi computes the DS record from the KSK (or ZSK) you submit, then sends it to the registry on your behalf. In normal practice the DS should point at the KSK, the key whose SEP flag is set (flags value 257).
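To make the key-submission and DS steps concrete, here is an added example in Python (not Gandi's code, and not part of the original page) that reproduces the computation Gandi performs on a submitted DNSKEY: it parses the record in the presentation format that dnssec-keygen writes to its K<name>+<alg>+<tag>.key file, derives the key tag (RFC 4034 Appendix B), and builds the DS record (RFC 4034 section 5.1.4, with SHA-256 digests as in RFC 4509). The owner name example.com and the 64-byte key material are constructed placeholders, not a real key; the function names are the example's own.

```python
import base64
import hashlib
import struct

# Added example (not Gandi's code): reproduces the DS computation that a
# registrar performs on the DNSKEY you submit, following RFC 4034 section
# 5.1.4 (DS digest) and Appendix B (key tag), with SHA-256 per RFC 4509.
# The sample key at the bottom is constructed, not a real key.

DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
HASHES = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format: flags (2 bytes), protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_dnskey(presentation):
    """Parse a DNSKEY RR in presentation format, e.g. the line in the
    K<name>+<alg>+<tag>.key file written by dnssec-keygen. TTL and class are
    optional; the base64 key may be split over several tokens."""
    tokens = presentation.split()
    i = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    public_key = base64.b64decode("".join(tokens[i + 4:]))
    return owner, dnskey_rdata(flags, protocol, algorithm, public_key)


def wire_name(owner):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): labels in
    lower case, each prefixed by its length, terminated by the root label."""
    out = b""
    name = owner.rstrip(".").lower()
    labels = name.split(".") if name else []
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("invalid label %r in %r" % (label, owner))
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B.1. (The algorithm-1 special case of
    Appendix B.2 is not handled; RSA/MD5 is long deprecated.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner, rdata, digest_type=DIGEST_SHA256):
    """DS RDATA text "<key tag> <algorithm> <digest type> <digest>".
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    digest = HASHES[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return "%d %d %d %s" % (key_tag(rdata), algorithm, digest_type, digest)


def is_ksk(rdata):
    """True if the SEP bit is set (flags 257), i.e. the key a DS should point at."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return flags & 0x0001 == 1


# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13 (ECDSAP256SHA256).
# A real P-256 public key is 64 bytes; these bytes are a placeholder, not a key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 13 " + SAMPLE_KEY

if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    print("KSK:", is_ksk(rdata), "key tag:", key_tag(rdata))
    print("DS:", ds_rdata(owner, rdata))
```

Run the same computation on your own key with `dnssec-dsfromkey -a SHA-256 Kexample.com.+013+NNNNN.key` (an ISC BIND tool) and, once the registry has published it, compare the result with the DS record the parent zone actually serves (`dig +short DS example.com`). A published DS that matches no key signing the zone is exactly the failure mode the warning at the top of this page describes.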

Who can use DNSSEC?

This list has been moved to our v5 wiki at the following page: https://doc.gandi.net/en/domains/dnssec#who_can_use_dnssec