Enabling DNSSEC for your domain
DNSSEC adds cryptographic signatures to your DNS records, protecting against cache-poisoning attacks where attackers forge DNS responses and redirect your traffic. Once enabled, resolvers can verify that DNS answers genuinely come from your zone.
Enabling DNSSEC
- Go to Domains and open your domain
- Click the Security tab
- Find the DNSSEC card, which shows the current status (Disabled, Pending, or Active)
- Click Enable DNSSEC
- Status changes to "Pending" while the keys are generated
DNSSEC statuses
| Status | Meaning |
|---|---|
| Disabled | DNSSEC not configured |
| Pending | Keys being generated and published |
| Active | DNSSEC live and signing your zone |
Adding the DS record to your registrar
For DNSSEC to work end-to-end, the DS (Delegation Signer) record must be registered at your domain's registrar. Once DNSSEC is enabled, the Security tab shows the DS Record details:
- Key tag: numeric identifier
- Algorithm: cryptographic algorithm number
- Digest type: hash type used
If your domain is registered at Kapsule, the DS record is submitted to the registry automatically and no action is needed.
If your domain is registered elsewhere, copy the DS Record values and add them at your external registrar. The exact steps vary by registrar, but you're looking for a "DNSSEC" or "DS Records" section in their DNS management.
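How the DS values relate to the zone's DNSKEY, as an added example that is not Kapsule's code: it derives the key tag and digest per RFC 4034 so that values copied to an external registrar can be checked against the published key first. The key bytes, the `example.com` owner name and all function names are constructed for illustration.

```python
import base64
import hashlib

# DS digest type numbers: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(owner):
    """Canonical owner name: lowercase, length-prefixed labels, then the root label."""
    labels = [l for l in owner.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata, digest_type=2):
    """Return (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_ds(owner, rdata, ds_text):
    """Names of the DS fields in ds_text that disagree with the DNSKEY; [] means a match.
    The digest is recomputed with the digest type the DS claims, so a wrong digest type
    shows up as a digest mismatch."""
    tag, alg, dtype, *digest = ds_text.split()
    got = {"key tag": int(tag), "algorithm": int(alg), "digest": "".join(digest).upper()}
    w_tag, w_alg, _, w_digest = make_ds(owner, rdata, int(dtype))
    want = {"key tag": w_tag, "algorithm": w_alg, "digest": w_digest}
    return [field for field in got if got[field] != want[field]]

# Constructed sample: flags 257 (KSK), algorithm 13, placeholder key bytes (not a real key).
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    ds = make_ds("example.com", SAMPLE_RDATA)
    print("DS:", *ds)
    print("mismatches:", check_ds("example.com", SAMPLE_RDATA, "{} {} {} {}".format(*ds)))
```

A non-empty result from `check_ds` means the DS at the registrar would not match the zone's key, which validating resolvers treat as a failure.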
Disabling DNSSEC
- Go to the Security tab of your domain
- Click Disable in the DNSSEC card
- Remove the DS record from your registrar if it was added externally
Wait before disabling: DNS propagation can take up to 48 hours. Disabling DNSSEC while the DS record is still in place can cause validation failures. Remove the DS record at your registrar first, wait for the TTL to expire, then disable here.
