DNSSEC / Delegation of Signing (DS) Records

How do I attach a DS record to my domain?

To do this open a support ticket using the primary account holders email address and request DS records be attached for your domain name.

 

The DS record may look like this and there could be more than one;

yourdomain.com.au. IN DS 1234 13 2 8C1CCE201FA1E45302E7EC794A1056C12763D4D45D5A61719CF135E26ABB0173
yourdomain.com.au. IN DS 4321 13 2 44C8F8E727A8248E64EC915DA537745BD8E734A3D6A3F2116E59A447B1292D7B

You can also supply the records like this;

Key Tag: 1234
Algorithm: 13
Digest Type: SHA256
Digest: 44C8F8E727A8248E64EC915DA537745BD8E734A3D6A3F2116E59A447B1292D7B

Please keep in mind it can take a little while to add these records, some name spaces are faster than others e.g. .au is typically one business day.  .com can take several days.  Also take note of when your KSK is due to expire as you will need to supply a replacement record before the old one expires.

 

What name spaces support DS records?

Most name spaces now support DS records, however we currently only add them for .au, .com, .net.  If you have DS records for other name spaces please get in contact for us to confirm as some name spaces have slightly different requirements.


Notes:

Key Tag - This is an integer value less than 65536 used to identify the DNSSEC record for the domain name. e.g. 1234
Algorithm - This identifies the cryptographic algorithm used to generate the signature. expressed as a number from a table.  e.g. 13 = ECDSA Curve P-256 with SHA-256
Digest Type - This identifies the algorithm used to construct the digest, expressed as a number from a reference table.  e.g. 2 = SHA-256
Digest - This is the digest integer value.  The long string of letters and numbers.