ResellerClub - DNSSEC (Domain Name System Security Extensions)

Domain Name System Security Extensions (DNSSEC) is a technology developed to protect against malicious activities like cache poisoning, pharming, and man-in-the-middle attacks.

Adding and Deleting Delegation Signer (DS) Records

A Delegation Signer (DS) Record contains the digital signature information for your domain name's DNS and is used to identify the DNSSEC signing key of a delegated zone. The DS Record for your domain name can be managed from its Order Details view, within your Control Panel.

Note: ResellerClub currently supports DS Records for the following domain name extensions only:
  • .com
  • .in
  • .me
  • .net
  • .org

Adding a DS Record

  1. Log in to your Control Panel, search for the domain name and proceed to the Order Information view.
  2. Click the DNSSEC link.
  3. This will display the Manage DNSSEC view.
    Note: If you have already added DS Records, you would click the Add Records button to proceed.

Provide information for the following fields and then click the Save button:

  • Key Tag: Contains the tag value of the DNSKEY Resource Record that validates this signature (an integer value in the range 0 to 65536).
  • Algorithm: The cryptographic algorithm that is used to generate the signature.
  • Digest Type: The algorithm type used to construct the Digest. Applicable values are 1, 2 & 3 for .com/.net and 1 & 2 for other domain name extensions.
  • Digest: An alphanumeric string generated by applying the Digest Type algorithm to a message. Requires a 40-character string for Digest Type value 1 and a 64-character string for Digest Type values 2 and 3.
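
The four fields are derived from the zone's DNSKEY record. The sketch below is an added example, not ResellerClub code: it computes the Key Tag and Digest as RFC 4034 defines them and then applies the value constraints listed above. The function names, the domain example.com and the 64-byte placeholder key are constructed for illustration; Digest Type 3 is only length-checked because Python's hashlib has no GOST hash.

```python
import hashlib
import struct

SUPPORTED_TLDS = {"com", "in", "me", "net", "org"}  # extensions listed on this page
DIGEST_HEX_LEN = {1: 40, 2: 64, 3: 64}              # digest lengths stated on this page
HASHES = {1: hashlib.sha1, 2: hashlib.sha256}       # type 1 = SHA-1, type 2 = SHA-256
HEX = set("0123456789abcdefABCDEF")

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(domain):
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = domain.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(domain, rdata, digest_type):
    """Return the four panel fields for one DS record (digest types 1 and 2)."""
    digest = HASHES[digest_type](owner_wire(domain) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def check_ds(domain, ds):
    """Apply the field constraints listed on this page; return a list of problems."""
    tld = domain.rstrip(".").lower().rsplit(".", 1)[-1]
    problems = []
    if tld not in SUPPORTED_TLDS:
        problems.append(f".{tld} is not in the supported extension list")
    allowed = {1, 2, 3} if tld in ("com", "net") else {1, 2}
    if ds["digest_type"] not in allowed:
        problems.append(f"digest type {ds['digest_type']} not accepted for .{tld}")
    if not 0 <= ds["key_tag"] <= 65536:  # range as stated on this page
        problems.append("key tag out of range")
    want = DIGEST_HEX_LEN.get(ds["digest_type"])
    if len(ds["digest"]) != want or not set(ds["digest"]) <= HEX:
        problems.append(f"digest must be {want} hex characters")
    return problems

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13, placeholder key bytes.
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))
```

Running `check_ds` on the values before saving them catches a digest pasted with the wrong Digest Type, which would otherwise break the chain of trust and make validating resolvers reject the zone.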

Deleting a DS Record

  1. Log in to your Control Panel, search for the domain name and proceed to the Order Information view.
  2. Click the DNSSEC link.
  3. Click the Delete link under the Action column, corresponding to the DS Record you wish to delete.
  4. Confirm the deletion by clicking the OK button.

How Does It Work?

DNSSEC adds digital signatures to a domain name's DNS to determine the authenticity of the source domain name. It is a set of extensions to DNS that provides DNS clients (resolvers) with:

  1. Origin authentication of DNS data.
  2. Authenticated denial of existence.
  3. Data integrity.

DNSSEC uses a digital signature to create a chain of authority. It then uses the chain to verify that the source domain name, which the DNS resolver returns, matches the DNS record stored at the authoritative DNS. If it cannot validate the source, it discards the response. This ensures that the user is connecting to the actual address for a domain name.