Adding DNSSEC with PowerAdmin
Posted by Aidil A. on 01 August 2023 02:52 PM
The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
DNSSEC works by digitally signing records for DNS lookup using public-key cryptography between nameservers, domain registrar and the zone operator (domain registry). The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone which is the trusted third party. Domain owners generate their own keys, and upload them using their DNS control panel at their domain-name registrar, which in turn pushes the keys via secDNS to the zone operator (e.g., Verisign for .com) who signs and publishes them in DNS.
Notes before proceed further!!!
Our DNS servers uses algorithm 13 aka ECDSAP256SHA256, Elliptic Curve Digital Signing Algorithm (ECDSA). IETF (Internet Engineering Task Force) is highly recommend to use this algorithm. For further information regarding DNSSEC usage, do refer following article:
Unfortunately, not all domain registrar support this algorithm. If turned out your domain registrar really does not support this type of algorithm, you will have 2 options:
1- change domain registrar - transfer your domain to another domain registrar that support algorithm 13 or ECDSAP256SHA256. Or;
2- lower the algorithm at DNS server only if the DNS server has the option.
Login into PowerAdmin portal
Login into PowerAdmin DNS portal.
Look for the zone you intend to enable DNSSEC.
Sign the zone
Click Sign this zone if DNSSEC for the target zone not yet enable.
Once signed, following option buttons will be available.
DNSSEC = click this button to view DS keys
Unsign this zone = click this button if intend to disable DNSSEC signing
Clicking on DNSSEC button, will present you algorithm format being used for the DS keys.
There's no need to add another key if there's already exist one.
Click on Show DS and DNSKEY button to view all DS keys.
Identify DS keys
You maybe presented with several DS keys. However, only 1 DS key is needed and the most recommended.
Under DS record section, the DS keys meaning as follows:
1st DS record:
Record Type: DS
2nd DS record:
Record Type: DS
In this example, Digest type 4 (SHA-384) is the most recommended.
With this DS record, login into domain registrar portal and input these keys.
If you don't have the access or login credentials, do request assistance from their support then.
Verify DNSSEC for the domain
You may need to wait for the new records to propagate as this also involve in DNS propagation.
On mean time, you may use online DNSSEC checker such as DNSSEC Analyzer by VeriSign.
Enter the target domain name into Domain Name box and simply press Enter.
If the keys correctly entered and DNS propagation reached, you will getting all green checkmarks.
This means, DNSSEC protection for the domain name is good to go.
Your task is completed at this point.
If getting errors similar as following:
This simply means that at domain registrar side, there are no DS record. Hence, no DNSKEY found.
At nameserver side, DS key (denote by No RRSIGs found) is not exist. Its either DNSSEC option is not enable or the DS key being deleted.
Enable DNSSEC option for the domain at nameserver side, get the DS key and input it in the domain registrar side.
Possible Error #2
Another common error:
This tells that at domain registrar side, there are no DS record being set aka not exist.
Though at nameserver side, the DNSSEC option is already activated for the said domain name (denote by Found 1 RRSIGs over A RRset)
Get the DS key from the domain's nameserver and enter it at domain registrar side.
Alternative method verifying DNSSEC for a domain name
Quickest way to verify the website you've visited protected by DNSSEC is to use browser's plugin DNSSEC checker.
Download and install DNSSEC Checker from Chrome web store.
Pin the plugin at the URL taskbar. If the site or domain has DNSSEC enabled, this plugin will be highlighted.
If the site or domain are not protected by DNSSEC, the plugin will remain grayed.
For Firefox, use plugin DNSSEC from Antoine Popineau.
The plugin will dock at the URL bar. Any visited website or domain, the plugin will notify by its color.
If glow in green, meaning the website is protected by DNSSEC.
Click on the DNSSEC icon, will tells you more information.
If the site is not protected by DNSSEC, the icon will remain red in color.
If you face any difficulties on the setup, please feel free to contact our support team by submitting a ticket on https://247livesupport.biz or emailing out support team at firstname.lastname@example.org.