DN Records + DNSSEC

You should only use or consider DNSSEC if you are comfortable with DS records and DNSSEC. When you manage DS records, the domain will stop resolving correctly if your name servers are not configured correctly with the associated DNSSEC resource records.

A lot of this stuff is really hard to understand, and not even Von understands this stuff completely. I don’t think anyone truly understands this 100% either…

Matt G.

If you have questions about DNSSEC, or if you have trouble after requesting or changing DS records, you will need to provide ultra clear instructions on what you want to achieve.

You need four things to properly configure DS Records:

  1. Digest
  2. Key Tag
  3. Digest Type
    • SHA-1
    • SHA-256
    • GOST R 34.11-94
    • SHA-384
  4. Algorithm
    • RSA/MD5
    • Diffie-Hellman
    • DSA/SHA-1
    • Elliptic Curve
    • RSA/SHA-1
    • DSA-NSEC3-SHA1
    • RSA/SHA-256
    • RSA/SHA-512
    • ECC-GOST
    • ECDSA Curve P-256 with SHA-256
    • ECDSA Curve P-384 with SHA-384
    • Indirect
    • Private DNS
    • Private OID

[Image: Digest Type options for DS Records]
[Image: Algorithm options for DS Records]
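The four DS fields listed above are all derived from the zone's DNSKEY record, so they can be recomputed and compared before a DS record is submitted. The following is an added example, not part of the original post: it computes the Key Tag and Digest as described in RFC 4034 and reports which DS field disagrees with the key. The name example.com and the 64-byte placeholder key are constructed for illustration, and GOST R 34.11-94 is left out because Python's hashlib does not provide it.

```python
import base64
import hashlib
import struct

# Digest Type number -> hash function (3, GOST R 34.11-94, is not in hashlib)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key Tag as in RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(name, rdata, digest_type):
    """Return (key tag, algorithm, digest type, digest hex) for one DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(name) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_ds(name, rdata, ds):
    """Name the DS fields that disagree with the DNSKEY; [] means consistent."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return ["digest type (unsupported here)"]
    want = make_ds(name, rdata, dtype)
    got = (tag, alg, dtype, digest.replace(" ", "").upper())
    fields = ("key tag", "algorithm", "digest type", "digest")
    return [f for f, w, g in zip(fields, want, got) if w != g]

# Constructed sample, not a real key: KSK flags 257, protocol 3,
# algorithm 13 (ECDSA Curve P-256 with SHA-256), 64 placeholder key bytes.
SAMPLE_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))))

if __name__ == "__main__":
    ds = make_ds("example.com.", SAMPLE_KEY, 2)
    print("example.com. IN DS %d %d %d %s" % ds)
    # A DS entered with the wrong algorithm (8 instead of 13) is caught here,
    # before it reaches the registrar.
    print("mismatches:", check_ds("example.com.", SAMPLE_KEY, (ds[0], 8, 2, ds[3])))
```

An empty list from `check_ds` means the Key Tag, Algorithm, Digest Type and Digest all match the DNSKEY the name servers publish for that owner name.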


      DNS Security is something that is very powerful, and not widely used or understood. Using the DNSSEC Protocol is awesome and you should use it.
