DNSSEC

DNSimple does not support Secondary DNS if you have DNSSEC enabled. They will not work in conjunction. Please ensure that you are not currently using DNSSEC, or disable DNSSEC before using Secondary DNS. You can read more about the complexities of multi-signer DNSSEC models in RFC 8901.

Table of Contents


DNSSEC (Domain Name System Security Extensions) provides a way to cryptographically build a chain of trust from the root name servers to authoritative name servers. Authenticating resolvers may verify this chain of trust to ensure the DNS results weren’t tampered with while in transit. Check out our comics for a fun explanation of why we need DNSSEC.

DNSSEC scenarios

There are a variety of scenarios that DNSimple facilitates to ensure that your zone is signed. Use the scenarios below to understand how to configure your domain/zone.

Scenario 1: Registered and DNS-hosted at DNSimple

  1. Enable DNSSEC for automatic zone signing, provisioning, and key rotation.

Scenario 2: Registered at DNSimple, but DNS-hosted elsewhere

  1. Set up DNSSEC through your external DNS provider.
  2. When you have the DNSSEC details, add them to your domain’s registrar using our DS management page.

Scenario 3: Registered elsewhere, but DNS-hosted at DNSimple

  1. Enable DNSSEC to sign your zone. This initiates automatic key rotation.
  2. After enabling, copy the DS record details over to your domain’s registrar.
  3. When the key rotates every three months, we’ll send you an email with the details, which you’ll need to supply to your domain’s registrar.

Managing DNSSEC

DNSSEC is applied on a per-domain basis. DNSSEC management options are under the DNSSEC tab on a domain’s management page.

screenshot: edit dnssec link

Managing DS records

You’ll be able to manage your records whether the TLD requires the DS records to be set up with the DS-Data interface or the KEY-Data interface. Read more about managing DS records.