Setting up DNSSEC for Domains

We enable the setting up of DNSSEC for CZ, EU, SK, generic domains and new gTLDs (for example, online, store, fun and others according to our current selection) and only for those for which we are a registrar. For generic, SK and new gTLD domains, we only allow the set up of DNSSEC if they aren’t using our DNS servers.

Using DNSSEC is completely free as is changing it’s settings.

Setting up DNSSEC

To set up DNSSEC for your domain, please follow these steps:

  1. Log in to your account in the customer administration (
  2. Select the Domains tab
  3. Open the details of a specific domain
  4. In the left column, click on the DNSSEC settings link

There are several options for setting up DNSSEC:

  1. Not using DNSSEC – the default option, the domain is not protected by DNSSEC.
  2. Using WEDOS DNSSEC – can be used only for domains that use our DNS servers. In this case when activating DNSSEC, DNS records are signed by our keys and will be set by our KEYSET for the domain. We also care about the appropriate replacement of keys. The customers do not need to care for anything. Cannot be used for generic, SK and new gTLD domains.
  3. Using your own KEYSET – can be used only for domains that do NOT use our DNS servers and support KEYSETs (CZ, EU). Here the customer can set up any KEYSET for the domain, but they must ensure the signing of DNS records on DNS servers.
  4. Creating and using your own KEYSET – this is identical to the previous option, except that it is possible to create a KEYSET directly by entering your own DNSSEC keys.
  5. Using your own DNSSEC keys – can only be used for domains that do not use our DNS servers and do not support KEYSETs (generic domains and new gTLDs). Here you can set your own DNSSEC keys (of the Digest or DNSKEY type) for the domain, which must be obtained from the DNS server provider of the domain (if it supports DNSSEC). The DNS service provider or the customer themselves must take care of the signing of DNS records on the DNS servers.

Setting up DNSSEC is a time-consuming procedure. It may take several hours before any change in the settings will take effect. So after setting it up, you to need to wait patiently.

Setting up DNSSEC in Bulk

In the customer administration, it is also possible to set up DNSSEC in bulk for multiple domains at once. In the list of domains, select the ones for which you want to make the change, and at the bottom of the drop-down list, select the actions with the selected items: DNSSEC settings, and then follow the instructions in the wizard. For generic domains, it is not possible to set up DNSSEC in bulk.

Check DNSSEC Functionality

To check the settings and correct functionality of DNSSEC for a domain, we recommend the DNS visualization tool – a tool for analysis and graphical representation of DNS records and DNSSEC keys and their status.

Cancelling DNSSEC

  1. the domain does not use our DNS servers – the command to remove DNSSEC keys from the parent zone is sent to the registry immediately
  2. the domain uses our DNS servers – the command to remove DNSSEC keys from the parent zone is sent to the registry immediately. Subsequently, the TTL of the DNSSEC keys in the parent zone is waiting to expire. After the TTL expires, the zone signature on our DNS servers will be removed, thus completing the DNSSEC cancellation request for the domain. It is not possible to change the DNSSEC settings for the domain in any way during the processing of the DNSSEC cancellation request.
Děkujeme za zpětnou vazbu!