In this article, you will learn:
- What is DNSSEC
- How to set up DNSSEC on a domain
- How to set up DNSSEC in bulk
- Common issues
- Frequently asked questions
DNSSEC
DNSSEC is a method of securing a domain against DNS spoofing attempts. It uses security keys to ensure that the information obtained from the DNS is complete, provided by the correct source, and has not been tampered with by any third party during transmission.
You can set up DNSSEC for all domains that support it:
- all CZ and EU domains that we register;
- all SK and gTLD (including nTLD) domains that we register but that do not use our DNS servers.
PL domains do not currently support DNSSEC.
DNSSEC Setup
Setting up DNSSEC security usually takes up to 6 hours.
You can set up DNSSEC under the following conditions:
- CZ and EU domains must be registered with us and may or may not use our DNS servers.
- SK domains and generic domains (COM, NET, WEBSITE, …) must be registered with us, but they must not use our DNS.
Follow these steps to enter DNSSEC settings:
- Log into the customer administration panel.
- In the navigation bar, select Domains.
- Select the domain you want to set up DNSSEC for.
- In the left menu, select DNSSEC Setup.
Next, follow the instructions according to your domain TLD:
DNSSEC for CZ and EU Domains
We offer a complete DNSSEC solution for CZ and EU domains. In this case, both the domain and the DNS servers (NSSET) must be managed by WEDOS.
In the DNSSEC interface, check the Enable WEDOS DNSSEC option and click the Set DNSSEC button.
For these domains, you can also allow future automatic WEDOS DNSSEC setup, in case the system detects problems with DNSSEC.
If you are not using WEDOS DNS servers (NSSET), you can use an existing custom KEYSET, or create and use your own. Signing DNS records on DNS servers is handled by the DNS service provider or the domain administrator (customer).
DNSSEC for SK and gTLD Domains
For SK, gTLD and nTLD domains, we offer the option to activate DNSSEC, but you must have DNS servers set up with another provider. You also need to obtain Digest or Public keys from this provider (if they support DNSSEC). Signing DNS records on DNS servers is handled by the DNS service provider or the domain administrator (customer).
In the DNSSEC interface, follow these steps:
- Check the Use Own DNSSEC Keys option.
- Select key type and enter the appropriate values.
- Save by clicking the Set DNSSEC button.
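When you enter your own keys, the Digest (DS) values and the Public key (DNSKEY) from your DNS provider must describe the same key; a mismatch breaks the DNSSEC chain. The Python sketch below is an added example, not WEDOS code: it derives the key tag and SHA-256 digest from a DNSKEY as defined in RFC 4034 and RFC 4509 and compares them with a DS value. The domain name and key bytes are constructed samples.

```python
import base64
import hashlib
import struct

# Constructed sample: a 64-byte value standing in for an ECDSA P-256 public key.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(owner):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    wire = b""
    for label in owner.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label in {owner!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    key = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key tag, algorithm, digest type 2, SHA-256 digest in hex)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(ds, owner, flags, protocol, algorithm, pubkey_b64):
    """True if a (tag, algorithm, digest type, digest) DS describes this DNSKEY."""
    tag, alg, digest_type, digest = ds
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is handled here")
    supplied = (tag, alg, 2, "".join(digest.split()).upper())
    return supplied == make_ds(owner, flags, protocol, algorithm, pubkey_b64)

if __name__ == "__main__":
    ds = make_ds("example.com", 257, 3, 13, SAMPLE_PUBKEY_B64)
    print("DS:", *ds)
    print("matches:", ds_matches(ds, "Example.COM.", 257, 3, 13, SAMPLE_PUBKEY_B64))
```

Run the comparison on the values your provider gives you before saving them in the form; flags 257 marks a key-signing key and 256 a zone-signing key, and the two produce different DS values.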
Deactivate DNSSEC
In the DNSSEC setting interface, check the Disable DNSSEC option and click the Set DNSSEC button.
Bulk DNSSEC Setup
Currently, only CZ and EU domains that are registered with us support bulk DNSSEC settings. We recommend using our DNS servers.
To set up DNSSEC in bulk, follow these steps:
- Log into the customer administration panel.
- In the navigation bar, select Domains.
- Check the CZ and EU domains you want to set DNSSEC for.
- In the bottom part of the table, select Set Up DNSSEC.
- Click the Perform button.
In the following wizard, enter the desired settings and confirm with the Complete button.
Common Issues
Common DNSSEC issues include:
SK or gTLD with WEDOS DNS
Issue: There is an error message: DNSSEC for this domain is only enabled when using foreign DNS servers. The domain must not use any of our DNS servers.
Cause: You can set DNSSEC on SK and generic domains (COM, NET, ONLINE, …) only if you do not use our DNS servers.
Solution: Change your DNS servers to another provider that supports DNSSEC.
FAQ
Question: Can I use my own KEYSET for CZ and EU domains?
Answer: Yes, as long as you aren’t using our DNS servers.
Question: Why do I have to use third-party DNS servers for generic domains?
Answer: For gTLD domains, it is not possible for us to sufficiently automate the DNSSEC setup process for technical reasons. CZ and EU domain registries support KEYSET type objects, thanks to which we can rotate DNSSEC keys in the parent zone for all affected domains with one command. With other registries, we would have to change the keys individually for each domain, and in some cases this may not even be possible due to potential domain restrictions imposed by the registry. Failed key rotation could then cause the domain to be unavailable due to a broken DNSSEC key chain.
Question: How does disabling DNSSEC work?
Answer: The system immediately sends the registry the command to remove the DNSSEC keys from the parent zone. If the domain uses our DNS servers, you wait for the TTL of the DNSSEC keys in the parent zone to expire. After the TTL expires, the system removes the zone signature on our DNS servers, which completes the request to disable DNSSEC for the domain. While this request is being processed, you cannot change the DNSSEC settings for the domain in any way.