How to Set Up DNSSEC for my New Custom Domain?

Hi,

I registered nils-wisiol.de with deSEC and set up my records via the API; however, Verisign’s DNSSEC analyzer tells me that DS records are missing and hence DNSSEC cannot be verified.

What do I need to do in order to be able to use DNSSEC?

Thanks,
Nils

Hi Nils,

Thanks for your question! To configure DNSSEC for your domain, you need to provision your public DNSSEC keys with the provider where you registered your domain. Steps:

  1. Retrieve your public DNSSEC keys from our API, by making a GET request to your domain’s endpoint. The API response will contain a “keys” field with DNSKEY and DS entries.
  2. Get in touch with your domain provider and send them your key information. Most providers will be satisfied with the DS entries, but some require DNSKEY.
  3. Finally, use the DNSSEC analyzer to verify that everything is in order.

If you created your domain together with your account, your keys are also displayed on the confirmation page after sign-up. In case you missed that, you can always look them up using the API.

Stay secure,
Peter

3 Likes

If our registrar doesn’t support CSK keys, how can I achieve it? (He also asks for the private key???)

Here are the options I have:
[three screenshots of the registrar’s DNSSEC form: dnssec1, dnssec2, dnssec3]

Hi NewRedsquare,

The “key type” value for CSK keys is identical to KSK keys, so just select KSK, corresponding to the value 257. (The label in the menu is incomplete and should read “KSK/CSK”.) The private key is certainly not required (and our API does not expose it).

If these steps don’t lead to success, please contact your registrar, provide them with the DS and DNSKEY values. They should be able to set things up manually.

Stay secure,
Peter

The registrar hasn’t answered yet. I tried to add the keys myself. I could only successfully add the DNSKEY; it doesn’t work for DS. But I used https://dnsviz.net to check the DNSSEC status of my domain and it seemed to work… Can it really work without adding DS keys?

Hi NewRedsquare,

The registrar can compute DS records from DNSKEY, so that’s generally ok. If you tell us your domain name, we can take a look whether everything is configured correctly.

Stay secure,
Peter

1 Like
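The two exchanges above (retrieving the “keys” field from the API and handing DS or DNSKEY to the registrar, and the later note that a registrar can compute DS records from DNSKEY) can be checked end to end with the script below. It is an added example, not code from deSEC or from anyone in this thread: it parses a DNSKEY in the presentation format used by the API’s “keys” field, derives the DS record exactly as the parent zone would (RFC 4034 key tag, RFC 4509 SHA-256 digest), and reports which DS records published at the parent match. The deSEC endpoint and `Authorization: Token` header are as documented at desec.io; `fetch_keys` only runs when you set `DESEC_TOKEN` and `DESEC_DOMAIN`. The sample key is constructed placeholder bytes, not a real key.

```python
"""Derive DS records from a DNSKEY and compare them with the DS records a
parent zone (or a registrar's web form) shows.  Added example, not deSEC code."""
import base64
import hashlib
import json
import os
import struct
import urllib.request


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034, section 6.2)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str):
    """Parse 'flags proto alg base64key' (the API's "dnskey" string) into its parts."""
    flags, proto, alg, *b64 = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(b64))


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(flags: int, proto: int, alg: int, key: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types: 1 = SHA-1 (legacy), 2 = SHA-256 (RFC 4509), 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS presentation format: 'keytag alg digesttype HEXDIGEST'."""
    flags, proto, alg, key = parse_dnskey(dnskey_text)
    data = name_to_wire(owner) + dnskey_rdata(flags, proto, alg, key)
    digest = DIGESTS[digest_type](data).hexdigest().upper()
    return f"{key_tag(flags, proto, alg, key)} {alg} {digest_type} {digest}"


def normalize_ds(ds: str) -> str:
    """Join a digest that tools print with spaces and uppercase it so DS strings compare equal."""
    tag, alg, dtype, *digest = ds.split()
    return f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest).upper()}"


def matching_ds(owner: str, dnskey_text: str, published_ds: list) -> list:
    """Return the published DS records (e.g. from the parent zone) that match this DNSKEY."""
    wanted = {normalize_ds(ds_from_dnskey(owner, dnskey_text, t)) for t in DIGESTS}
    return [ds for ds in published_ds if normalize_ds(ds) in wanted]


def fetch_keys(domain: str, token: str) -> list:
    """Step 1 from the thread: GET the domain endpoint and return its "keys" field."""
    req = urllib.request.Request(
        f"https://desec.io/api/v1/domains/{domain}/",
        headers={"Authorization": f"Token {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["keys"]


# Constructed sample: a CSK (flags 257), algorithm 13, 64 placeholder key bytes (not a real key).
SAMPLE_OWNER = "example.com"
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    token, domain = os.environ.get("DESEC_TOKEN"), os.environ.get("DESEC_DOMAIN")
    if token and domain:
        for entry in fetch_keys(domain, token):
            # the API lists DS values next to each DNSKEY; confirm they agree
            print(entry["dnskey"])
            print(" ", matching_ds(domain, entry["dnskey"], entry["ds"]))
    else:
        print("DS for sample key:", ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY))
```

To check what the parent actually published, paste the output of `dig +short DS yourdomain.de` into `matching_ds`; an empty result is the condition the analyzer reports as “no DS records found”, and a non-empty one means the registrar's entry matches your zone's key.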

Hi,

I also have a problem setting up my domain beilmann.net, which I registered two days ago via the website desec.io. I sent the given information to my provider 1blu.de. I can’t see the DS records, but it seems to me that 1blu has added the keys; at least I’m not able to manage the domain via 1blu custom control any more. And I see that the NS records ns1.desec.io and ns2.desec.org are set.
But still there is no DNSSEC for my domain, and the DNSSEC analyzer gives an error: “No DS records found for beilmann.net in the net zone”.
So what can I do to use DNSSEC?

Thanks in advance
Matthias

Hi Matthias,

Thanks for your message! Yes, it looks like the NS records are set correctly for beilmann.net, and the DS records are missing.

Unfortunately, there’s nothing we can do to help you with that. Only your domain registrar (= provider where you registered the domain) is able to add the records (and is obliged to do so by your request).

Good luck,
Peter

Hi Peter,

Now the records are set, and all answers of DNSSEC Analyzer are “green”.

But now, there is another problem…
When I try to connect to my domain, I get the answer:

Unable to determine IP address from hostname www.beilmann.net
The DNS server returned:
Name Error: The domain name does not exist.

Can you please tell me what I did wrong?

Thanks
Matthias

I queried your domain name via the DNS, and it looks like you have not created any DNS record sets.

Stay secure,
Peter

1 Like

Okay, thank you very much. Seems I have to learn a lot… :innocent:

Excuse me for butting in :slight_smile:
I just joined desec.io with the aim of enabling DNSSEC for a .de domain I own.

Currently I’m using Cloudflare as DNS, and my registrar is contabo.de.
I once tried to enable DNSSEC via Cloudflare, and then asked Contabo to add the DS record, who told me that they do not support DNSSEC.

(original version: “After consulting our technical department, we unfortunately have to inform you that we do not offer DNSSEC. Unfortunately, we cannot assist you with this.”)

I read about deSEC recently and decided to give it another go, but of course I still need cooperation from the Registrar. That’s where I read your “and is obliged to do so by your request” (my emphasis).

Could you point me to that information? Maybe I could then ask my registrar again to add the DS record (and as a bonus I would move the domain from Cloudflare to deSEC :slight_smile:).

Thanks in advance, and excuse me for “hijacking” this thread, but at least the topic/issue is the same.

Hi reinob,

Thanks for hijacking this thread :wink: Welcome to deSEC.

We were in touch with DENIC about this precise question in October 2020, and they told me:

DENIC can only offer DNSSEC; there is, however, no obligation on the provider side to support it.

Thus, the sentence in my previous post was incorrect, for which I’d like to apologize. (That is not to say that no top-level domain (TLD) registries prescribe DNSSEC support for their registrars; I can imagine that to be the case especially for some of the “new” TLDs from 2013 on. I believe I read something along those lines, which probably led me to the wrong statement.)

I’m afraid you will have to change your registrar then, or be unable to use DNSSEC (which does not exactly speak in your registrar’s favor). If you need suggestions for a registrar and how to do a smooth transition, please shoot us an email at support@desec.io.

Stay secure,
Peter

1 Like