Renewal of the DS/DNSKEYS

Hello together,

I need deSEC as a DNS provider with DNSSEC. I have a domain without web hosting that I only use as a mail address with my own domain at a mail provider that also supports DANE. Since my domain provider does not support DNSSEC, I registered with you, entered your NS servers at my domain DNS settings and gave my domain provider the DS/DNSKEYS, who entered/forwarded them accordingly to the registrar. According to the test on https://www.hardenize.com/, DANE is now supported.
What is not yet clear to me:

  1. When does the DS/DNSKEYS change and do I then always have to notify my domain provider of the change? How do I find out about a change?
  2. Do I need an SSL certificate for this use case?

Thank you for your reply in advance and thank you for your commitment.
Fodes

Hi Fodes,

Thanks for your message, and welcome to deSEC! 🙂

We’re not planning on changing keys unless the algorithm needs to be changed. We don’t expect this to happen in the foreseeable future.

Yes, unless your parent domain supports DNSSEC automation (which isn’t very common, unfortunately).

We would inform you via email.

It’s unclear which use case you mean, but for anything mentioned in this thread, you don’t need a TLS certificate. (DS records have nothing to do with them, and for email it seems like your provider is in charge.)

Stay secure,
Peter
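
On the question of how to notice a key change, an added example (not part of the thread and not deSEC's code): it derives the DS record from a zone's DNSKEY as defined in RFC 4034 and lists DS records held at the parent that no longer match any published key. The domain name and both keys are constructed sample values; fetching the live DNSKEY and DS records is left out so the block runs offline.

```python
import base64, hashlib, struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
HASHERS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lowercase) wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS record in presentation format: 'keytag algorithm digesttype digest'."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = HASHERS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"

def normalize(ds):
    """Parse a DS line so spacing and hex case do not affect comparison."""
    tag, alg, dtype, *digest = ds.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).lower())

def stale_ds(owner, dnskeys, parent_ds):
    """Return the parent-side DS records that match none of the zone's DNSKEYs.

    dnskeys: list of (flags, protocol, algorithm, base64 public key) tuples.
    """
    valid = {normalize(ds_from_dnskey(owner, *key, digest_type=dt))
             for key in dnskeys for dt in HASHERS}
    return [ds for ds in parent_ds if normalize(ds) not in valid]

# Constructed sample keys (64 bytes each, the size of an algorithm 13 key).
OLD_KEY = base64.b64encode(bytes(range(64))).decode()
NEW_KEY = base64.b64encode(bytes(range(64, 128))).decode()

if __name__ == "__main__":
    zone = "example.com."                                  # placeholder domain
    registered = [ds_from_dnskey(zone, 257, 3, 13, OLD_KEY)]  # DS given to the registrar
    for label, key in (("unchanged key", OLD_KEY), ("rolled key", NEW_KEY)):
        stale = stale_ds(zone, [(257, 3, 13, key)], registered)
        print(label, "->", "DS at parent must be updated" if stale else "DS still valid")
```
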