What must I do to sign my DNS records


What must I do to sign all my DNS records with DNSSEC? Must I create 3 DS records in my created zone with the keys I got?

Any help is welcome.

Dear Ron, deSEC signs all your records automatically. You can check the signature status with some online tools, e.g. the Verisign DNSSEC analyzer, https://dnssec-analyzer.verisignlabs.com/.


I checked my domain name with that tool and there I got an error message:
No DS records found for {domain} in the com zone

So that is why I was asking if I had to publish some DS keys.

I've solved the problem. The 3 DS keys I got I had to publish with my domain registrar.

Hi. No need to record the three keys together at the domain registrar. I am using only SHA-256. You can check your DS records at https://zonemaster.iis.se/en/
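To make the relationship between the "3 DS keys" and the single signing key concrete, here is an added Python example (not code from deSEC or from any poster in this thread). It builds the DS record from a DNSKEY the way RFC 4034 defines it: the digest covers the canonical owner name followed by the DNSKEY RDATA, and the key tag is computed over the RDATA. The DNSKEY values and the zone name are constructed placeholders, not real key material. It also classifies each DS by digest type against the RFC 8624 guidance for delegations (SHA-1 MUST NOT, SHA-256 MUST, SHA-384 MAY), which is why publishing only the SHA-256 DS, as the reply above suggests, is sufficient.

```python
import hashlib

# Constructed example DNSKEY for the zone below. The public-key bytes are a
# placeholder, NOT real key material; only the DS arithmetic is demonstrated.
ZONE = "example.com."
DNSKEY_FLAGS = 257       # 257 = Zone Key + Secure Entry Point (a KSK)
DNSKEY_PROTOCOL = 3      # always 3 for DNSSEC
DNSKEY_ALGORITHM = 13    # ECDSAP256SHA256
DNSKEY_PUBLIC = bytes([0x01, 0x02, 0x03, 0x04])  # placeholder, constructed

# DS digest types and their RFC 8624 status for publishing a delegation
DIGEST_STATUS = {1: ("SHA-1", "MUST NOT"), 2: ("SHA-256", "MUST"), 4: ("SHA-384", "MAY")}


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical owner name: lowercase labels, length-prefixed, root terminator."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def digest(data, digest_type):
    """Hex digest for a DS digest type (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}.get(digest_type)
    if algo is None:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return algo(data).hexdigest().upper()


def ds_from_dnskey(owner, flags, protocol, algorithm, public_key, digest_type):
    """Return the DS RDATA (key tag, algorithm, digest type, digest) for a DNSKEY.

    RFC 4034 section 5.1.4: digest = hash(canonical owner name || DNSKEY RDATA).
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (key_tag(rdata), algorithm, digest_type,
            digest(wire_name(owner) + rdata, digest_type))


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key):
    """True if a published DS (tag, alg, dtype, hex digest) belongs to this DNSKEY."""
    tag, alg, dtype, hexdigest = ds
    try:
        expected = ds_from_dnskey(owner, flags, protocol, algorithm, public_key, dtype)
    except ValueError:
        return False
    return (tag, alg, dtype, hexdigest.upper()) == expected


def audit_ds_set(ds_set):
    """Classify each DS by digest type against RFC 8624 publishing guidance."""
    report = []
    for tag, alg, dtype, _ in ds_set:
        name, status = DIGEST_STATUS.get(dtype, (f"type {dtype}", "unknown"))
        report.append(f"DS {tag} {alg} {dtype}: {name} -> {status}")
    return report


if __name__ == "__main__":
    key = (ZONE, DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, DNSKEY_PUBLIC)
    # The "three DS records" a provider hands out are one key hashed three ways.
    three = [ds_from_dnskey(*key, dt) for dt in (1, 2, 4)]
    for ds in three:
        print(f"{ZONE} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    for line in audit_ds_set(three):
        print(line)
    # Publishing only the SHA-256 one is enough for validation to work.
    print("SHA-256 DS matches DNSKEY:", ds_matches_dnskey(three[1], *key))
```

Run it as a script to see the three DS variants for the same placeholder key; the key tag is identical across them because it depends only on the DNSKEY RDATA, while the digest length (40, 64 or 96 hex characters) tells you which digest type each record uses. `ds_matches_dnskey` is the check a validating resolver performs at the delegation: if the DS published at the registrar does not hash the child's DNSKEY, the chain of trust breaks.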

Thanks for this info.

I noticed it is also more secure not to use the SHA-1 key anymore.

There are several warnings I got from different tools.

| Level | Check | Message |
|---|---|---|
| Warn | SOA MNAME entry | WARNING: SOA MNAME (set.an.example) is not listed as a primary nameserver at your parent nameserver! |
| Warn | SOA Serial | Your SOA serial number is: 2020065239. This can be ok if you know what you are doing. |
| Warn | SOA RETRY | Your SOA RETRY value is: 86400. That is NOT OK |

The mname field is not filled in correctly:
No IP address found for SOA ‘mname’ nameserver (set.an.example).

The value of this field is set.an.example, not a real address.

Could that be solved?

Hi Ron,

Those issues are non-issues: The SOA retry value is perfectly fine. For the mname value, see Invalid SOA record.

Stay secure,