Yes, we support DNSSEC for most top level domains, including
.com and
.net.
DNSSEC is a standard that was developed to make domain name lookups more secure and resistant to attacks. DNSSEC protects against several known weaknesses in the DNS protocol, including "DNS spoofing" or "cache poisoning". For more information about DNSSEC, how it works and why it is a good idea to have it turned on for your domains, please see Wikipedia.
If you are using Domainnameshop's nameservers, then configuration of DNSSEC is fully automatic. All you need to do, is to select that you want DNSSEC turned on in the control panel. If, on the other hand, you are using your own nameservers, then you will have to handle key generation, key rollover and zone signing yourself, and upload DNSSEC data manually via the control panel each time you change DNSSEC keys. Alternatively, you can use CDS/CDNSKEY to signal changes in DNSSEC parameters.
DNSSEC is turned on by default for all domains that are using Domainnameshop's nameservers. To switch on/off DNSSEC manually for a particular domain, please do the following:
- Login at www.domainnameshop.com/login
- Click "My domains"
- Click on the domain in question
- Click on the tab "Nameservers" at the top
- Check (or uncheck) the option "Use DNSSEC"
- Click the "Change" button
To take advantage of the added security that DNSSEC provides on your own computer, you must configure it to use a set of name servers that perform DNSSEC validation. So far, not all Internet access providers have turned on DNSSEC validation on their name servers. You can check yourself if you have DNSSEC turned on or not by going to:
If you are unable to connect to this site, then DNSSEC validation is properly configured on your computer. If you are able to connect, then DNSSEC is either disabled or incorrectly configured, and you should contact your Internet access provider and ask them to turn on DNSSEC validation. Alternatively, you can use Cloudflare's (1.1.1.1) or Google's (8.8.8.8) nameservers instead, as they both perform proper DNSSEC validation.
To avoid downtime for a domain when changing name servers, we recommend that you turn off DNSSEC at least 24 hours in advance, and wait at least 24 hours after the name servers have been changed before turning on DNSSEC again. This prevents clients who have cached the old DS records from failing DNSSEC validation, if the new name servers use different DNSSEC keys than the old ones.
To debug DNSSEC issues or just check that the name servers for a domain are configured correctly, we recommend the following tools:
For the technically inclined, we can inform that we sign all DNSSEC zones using algorithm 13 (ECDSAP256SHA256) or 15 (ED25519) with NSEC3. The signatures have a lifespan of 30 days, and the keys are rolled every 3 months (ZSK) and 12 months (KSK). It is not possible to specify individual parameters or algorithms when using DNSSEC on Domainnameshop's name servers.