DN Records + DNSSEC

You should only use / consider DNSSEC if you are comfortable with DS records and DNSSEC. When you manage DS records, the domain will stop resolving correctly if your name servers are not configured correctly with the associated DNSSEC resource records.

Alot of this stuff is really hard to understand, and not even Von understands this stuff completely. I don’t think anyone truly understands this 100% either…

Matt G.

If you have questions about DNSSEC, or if you have trouble after requesting or changing DS records you will need to provide ultra clear instructions on what you want to achieve.

You need four things to properly configure DS Records:

  1. Digest
  2. Key Tag
  3. Digest Type
    • SHA-1
    • SHA-256
    • GOST R 34.11-94
    • SHA-384
  4. Algorithm
    • RSA/MD5
    • Diffie-Hellman
    • DSA/SHA-1
    • Elliptic Curve
    • RSA/SHA-1
    • DSA-NSEC3-SHA1
    • RSASHA1-NSEC3-SHA1
    • RSA/SHA-256
    • RSA/SHA-512
    • ECC-GOST
    • ECDSA Curve P-256 with SHA-256
    • ECDSA Curve P-384 with SHA-384
    • Indirect
    • Private DNS
    • Private OID

Digest Type options for DS Records
Algorithm options for DS Records

Helpful links: