title: Enabling DNSSEC
created at: Tue Oct 22 2024 17:43:08 GMT+0000 (Coordinated Universal Time)
updated at: Tue Oct 22 2024 18:05:37 GMT+0000 (Coordinated Universal Time)
---

# Enabling DNSSEC

DNSSEC activation involves several steps:

1. the system checks the maximum TTL in the domain zone;
2. signs the domain zone;
3. generates a chain of trust.

# Checking the maximum DNS TTL

The maximum DNS TTL must be less than 2 weeks. The default value is 3 hours. The limit exists because the zone's signatures (RRSIG records) are refreshed periodically: a record cached by resolvers for longer than its signature stays valid would fail validation once the signature expires. To set the maximum TTL, navigate to **Domains** → **Domain names** → select a domain → click **Records** → **TTL, sec**. The default value is 1 hour (3600 sec).

# Signing domain zone

To sign a domain zone, go to **Domains** → **Domain names** → select a domain → click **Edit** → **Sign domain**. The system starts a background process that signs the domain zone. The KSK and ZSK are generated according to the DNSSEC parameters specified for the domain.

While the zone is being signed, the icon ![signing in progress](media_Enabling%20DNSSEC/q0jVpGFEbiyhFz-p-info.png) is shown in the **Status** column. You cannot **Edit** or **Delete** the domain during that process.

Once the system has signed the domain zone, the notification icon ![DS records not published](media_Enabling%20DNSSEC/iAGfhxuoD8qFgi-p-lt4.png) appears in the **Status** column, the "Unpublished DS-records" banner is shown in the panel interface, and the **DNSSEC** button becomes active for the domain. At this point the zone is signed but not yet validated by resolvers: a validating resolver trusts the zone's keys only after the parent zone publishes matching DS records.

The domain zone signing function is available only to "Users" and "Administrators".

# Creating a chain of trust

To create a chain of trust, you need to publish the DS records (or, with some registrars, the DNSKEY records of the KSK itself) in the parent zone.
You can see the main key parameters and their DNSKEY and DS records in **Domains** → **Domain names** → select a domain → **DNSSEC**. The following data are displayed for every DS record:

* Start of record — the part of the record preceding the DS data (owner name, class and record type);
* Tag — key tag of the KSK the DS record refers to;
* Algorithm — number of the signing algorithm of the DNSKEY (for example 13 for ECDSA P-256 with SHA-256), not of the digest;
* Digest type — number of the hash algorithm used to compute the digest (for example 2 for SHA-256);
* Digest — the hash of the owner name and the DNSKEY record data.

Click **Show DNSKEY** to see a table with the DNSKEY records. The following data are shown for every DNSKEY record:

* Start of record — the part of the record preceding the DNSKEY data (owner name, class and record type);
* Flags — key type: 257 for a KSK (Zone Key and Secure Entry Point bits set), 256 for a ZSK;
* Protocol — DNSSEC protocol number, always 3;
* Algorithm — number of the signing algorithm;
* Public key — public part of the key, base64-encoded;
* Tag — key tag computed from the record data.

DS records are sent in one of the following ways:

1. Add the records in the domain control panel on the registrar's side. If the registrar expects each record as a single string, join the values of all columns of the DS record table in ISPmanager with single spaces, in the order the table shows them.
2. If the domain zone is located on the same server as its parent zone and both are managed by [DNS management Portal](https://dns.illevante.com/), the **DNSSEC parameters** page shows a **Send DS-records to the parent zone** button. Click it to pass the DS records.
3. If the domain is the parent of a domain hosted on a remote server, create the DS records of the child domain yourself: **Domain names → Records → Add**. Learn more in [DNS records](https://help.illevante.com/p/6WXF2Riyeez_-z/DNS-Records).

Once every 24 hours, [DNS management Portal](https://dns.illevante.com/) checks the DS records in the parent zone. At least one DS record for every KSK must be published. Check the values carefully before publishing: a DS record that matches no KSK in the zone makes validating resolvers treat the whole zone as bogus and answer SERVFAIL, whereas a zone without any DS record is merely treated as unsigned. Once the check succeeds, the warning in the **Status** column changes into the icon ![DNSSEC protected](media_Enabling%20DNSSEC/iZeQ24A5XuQMQA-sss.png) confirming that the domain is protected with DNSSEC.
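The DS values you copy to the registrar are derived from the KSK's DNSKEY record, so they can be recomputed independently and compared with what the parent actually publishes before you wait for the portal's 24-hour check. The script below is an added example and is not code from the original page or from the DNS management portal: it parses DNSKEY records, computes the key tag (RFC 4034 Appendix B) and the SHA-256 / SHA-384 DS digests (hash of the canonical owner name followed by the DNSKEY RDATA), renders the space-separated DS string a registrar form expects, and reports every KSK for which the parent publishes no matching DS. The owner name `example.com.` and the two DNSKEY records are constructed sample data; the tiny public keys are not real ECDSA keys and exist only so the key-tag arithmetic is traceable by hand.

```python
"""Derive DS records from DNSKEY records and check what the parent zone publishes.

Added example, not part of the original page or of the DNS management portal.
"""
import base64
import hashlib
import struct

# DNSKEY flag bits (RFC 4034): Zone Key (256) is set on every zone key,
# Secure Entry Point (1) additionally marks the KSK, giving flags 257.
ZONE_KEY_FLAG = 0x0100
SEP_FLAG = 0x0001

# DS digest types from the IANA registry: 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample data (not real keys): one KSK (flags 257) and one ZSK (flags 256).
SAMPLE_DNSKEYS = [
    "example.com. 3600 IN DNSKEY 257 3 13 CgsMDQ==",
    "example.com. 3600 IN DNSKEY 256 3 13 AQIDBA==",
]


def owner_to_wire(name):
    """Encode an owner name in canonical wire form: lower case, length-prefixed labels, root byte."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64key' into a dict."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))  # key may be split over several tokens
    return {"owner": tokens[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "pubkey": pubkey}


def dnskey_rdata(key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(key):
    return bool(key["flags"] & SEP_FLAG) and bool(key["flags"] & ZONE_KEY_FLAG)


def ds_record(key, digest_type=2):
    """Return (tag, algorithm, digest_type, digest_hex): the DS data the parent must publish."""
    rdata = dnskey_rdata(key)
    digest = DIGEST_ALGS[digest_type](owner_to_wire(key["owner"]) + rdata).hexdigest().upper()
    return (key_tag(rdata), key["algorithm"], digest_type, digest)


def ds_text(key, digest_type=2):
    """Render the DS as the single space-separated string a registrar form expects."""
    return "%d %d %d %s" % ds_record(key, digest_type)


def check_chain_of_trust(dnskey_lines, published_ds):
    """Return key tags of KSKs with no matching DS in the parent; [] means the chain is complete.

    published_ds is a list of (tag, algorithm, digest_type, digest_hex) tuples as seen in the parent.
    """
    missing = []
    for line in dnskey_lines:
        key = parse_dnskey(line)
        if not is_ksk(key):
            continue  # ZSKs are signed by the KSK inside the zone; the parent never needs them
        candidates = {ds_record(key, t) for t in DIGEST_ALGS}
        if not candidates & set(published_ds):
            missing.append(key_tag(dnskey_rdata(key)))
    return missing


def demo():
    """Parent publishes a DS with a stale key tag: the live KSK is reported as missing."""
    ksk = parse_dnskey(SAMPLE_DNSKEYS[0])
    stale = (12345,) + ds_record(ksk)[1:]  # constructed: wrong tag, otherwise identical
    return check_chain_of_trust(SAMPLE_DNSKEYS, [stale])


if __name__ == "__main__":
    print("DS to publish:", ds_text(parse_dnskey(SAMPLE_DNSKEYS[0])))
    print("KSKs without a matching DS in the parent:", demo())
```

In practice you would feed `check_chain_of_trust` the DNSKEY records shown on the **DNSSEC** page and the DS records returned by a query for the DS type at the parent (for example with `dig DS <domain> +dnssec` against a validating resolver). A non-empty result means the chain of trust is not yet complete; a DS that is present in the parent but not among the candidates derived from your KSKs is the dangerous case described above, because resolvers will then fail validation for the whole zone.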