1. Login to https://portal.ultradns.com
2. Click Domains
3. Click on the domain that you wish to enable DNSSEC on
4. Ensure that you have a DNSSEC tab (which will be to the right of the Records tab)
- If there is no DNSSEC, contact Customer Support so that they can enable DNSSEC management on your account or provide contact details for a user with the required permissions
- Zone will now be signed at the authoritative level (UltraDNS), however DNSSEC capable servers will not validate your zone.
- Every record in a DNSSEC-enabled zone is signed, so responses to a query for a record include the record and an RRSIG record; this increases the record query count..
- The zone will now be signed and DNSSEC capable servers will validate your zone. At this point the signing is done and the zone will become secure.
When DS records are going to expire, no notification is sent to customer because the signatures will be automatically regenerated before expiration.
After signing the zone UltraDNS takes care of ZSK rollover and signature regeneration at every 30 days.
KSK rollover is performed on demand of customer by on-call support and during KSK rollover, DS records are required to be changed at registry.
Note: As of September 2019, a new form of signing called On the Fly signing is implemented. This new signing method is applied to any new zones created after September 13th, 2019, or to those zones that are unsigned, and then signed again. If you need assistance with updating your zones please open a support case and we will be glad to assist.
On the Fly signing removes the previous signing restrictions, and also provides an automatic resigning capability whenever changes are made to your zone. The new signer supports all advanced features - SiteBacker, Traffic Controller, Simple Failover, Simple Load Balancing, Resource Distribution, Directional and Apex Alias.