- Log in to UltraDNS
- Click Domains
- Click on the domain that you wish to enable DNSSEC on
- Ensure that you have a DNSSEC tab (which will be to the right of the Records tab)
  - If there is no DNSSEC tab, contact Customer Support so that they can enable DNSSEC management on your account or provide contact details for a user with the required permissions
- Under Zone Status, click Sign
  - The zone will now be signed at the authoritative level (UltraDNS); however, DNSSEC-capable servers will not yet validate your zone
  - Every record in a DNSSEC-enabled zone is signed, so responses to a query for a record include the record and an RRSIG record; this increases the record query count
- Provide the two DS records listed under DS Resource Records to your registrar so that they can add them to the appropriate registry
  - The zone will now be signed and DNSSEC-capable servers will validate your zone. At this point the signing is done and the zone will become secure
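
Before the DS records go to the registrar, they can be checked against the zone's KSK: a DS record is the key tag, algorithm, digest type, and a hash of the owner name plus the DNSKEY RDATA (RFC 4034, section 5). The Python below is an added example, not UltraDNS code; the zone name and key are constructed placeholders, and treating the two DS records as digest types 1 and 2 of one KSK is an assumption.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Canonical owner name: lowercased, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """Return (key_tag, algorithm, digest_type, HEX digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def check_ds(owner, rdata, ds_line):
    """Compare a DS line ('tag alg type digest') against the DNSKEY.
    Digest types other than 1 and 2 are not handled and return False."""
    tag, alg, dtype, *digest = ds_line.split()
    listed = (int(tag), int(alg), int(dtype), "".join(digest).upper())
    return int(dtype) in DIGESTS and listed == make_ds(owner, rdata, int(dtype))

# Constructed sample data: a placeholder zone and a dummy 64-byte "public key",
# not a real key. Substitute the zone's KSK (flags 257) DNSKEY fields.
ZONE = "example.com."
KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    for dtype in (1, 2):
        tag, alg, _, digest = make_ds(ZONE, KSK, dtype)
        line = f"{tag} {alg} {dtype} {digest}"
        print(f"{ZONE} IN DS {line}  match={check_ds(ZONE, KSK, line)}")
```

A mismatch in key tag or digest means the DS record does not describe the key that signs the zone's DNSKEY set, and validating resolvers would treat the zone as bogus once that DS is published.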
Additional Information
- When DS records are going to expire, no notification is sent to the customer because the signatures will be automatically regenerated before expiration
- After signing the zone, UltraDNS takes care of ZSK rollover and signature regeneration every 30 days
- KSK rollover is performed by on-call support at the customer's request; during a KSK rollover, the DS records must be changed at the registry.