Understanding and Configuring DNSSEC in ClouDNS


DNSSEC adds an authentication layer to an otherwise insecure DNS infrastructure. It guarantees that visitors are directed to your serve IP when they type your domain into a web browser, thus avoiding man-in-the-middle attacks and other types manipulations during the resolution. You can read more about DNSSEC and its benefits here.

How ClouDNS support and implement DNSSEC?

ClouDNS supports DNSSEC for all DNS products we offer: Premium DNSDDoS Protected DNSGeoDNS, and Private DNS servers.

To activate DNSSEC signing and obtain the domain DS records, you have to log into your control panel and to navigate to the zone. In the zone's control panel you will see a menu in top called "DNSSEC". From this page you can activate or deactivate DNSSEC zone signing and to receive the DS and DNSKEY public records.

Encryption Algorithm

Encryption Algorithm used by the ClouDNS system to sign the zones is 13 - Elliptical Curve Algorithm (ECDSA P-256). This algorithm is considered both as strong and fast compared to the standard RSA keys, which makes your domain name both fast and secure.

Exception: Due to TLD limitations we are unable to use ECDSA P-256 SHA256 for .GDN domain names. For this TLD the default algorithm is set to RSA SHA512.

NSEC3 Records (Next Secure)

NSEC records links to the next record name in the zone (in DNSSEC sorting order) and lists the record types that exist for the record's name.

ClouDNS implements by default NSEC3 records. NSEC3 records have the same functionality as NSEC-records, except NSEC3 uses cryptographically hashed record names to prevent enumeration of the record names in a zone.

DS records setup

Once the DNSSEC is enabled in the dns zone, the DS records should be configured at the domain provider, where the domain name is registered. Most of the domain providers, including ClouDNS, and TLDs currently support DNSSEC. However, there is still limitation for some of the TLDs or domain provider's control panels. If you do not see an option to configure the DS records in the domain name control panel, please contact the technical support of the domain provider to do it for you manually, usually this is a working solution for most of our customers.

Some of the TLDs requires DNSKEY records along with the DS records in order to configure your domain name DNSSEC configuration. You can obtain the DNSKEY records from the DNSSEC page in your zone control panel.

RRSIG validity time

During the signing process of the zone the backend system generates signatures for the all records which are stored within RRSIG records within the zone. These records are stored on our dns servers and included in the zone transfers if you use secondary dns with your own server or external backup provider.

RRSIG records helps to the resolvers to validate responses received from the authority servers if they are not modified during the transfer. RRSIG records has validity period and once this period expires they become invalid and the zone should be resigned. Our system sign the zones with 30 days validity period of the signatures. After every change made within the zone we are resigning the zone and RRSIG records are signed for another 30 days validity period. If for the recent 20 days there are no changes in the zone, the system automatically resign the zone keep the signatures valid.

Keys rollover

At this moment ClouDNS doesn't implement keys rollover and there is no option to reset your keys. If you want to have new keys for your zone, you have to recreate the zone or to contact our technical support to do the change for you.


OPT-OUT is a mechanism that allows domain name owners to exclude their domain from DNSSEC protection. By default, when DNSSEC is enabled for a domain, all the authoritative DNS records associated with that domain are required to be signed with digital signatures. However, the opt-out mechanism allows domain owners to specify certain subdomains or individual DNS records within their domain that should be exempted from DNSSEC protection. The opt-out feature can be useful in certain scenarios where domain owners may have specific reasons for not signing certain subdomains or records. For example, if a domain owner wants to delegate a subdomain to a third-party provider who does not support DNSSEC, they can choose to opt-out that subdomain from DNSSEC. It's important to note that the opt-out mechanism should be used judiciously and only for valid reasons, as DNSSEC provides an important layer of security against DNS spoofing and other attacks. Opting out too many records or subdomains can weaken the overall security provided by DNSSEC.

Last modified: 2023-10-19
Cookies help us deliver our services. By using our services, you agree to our use of cookies. Learn more