We have noticed that some clients of ours which are using OVH as a domain registrar are having difficulty activating DNSSEC for their domains. We understand the whole procedure may be a little bit complicated. For that reason, in this article, we will try to explain all the steps required for activating DNSSEC with OVH.
First and foremost, DNSSEC for your Master zone hosted here must be activated. You can check the details on how to activate it here.
Once DNSSEC for your Master zone is activated, your DNSSEC records will be displayed. There are a couple of sensitive components that you need for successfully activating DNSSEC with OVH. You should attract your eyes on the two DNSKEY records and the key tag of the DS record, as shown below:
So far so good. Now please open your terminal and run the following input:
$ dig any your-domain.com @ns1.example.com
Note: Parameters above are just samples. You should replace your-domain.com with your actual domain, and for @ns1.example.com you must type any of the name servers available for your ClouDNS account. You are looking for the RRSIG records for the DNSKEYs. Both RRSIG records have a key tag value. Please, write down the one which is different in comparison to your DS record's key tag. Illustration of this can be found below:
Afterwards, please log in your OVH account and make sure the Secured Delegation - DNSSEC is Disabled, as it is shown below:
Finally, you must add both DNSKEY records with Algorithm 13. And here it comes the crucial part. The KSK DNSKEY record (257) must be added with the Keytag retrieved from the DS record generated in your ClouDNS Master zone. And for the ZSK DNSKET record (256), you must apply the Key tag which you previously wrote down (look above).
Demonstration of adding DNSKEY records through OVH interface can be seen below:
If you face difficulty in any moment of activating your domain's DNS, please do not hesitate to contact our technical support team. We will be more than happy to help you with this task.