{"id":229142,"date":"2018-09-19T17:51:00","date_gmt":"2018-09-19T17:51:00","guid":{"rendered":"https:\/\/www.internetsociety.org\/?post_type=resources&p=229142"},"modified":"2025-09-02T17:19:20","modified_gmt":"2025-09-02T17:19:20","slug":"how-to-secure-and-sign-your-domain-with-dnssec-using-domain-registrars","status":"publish","type":"resources","link":"https:\/\/www.internetsociety.org\/resources\/deploy360\/2018\/how-to-secure-and-sign-your-domain-with-dnssec-using-domain-registrars\/","title":{"rendered":"How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars"},"content":{"rendered":"\n

With DNSSEC, your domain name registrar<\/em> plays a critical role in linking your signed domain to the higher-level name servers to form a \u201cchain of trust<\/em>\u201c. This trust relationship begins at the \u201croot\u201d of the DNS system, then goes to the top-level domains (TLDs) and then to second level domain names (\u201cexample.com\u201d) and on from there.<\/p>\n\n\n\n

To sign your domain with DNSSEC and have it participate in the global chain of trust, you need three conditions to be true:<\/p>\n\n\n\n

1. YOUR TOP-LEVEL DOMAIN (TLD) MUST BE SIGNED<\/strong> \u2013 The major TLDs such as .com, .org, .net have all been signed as have a good number of \u201ccountry code TLDs\u201d (ccTLDs), but many ccTLDs still need to be signed. View the full list of signed TLDs<\/a> to confirm that your TLD has been signed.<\/p>\n\n\n\n

2. YOUR DOMAIN REGISTRAR MUST SUPPORT DNSSEC<\/strong> \u2013 The registrar where you registered your domain must support DNSSEC. Specifically, they need to be able to accept and sign Delegation Signer (DS) records that contain the necessary information about the keys used to sign your DNS zone. They also need to be able to provide these DS records to the parent domain (which is typically a TLD).<\/p>\n\n\n\n

Check the list of registrars known to support DNSSEC<\/a> maintained by ICANN. If your registrar is listed, you may simply need to check their documentation to learn more about their DNSSEC support (see our tutorials below for some registrars). If your registrar is not<\/em> listed, you may want to contact them to find out if they already support DNSSEC or if not, when they will be doing so.<\/p>\n\n\n\n

3. YOUR DNS HOSTING PROVIDER MUST SUPPORT DNSSEC<\/strong> \u2013 Very often a \u201cregistrar\u201d may also<\/em> provide \u201cDNS Hosting\u201d services where they will host your DNS records, allow you to manage those records, publish them to the global DNS, etc. However, you may use a different provider for the actual hosting of your DNS records. (see an example<\/a>) You may also choose to operate your own nameservers and directly manage the DNS hosting yourself. Regardless of whether DNS hosting is provided by your registrar, by another company or by yourself, DNSSEC support is required. Many DNS hosting providers are automating DNSSEC services so that all of the key generation and signing is handled automatically on your behalf.<\/p>\n\n\n\n

See the \u201cMore Information\u201d section later on this page for a further description of how this works.<\/p>\n\n\n\n

The following links provide tutorials on how to sign your domain name with DNSSEC using the listed registrars and DNS hosting providers.<\/p>\n\n\n\n

\n\n\n\n

The Internet Society Deploy360 Programme does not recommend or endorse any particular domain registrars. The information provided here is to assist users to understand how to sign their domains with DNSSEC. WE ARE SEEKING TO ADD TUTORIALS HERE FOR ALL REGISTRARS THAT CURRENTLY SUPPORT DNSSEC.<\/strong> If you know of an additional registrar we should include, please contact us<\/a>.<\/p>\n\n\n\n

\n\n\n\n

Registrars Supporting DNSSEC For Registration and Hosting<\/h4>\n\n\n\n

There are a great number of registrars that now support DNSSEC for either domain registration or DNS hosting.  Please visit:<\/p>\n\n\n\n