Step-By-Step: How To Use DNSSEC with a Domain and a DNS Hosting Provider




This is about:

  • you want to use DNSSEC with domains from
  • you are using an external name service, like from a service provider, or your own


(please note: does also provide DNSSEC with the regular name service, free of charge! Please find more details at DNSSEC Support)


To make this work, the domain has to be "linked" to the external name service:


1. Set up the DNS zone and records at the DNS hosting provider

Each DNS hosting provider has its own web interface and system for adding records.

Here you have to create the zone records you need, like A records to add IPv4 addresses to a hostname.


2. Still at the DNS hosting provider,

sign the domain with DNSSEC. This of course requires that your DNS provider supports DNSSEC.

The end result is that you have a signed domain with a DS record. You will need this information (DS record) later at


3. At,

change the name server records for the domain to point to the name servers of the DNS hosting provider:

  • visit, "My domains"
  • click on "Modify" for the domain you want to have DNSSEC
  • click on 'Edit' in the 'Nameservers' section to edit these
  • click on "Use custom name servers"

It should look like this now:


[Screenshot: change name servers]


This change may take some time to propagate through the larger DNS infrastructure. Until the name server change has fully propagated, people may still see DNS records coming from the previous name servers.


At this point, you have a domain signed with DNSSEC at the DNS hosting provider, and you have changed the records at to point to the name servers of the DNS hosting provider. 

Almost done!


If you now run your domain through the DNSSEC analyzer tool, you will still see a problem: "No DS records found"

This means you still have to create a so-called Delegation Signer (DS) record at


4. Create DS record at

  • again, visit, "My domains"
  • You will now find your name servers listed and a DNSSEC section:


[Screenshot: enable DNSSEC]


  • click on 'Edit' in the DNSSEC section
  • it will then look like this - please check that the information matches what you got in step 2 above:


[Screenshot: DNSSEC settings (external)]


Press "save", and you are done - DNSSEC is enabled on your domain.


5. Finally, verify that DNSSEC works

using a tool such as Verisign Labs’ DNSSEC Analyzer. It should show green check marks now - but please keep in mind that your changes will take some time to become active.
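
The check in step 4 (does the DS record match what the DNS hosting provider gave you?) can also be done offline. The following is an added example, not part of the original guide: it recomputes the key tag and DS digest from a DNSKEY as specified in RFC 4034 and compares them with a DS line. The zone name example.com, the sample key and all function names are assumptions made for illustration.

```python
import base64, hashlib, struct

# DS digest type numbers -> hash function (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed 64-byte value standing in for a public key; NOT a real key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

def dnskey_rdata(flags, algorithm, pubkey_b64, protocol=3):
    """DNSKEY RDATA in wire format: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Owner name in canonical wire format: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner, rdata, ds_text):
    """Compare a DS line 'keytag algorithm digesttype digest' against the DNSKEY.

    The digest may be split by spaces, as many tools print it.
    """
    tag, alg, dtype, *hexparts = ds_text.split()
    got = (int(tag), int(alg), int(dtype), "".join(hexparts).upper())
    return make_ds(owner, rdata, int(dtype)) == got

if __name__ == "__main__":
    # 257 = key-signing key (SEP flag set), 13 = ECDSA P-256 with SHA-256
    rdata = dnskey_rdata(257, 13, SAMPLE_KEY_B64)
    ds = make_ds("example.com.", rdata)
    print("DS from hosting provider's DNSKEY:", *ds)
    entered = "%d %d %d %s" % ds          # what was typed in at the registrar
    print("matches:", ds_matches("example.com.", rdata, entered))
```

A mismatch in any of the four fields means validating resolvers will not be able to build the chain of trust for the zone, so compare before pressing "save".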


Having followed these steps, you have DNSSEC working on a domain registered with, using name servers from an external name service provider.


Meanwhile, there is good news: You can now also use DNSSEC with the regular name servers, free of charge! This is probably much simpler for you, since you do not have to maintain external name server records, and you can make use of DNSSEC fully integrated into's web portal.



Tags: DNS, dnssec, Nameservice
