Havenoro CP

DNSSEC adds a layer of security to DNS. Without it, someone could intercept a DNS request and send back a fake IP address, directing visitors to a fraudulent website without them knowing. DNSSEC prevents this by adding digital signatures to your DNS records, ensuring the data has not been tampered with.

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is a security technology that protects your domain from DNS spoofing and cache poisoning attacks. These attacks work by tricking DNS resolvers into returning fake IP addresses for your domain, sending your visitors to malicious copycat websites instead of your real site.

Think of DNS without DNSSEC like sending a postcard. Anyone can read it, and anyone can change the address along the way — you would never know. DNSSEC is like putting that postcard in a tamper-proof, signed envelope. The recipient can verify the signature and know the contents have not been altered.

Why DNSSEC Matters

Imagine someone types yourbank.com into their browser. Without DNSSEC, a hacker could intercept the DNS request and send back the IP address of a fake website that looks exactly like your bank's site. The user enters their username and password, and the hacker steals their credentials. This is called DNS spoofing or pharming.

DNSSEC prevents this by ensuring that DNS responses are cryptographically signed. When your browser asks for the IP address of your domain, the answer comes back together with a digital signature. The validating DNS resolver that serves the browser checks that signature against the public key (the DNSKEY record) published in your DNS zone. If the signature verifies, the response is accepted as authentic. If it does not, the resolver knows the response was tampered with and rejects it.

Most modern DNS resolvers — including Google Public DNS (8.8.8.8), Cloudflare (1.1.1.1), and Quad9 (9.9.9.9) — support DNSSEC validation. This means that if you enable DNSSEC, users of these resolvers are automatically protected.

Analogy: DNS is like a phonebook. DNSSEC is like signing each page of the phonebook so you know nobody secretly changed the numbers. Without DNSSEC, you might call a number thinking it is your friend's house, but someone has changed it to a different address entirely.

How DNSSEC Works (Simplified)

DNSSEC uses a chain of trust model with cryptographic keys:

1. Zone Signing

Your DNS zone is signed using a Zone Signing Key (ZSK). This creates digital signatures (RRSIG records) for each DNS record set in your zone. Think of this as your daily signature — you use it to sign individual records.

2. Key Signing

A separate Key Signing Key (KSK) signs the ZSK to prove it is legitimate. Both keys' public halves are published as DNSKEY records in your zone; the KSK is the one the parent zone will vouch for. Think of this as your official seal — it is more protected and used less often.

3. DS Record at Registrar

A hash of the KSK's DNSKEY record (called a DS record, or Delegation Signer) is submitted to your domain registrar, which publishes it in the parent zone (like .com). This connects your signed zone to the parent. This is like registering your official seal with a public notary — it tells the world that your domain is signed and provides the way to verify it.

4. Validation

When a DNS resolver receives a signed record, it follows the chain: record → RRSIG made with the ZSK → ZSK vouched for by the KSK → DS record in the parent zone (submitted through your registrar) → and so on up to the root zone. If any link is broken, the resolver rejects the response. In simple terms: the resolver checks every signature along the way, and if any one is missing or invalid, it assumes tampering.

The DNSSEC chain of trust: from signed records up through the registrar to the root zone.

Enabling DNSSEC in Havenoro CP

Important: Before enabling DNSSEC, make sure DNS for your domain has fully propagated (at least a few hours after creating or changing the zone). Enabling DNSSEC with a partially propagated zone can cause temporary resolution failures. Also, DNSSEC only works if your domain uses Havenoro CP's nameservers — if you use external DNS (like Cloudflare), DNSSEC must be configured there instead.

1. Go to the DNS tab

Click the DNS tab in Havenoro CP to see your DNS zones.

2. Edit the DNS zone

Hover over the domain you want to secure and click the Edit icon (pencil).

3. Enable DNSSEC

In the Advanced Options section, check the DNSSEC box. The panel will automatically generate the signing keys.

4. Click "Save"

Click Save in the top right corner. Havenoro CP will generate the Zone Signing Key and Key Signing Key, then sign your entire DNS zone. This may take a few seconds.

5. View the DS record

In the DNS tab, hover over the domain and click the DNSSEC icon (key icon). You will see the DS record information that you need to add at your registrar.

The DNSSEC keys page showing the DS record details: Key Tag, Algorithm, Digest Type, and Digest.

Adding DS Records at Your Registrar

Enabling DNSSEC in Havenoro CP is only half the process. You must also add the DS record at your domain registrar (where you bought the domain). Without this step, DNSSEC is incomplete — your zone is signed but nobody can verify the signatures because the chain of trust stops at your registrar.

1. Log into your domain registrar account (Namecheap, GoDaddy, Google Domains, Cloudflare, etc.).

2. Find the DNSSEC or DS Record settings for your domain. This is usually under an "Advanced DNS" or "Security" section.

3. Copy the DS record information from Havenoro CP (DNS tab → DNSSEC icon) and enter it at your registrar. You will typically need four fields:

  • Key Tag — a numeric identifier for the DNSKEY record
  • Algorithm — usually 13 (ECDSA P-256 SHA256)
  • Digest Type — usually 2 (SHA-256)
  • Digest — the long hexadecimal string (this is the actual cryptographic hash)

4. Save the DS record at your registrar. Propagation may take a few hours to complete.

Test with dnssec-analyzer.verisignlabs.com: After configuring DNSSEC, use the Verisign DNSSEC Analyzer to verify that everything is working correctly. It will check the entire chain of trust and report any issues.

Not all registrars support DNSSEC: Most major registrars (Namecheap, GoDaddy, Google Domains, Cloudflare, Porkbun) support DNSSEC. If your registrar does not, you may need to transfer your domain to one that does, or use an external DNS provider that supports DNSSEC.
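The DS record described in step 3 of "How DNSSEC Works" and the four fields above are derived from the KSK's DNSKEY record in a fixed way (RFC 4034 key tag, SHA-256 digest over the owner name plus DNSKEY data). The following added example, which is not part of Havenoro CP or this guide, recomputes those fields from a DNSKEY so you can confirm offline that what you typed at the registrar matches the key the panel serves; the DNSKEY it uses is a constructed sample, not a real key.

```python
import base64
import hashlib

def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in owner.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(text: str) -> tuple:
    """Split a presentation-format DNSKEY ('257 3 13 <base64>') into RDATA bytes and its fields."""
    flags_s, proto_s, alg_s, *key_parts = text.split()
    flags, protocol, algorithm = int(flags_s), int(proto_s), int(alg_s)
    pubkey = base64.b64decode("".join(key_parts))
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    return rdata, flags, protocol, algorithm

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum over the DNSKEY RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, dnskey_text: str, digest_type: int = 2) -> dict:
    """DS fields (Key Tag, Algorithm, Digest Type, Digest) for a DNSKEY.
    Digest type 2 is SHA-256 over owner-name-wire || DNSKEY RDATA (RFC 4509)."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is implemented here")
    rdata, _, _, algorithm = parse_dnskey(dnskey_text)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def ds_matches(registrar: dict, computed: dict) -> bool:
    """True when the DS entered at the registrar equals the DS derived from the live DNSKEY.
    Hex case and stray spaces in the digest are tolerated; any other difference is a mismatch."""
    return (registrar["key_tag"] == computed["key_tag"]
            and registrar["algorithm"] == computed["algorithm"]
            and registrar["digest_type"] == computed["digest_type"]
            and registrar["digest"].lower().replace(" ", "") == computed["digest"])

# Constructed sample: a KSK-flagged (257), algorithm 13 DNSKEY whose 64 key bytes are 0x00..0x3F.
# It is not a valid ECDSA key; it only exercises the key-tag and digest arithmetic.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = f"257 3 13 {SAMPLE_KEY_B64}"
SAMPLE_OWNER = "example.com."

if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
```

To check a real zone, paste the DNSKEY with flags 257 that your nameservers return in place of SAMPLE_DNSKEY and compare the output with the DS shown in the panel and at the registrar.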

Troubleshooting

DNSSEC can be tricky. Here are the most common issues and how to fix them:

Issue: "No response" or "SERVFAIL" after enabling
Solution: This usually means the DS record at your registrar does not match the keys in Havenoro CP. Double-check that you copied the DS record exactly — every character of the digest matters. Delete and re-add the DS record at your registrar.

Issue: Domain becomes unreachable
Solution: Disable DNSSEC in Havenoro CP (uncheck the box and save), then remove the DS record from your registrar. Wait for propagation, then re-enable DNSSEC carefully.

Issue: Some visitors cannot reach your site
Solution: Their DNS resolver may not support DNSSEC, or your configuration may have an error. Use dnsviz.net to diagnose.

Issue: Need to disable DNSSEC
Solution: First remove the DS record from your registrar, then disable DNSSEC in Havenoro CP. Wait for propagation before making other DNS changes. Disabling without removing the DS record first can break DNS resolution.

Disable with care: Once enabled, disable DNSSEC carefully. Always remove the DS record from your registrar first, then disable DNSSEC in Havenoro CP. If you disable DNSSEC in the panel without removing the DS record, the parent zone will still advertise your domain as DNSSEC-enabled, but the zone will no longer be signed. Validating resolvers will then reject every answer for the domain, making your website and email unreachable for their users.

Next Steps

Once DNSSEC is fully configured and verified, your domain is protected against DNS spoofing. Consider also:

  • Set up DMARC with a p=reject policy to protect your domain from email spoofing (see the Spam & Filtering tutorial).
  • Use a monitoring tool like dnsviz.net to periodically check your DNSSEC configuration.
  • Review the DNS Records Guide for help with adding and managing other record types.