How to enable DNSSEC to allow users in Atomia to use it with their domains
With this setup, a user is able to check DNSSEC status of his domain and to enable or disable it. The option is available from Domain manager page when Edit action is clicked:
We say that domain is hosted in Atomia system if the following conditions are met:
- All domain name servers are Atomia name servers
In practical terms this means that name servers listed on the Name servers tab (while editing a domain on the Domain manager page) have to match those listed in the Resource description (Nameservers property of the DNS resource).
- There is a domain zone entry on Atomia nameservers
In practical terms this means there must be a website for the domain. This includes all website types such as Windows/IIS, Linux/Apache or even a No website type. All the different types are listed on the websites page.
If all the conditions are met, then DNSSEC tab is displaying what is visible on Image 1 above. It is also possible to disable DNSSEC for a domain from the DNSSEC tab once it is enabled.
In case a domain is not hosted, it is considered external. External DNSSEC is displayed for such domains in the DNSSEC tab. There are two possible scenarios:
1. Atomia has the DNS master data (DNS is hosted with Atomia), but Atomia is not the registrar/parent for the domain.
2. Atomia has no DNS master data (DNS is hosted with third party hosting provider), but Atomia is registrar/parent for the domain.
In order to enable DNSSEC proceed with following steps:
- When DNSSEC is not enabled, there are no DS records in the domain zone and no published DS records on the registry/registrar
User needs to generate DS/DNSKEY records in the domain zone on a third party name servers and then add generated DS record from Atomia DNS manager.
- Created DS records in the domain zone will be listed under DNSSEC tab in Domain Manager.
To publish the record from the domain zone user needs to check the record and click on the Update DS records button.
- When publishing process is done, there are records in the domain zone and matched published records on registry/registrar
Clicking on the Update DS records button while the records are un-checked will un-publish them (remove them from the registry/registrar).
- If customer delete DS records from domain zone, these records will be shown as published records on registry/registrar but no matching records will be available in the domain zone
In this case a matching record should be added to the domain zone. Or a published record should be removed (by un-checking the record and clicking on the Update DS records button) and publish new DS records again.
Before you begin
The Domainreg plug-in as well as the registrar/registry that is being used has to support DNSSEC for domains.
AtomiaDNS should be installed and initial DNSSEC keyset should be added (see Creating the initial DNSSEC keyset for instructions).
Domainreg should be configured to use AtomiaDNS (
atomiadns_soap_* parameters in the config file) and then hosted_dnssec_delegation_filter and supports_dnssec configuration parameters should be set up. Make sure you fetched keys from AtomiaDNS and import them in Domainreg.
Configure DNSSEC options
To enable the DNSSEC functionality on the Domain Manager page a couple of settings must be edited in the file
C:\Program Files (x86)\Atomia\HostingControlPanel\bin\Atomia.Web.Plugin.Domains.DomainManager.Core.dll.config.
- A DNSSECVisible and DNSSECEnabled values have to be set to true.
<pluginSetting name="DNSSECEnabled" value="true" />
<pluginSetting name="DNSSECVisible" value="true" />
- The Enable DNSSEC button is available only for supported TLDs. These TLDs are configurable in the same file by adding them as comma separated list:
<pluginSetting name="DNSSECSupportedTLDs" value=".info,.net,.eu" />
- To allow users to disable DNSSEC once it is enabled, a ShowDisableDNSSEC value has to be set to true
<pluginSetting name="ShowDisableDNSSEC" value="true" />