How to enable DNSSEC to allow users in Atomia to use it with their domains
A domain is considered hosted in the Atomia system if the following conditions are met:
- All domain name servers are Atomia name servers
In practical terms this means that name servers listed on the Name servers tab (while editing a domain on the Domain manager page) have to match those listed in the Resource description (Nameservers property of the DNS resource).
- There is a domain zone entry on Atomia nameservers
In practical terms this means there must be a website for the domain. This includes all website types such as Windows/IIS, Linux/Apache or even a No website type. All the different types are listed on the websites page.
If all the conditions are met, the DNSSEC tab displays what is shown in Image 1 above. Once DNSSEC is enabled for a domain, it can also be disabled from the DNSSEC tab.
In case a domain is not hosted, it is considered external. External DNSSEC is displayed for such domains in the DNSSEC tab.
There are several possible scenarios in this case:
- There are no DS records in the domain zone and no published DS records on the registry/registrar
There is nothing to do in this scenario. The user needs to add DS/DNSKEY records to the domain zone (on third-party name servers, or in Atomia if they simply forgot to add a website to the domain).
- There are DS records in the domain zone, but no published DS records on the registry/registrar
This is the most common scenario. To publish the record from the domain zone, the user needs to check the record and click on the Update DS records button.
- There are records in the domain zone and matching published records on the registry/registrar
This scenario usually happens after the record is published as explained in scenario 2. Clicking on the Update DS records button while the records are un-checked will un-publish them (remove them from the registry/registrar).
- There are published records on the registry/registrar but there are no matching records in the domain zone
This is not a common scenario. In this case, either a matching record should be added to the domain zone, or the published record should be removed (by un-checking the record and clicking on the Update DS records button).
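The four scenarios above come down to comparing the set of DS records in the domain zone with the set published at the registry/registrar. The Python below is an added example, not Atomia code: the DS class, parse_ds and classify are hypothetical names, and the sample records are constructed. It goes beyond the single-record case by reporting each group of records separately; choosing scenario 4 before 2 before 3 when groups mix is this example's own assumption.

```python
from typing import NamedTuple

class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex

def parse_ds(rdata: str) -> DS:
    """Parse DS RDATA: '<key tag> <algorithm> <digest type> <hex digest>'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError(f"malformed DS RDATA: {rdata!r}")
    # Zone files may split the digest with spaces; hex case is not significant.
    digest = "".join(parts[3:]).upper()
    int(digest, 16)  # raises ValueError if the digest is not hex
    return DS(int(parts[0]), int(parts[1]), int(parts[2]), digest)

def classify(zone_rdata, registry_rdata):
    """Return (scenario, zone_only, matched, registry_only) for an external domain."""
    zone = {parse_ds(r) for r in zone_rdata}
    registry = {parse_ds(r) for r in registry_rdata}
    zone_only, matched, registry_only = zone - registry, zone & registry, registry - zone
    if registry_only:
        scenario = 4  # published without a match in the zone: add to zone or un-publish
    elif zone_only:
        scenario = 2  # in the zone but not published: check it, click Update DS records
    elif matched:
        scenario = 3  # every zone record is published
    else:
        scenario = 1  # no records in the zone, none published
    return scenario, zone_only, matched, registry_only

if __name__ == "__main__":
    # Constructed sample records (not real keys); same DS written two ways.
    in_zone = ["12345 13 2 " + "ab" * 32, "2222 8 2 " + "cd" * 32]
    published = ["12345 13 2 " + "AB" * 16 + " " + "AB" * 16]
    scenario, zone_only, matched, registry_only = classify(in_zone, published)
    print("scenario", scenario)
    print("publish candidates:", sorted(d.key_tag for d in zone_only))
    print("already published:", sorted(d.key_tag for d in matched))
    print("published without zone match:", sorted(d.key_tag for d in registry_only))
```

Normalizing the digest before comparing matters because the same DS record can be written with different hex case or with the digest split by whitespace, which a plain string comparison would report as a mismatch.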
Before you begin
The Domainreg plug-in, as well as the registrar/registry that is being used, have to support DNSSEC for domains.
AtomiaDNS should be installed and the initial DNSSEC keyset should be added (see Creating the initial DNSSEC keyset for instructions).
Domainreg should be configured to use AtomiaDNS (atomiadns_soap_* parameters in the config file) and then the hosted_dnssec_delegation_filter and supports_dnssec configuration parameters should be set up. Make sure you have fetched the keys from AtomiaDNS and imported them into Domainreg.
Configure DNSSEC options
To enable the DNSSEC functionality on the Domain Manager page a couple of settings must be edited in the file
C:\Program Files (x86)\Atomia\HostingControlPanel\bin\Atomia.Web.Plugin.Domains.DomainManager.Core.dll.config.
- The DNSSECVisible and DNSSECEnabled values have to be set to true:
<pluginSetting name="DNSSECEnabled" value="true" />
<pluginSetting name="DNSSECVisible" value="true" />
- The Enable DNSSEC button is available only for supported TLDs. These TLDs are configurable in the same file by adding them as a comma-separated list:
<pluginSetting name="DNSSECSupportedTLDs" value=".info,.net,.eu" />
- To allow users to disable DNSSEC once it is enabled, the ShowDisableDNSSEC value has to be set to true:
<pluginSetting name="ShowDisableDNSSEC" value="true" />