
How to Set Up DNSSEC on Your Domain

By Admin · Mar 1, 2026 · Updated Apr 24, 2026 · 25 views · 2 min read

Setting Up DNSSEC on Your Domain

DNSSEC adds cryptographic signatures to DNS records so that resolvers can detect forged responses, protecting against cache poisoning and man-in-the-middle attacks (it authenticates responses; it does not encrypt them). Enabling DNSSEC on your Breeze-hosted domains ensures clients can verify the authenticity of DNS responses.

How DNSSEC Works

  • Zone Signing Keys (ZSK) sign individual DNS records
  • Key Signing Keys (KSK) sign the ZSK, forming a chain of trust
  • DS records published at the parent zone link to your KSK
  • Resolvers validate signatures up to the DNS root

Generate Keys with BIND

cd /etc/bind/keys/
dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
dnssec-keygen -a ECDSAP256SHA256 -n ZONE -f KSK example.com

Sign the Zone

Add the key references to your zone configuration and enable inline signing. With a dnssec-policy set, named also generates and rolls keys in key-directory itself, so the manual dnssec-keygen step above is optional. Because this changes named.conf rather than the zone data, reconfigure named afterwards:

zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.db";
    key-directory "/etc/bind/keys";
    dnssec-policy default;
    inline-signing yes;
};
sudo rndc reconfig

Publish the DS Record

Extract the DS record from the KSK and submit it to your domain registrar. The glob below matches both key files; use the KSK, whose DNSKEY record carries flags 257 (the ZSK has flags 256):

dnssec-dsfromkey /etc/bind/keys/Kexample.com.+013+*.key

Copy the DS record output and add it through your registrar's control panel; the registrar publishes it in the parent zone, which completes the chain of trust.
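As an added example (not part of this article or of BIND), this is the derivation dnssec-dsfromkey performs: key tag per RFC 4034 Appendix B and DS digest over the canonical owner name plus DNSKEY RDATA, with a check that the key really is the KSK. The DNSKEY line is constructed with placeholder key bytes, not a real key.

```python
import base64
import hashlib

# Constructed DNSKEY in presentation format (the content of a K<zone>.+013+NNNNN.key file).
# Flags 257 = KSK (SEP bit set); the base64 public key is a 4-byte placeholder, not real key material.
SAMPLE_KSK = "example.com. IN DNSKEY 257 3 13 AQIDBA=="
SAMPLE_ZSK = "example.com. IN DNSKEY 256 3 13 AQIDBA=="


def wire_name(owner: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2): lowercase, length-prefixed labels."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit ones-complement-style sum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse 'owner [TTL] [class] DNSKEY flags proto alg base64...' into its fields."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, proto, alg, pubkey


def is_ksk(line: str) -> bool:
    """True when the SEP flag (bit 15, value 1) is set, i.e. flags 257 rather than 256."""
    return bool(parse_dnskey(line)[1] & 0x0001)


def ds_from_dnskey(line: str, digest_type: int = 2) -> str:
    """Return the DS record for a KSK: digest = H(canonical owner name || DNSKEY RDATA)."""
    if not is_ksk(line):
        raise ValueError("not a KSK (flags 257): do not publish a DS for the ZSK")
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"
```

Compare the output against what dnssec-dsfromkey prints for the real KSK file before submitting it to the registrar.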

Verify DNSSEC

dig +dnssec example.com A
dig example.com DS @8.8.8.8

Look for the ad (authenticated data) flag in the response, confirming DNSSEC validation is working correctly. The flag is set only when the resolver you query performs validation, so if it is missing, repeat the query against a validating resolver such as 8.8.8.8 and check that RRSIG records accompany the answer. The DS query should return exactly the DS record you submitted to the registrar.
