DNSSEC Key Management
Understand DNSSEC signing keys, DS records, and how to perform safe key rollovers without breaking DNS resolution.
DNSSEC (Domain Name System Security Extensions) protects DNS responses from tampering by adding cryptographic signatures to your zone data. Managing DNSSEC keys correctly is critical: a misstep during key changes can make your domain unresolvable.
Keys and DS Records
DNSSEC uses two types of cryptographic material:
- Signing keys live on your DNS server and sign zone data. DNScale uses CSK (Combined Signing Key) by default, which handles both zone signing and key signing in a single key pair.
- DS (Delegation Signer) records are published at your domain registrar. They tell resolvers which signing key to trust for your domain.
The DS record is derived from your signing key and contains four fields that your registrar requires:
| Field | Example | Description |
|---|---|---|
| Key Tag | 42665 | Numeric identifier linking the DS to a specific key |
| Algorithm | 13 | Signing algorithm (e.g., 13 = ECDSAP256SHA256) |
| Digest Type | 2 | Hash algorithm (e.g., 2 = SHA-256) |
| Digest | 8cbfa13b518e... | Hash of the public key |
Key States
Each key in DNScale has two independent flags:
Active
An active key is currently signing zone data. DNS resolvers use the corresponding DS record at the registrar to validate these signatures.
An inactive key is not signing, but may still be published in the zone's DNSKEY record set. This is normal during key rollovers.
Published
A published key appears in the zone's DNSKEY record set, making it visible to resolvers. Keys can be published before they start signing; this is a deliberate step in the rollover process.
Key Rollover
Key rollover is the process of replacing an active signing key with a new one. This must be done carefully because resolvers cache DS records and DNSKEY records with their TTL. Changing keys too quickly causes validation failures and makes your domain unreachable for DNSSEC-validating resolvers.
Why Keep Both DS Records
During a rollover, both the old and new DS records must exist at your registrar simultaneously. Resolvers that still have the old DNSKEY cached need the old DS to validate, while resolvers fetching fresh data need the new DS. Removing the old DS too early breaks resolution for cached resolvers.
Step-by-Step Rollover
1. Generate a new key pair. In the DNSSEC Key Management dialog, click Generate Key Pair. The new key is created as inactive and published: it appears in your zone's DNSKEY record set but does not sign any data yet.
2. Add the new DS record at your registrar. Copy the DS record for the new key (shown under the "Inactive - not signing" group) and add it at your registrar alongside the existing DS record. Do not remove the old one yet.
3. Wait for propagation. Wait at least 2× the parent zone's TTL (typically 24–48 hours for most TLDs). This ensures all resolvers worldwide have seen the new DS record.
4. Activate the new key. In the DNSSEC dialog, click Activate on the new key. It will begin signing zone data. Optionally deactivate the old key.
5. Wait for old signatures to expire. Wait at least the zone's signature validity period plus the DNSKEY TTL (typically 24 hours). This ensures no resolver still relies on the old key's signatures.
6. Remove the old DS record. At your registrar, remove the old DS record. Only the new key's DS should remain.
7. Delete the old key. Back in DNScale, delete the old (now inactive) key pair.
Important: Never skip the waiting periods. Premature removal of DS records or keys is the most common cause of DNSSEC-related outages.
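The preconditions of the rollover steps above, encoded as a checklist, as an added example that is not part of DNScale or this page's procedure: each call returns the reasons a numbered step is not yet safe (an empty list means proceed). Key tags, TTLs and elapsed times are placeholders you would fill from the dialog, your registrar, and your zone configuration.

```python
from dataclasses import dataclass, field


@dataclass
class Key:
    key_tag: int
    active: bool     # currently signing zone data
    published: bool  # present in the zone's DNSKEY RRset


@dataclass
class RolloverState:
    old: Key
    new: Key
    parent_ds_tags: set = field(default_factory=set)  # key tags of DS records at the registrar
    hours_since_new_ds: float = 0.0      # time since the new DS was added at the registrar
    hours_since_activation: float = 0.0  # time since the new key started signing
    parent_ttl_hours: float = 24.0       # TTL of the DS RRset in the parent zone (assumed)
    sig_validity_hours: float = 24.0     # how long this zone's RRSIGs stay valid (assumed)
    dnskey_ttl_hours: float = 24.0       # TTL of the zone's DNSKEY RRset (assumed)


def rollover_blockers(step: int, s: RolloverState) -> list:
    """Return the reasons rollover step `step` (numbered as in the procedure above)
    is NOT yet safe. An empty list means its preconditions are met."""
    old, new, ds = s.old, s.new, s.parent_ds_tags
    problems = []
    if step == 2:    # add the new DS at the registrar
        if not new.published:
            problems.append("new key is not published in the DNSKEY RRset yet")
    elif step == 4:  # activate the new key
        if not {old.key_tag, new.key_tag} <= ds:
            problems.append("both old and new DS must be at the registrar before activation")
        if s.hours_since_new_ds < 2 * s.parent_ttl_hours:
            problems.append("new DS has not been published for 2x the parent TTL yet")
    elif step == 6:  # remove the old DS
        if not new.active:
            problems.append("new key is not signing; removing the old DS would leave no valid chain")
        if s.hours_since_activation < s.sig_validity_hours + s.dnskey_ttl_hours:
            problems.append("old signatures may still be cached; wait validity period plus DNSKEY TTL")
    elif step == 7:  # delete the old key pair
        if old.key_tag in ds:
            problems.append("old DS is still at the registrar; remove it before deleting the key")
        if old.active:
            problems.append("old key is still active")
    return problems
```

Steps 1, 3 and 5 are actions or waits with no precondition of their own, so they return no blockers; the waiting they impose is enforced at steps 4 and 6.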
DS Record Format for Registrars
When your registrar asks for DS record fields, copy them individually from the DNSSEC Key Management dialog:
```
Key Tag: 42665
Algorithm: 13
Digest Type: 2
Digest: 8cbfa13b518e46635bb83486120c824a04622d752dc5484c478be778496b1b77
```
Some registrars accept the full DS record as a single line:
```
42665 13 2 8cbfa13b518e46635bb83486120c824a04622d752dc5484c478be778496b1b77
```
DNScale provides copy buttons for both formats.
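Before pasting a DS record at the registrar, it is worth confirming that it really corresponds to the DNSKEY your zone publishes. The following is an added example, not DNScale's code: it derives the four DS fields from a DNSKEY (owner name, flags, protocol, algorithm, base64 public key) following RFC 4034 and compares them with a DS line copied from a dialog or registrar. The owner name example.com and the public key bytes are constructed placeholders.

```python
import base64
import hashlib

# DS digest types a registrar may accept. SHA-1 (type 1) is deprecated and deliberately absent.
DIGEST_ALGORITHMS = {2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def compute_ds(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, digest_type: int = 2) -> dict:
    """Derive the four DS fields (key tag, algorithm, digest type, digest) from a DNSKEY."""
    if digest_type not in DIGEST_ALGORITHMS:
        raise ValueError(f"unsupported or deprecated DS digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGORITHMS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_line(ds: dict) -> str:
    """Single-line registrar format: '<key tag> <algorithm> <digest type> <digest>'."""
    return f"{ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def ds_matches(shown_line: str, ds: dict) -> bool:
    """True if a DS line copied from a dialog or registrar equals the one derived from the DNSKEY."""
    return shown_line.lower().split() == ds_line(ds).lower().split()


# Constructed sample: a CSK (flags 257, SEP bit set), protocol 3, algorithm 13, with a placeholder
# public key. These 64 bytes are NOT a valid P-256 point; they only exercise the arithmetic.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()
```

Feed it the DNSKEY values your zone actually serves and the DS line from the dialog; a mismatch means the wrong key, owner name or digest type is about to be handed to the registrar.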
Managing DNSSEC in DNScale
Using the Dashboard
- Navigate to your zone in the DNScale dashboard
- Click the Shield icon in the DNSSEC column to open Key Management
- Click Generate Key Pair to create signing keys
- Copy the DS records and add them at your registrar
- DNSSEC is active once the DS records propagate
Using the API
Enable DNSSEC for a zone:
```bash
curl -X PUT "https://api.dnscale.eu/v1/zones/{zone_id}/settings" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"dnssec_enabled": true}'
```
Generate a key pair:
```bash
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/cryptokeys" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"keytype": "csk", "algorithm": "ECDSAP256SHA256", "active": true}'
```
Get DS records:
```bash
curl "https://api.dnscale.eu/v1/zones/{zone_id}/ds-records" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
List cryptokeys (includes active/inactive status):
```bash
curl "https://api.dnscale.eu/v1/zones/{zone_id}/cryptokeys" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Common Mistakes
- Removing the old DS before the new key is active: resolvers cannot validate signatures from either key, causing SERVFAIL responses
- Not waiting for TTL expiry: cached records at resolvers still reference the old configuration
- Deleting keys before removing the DS: the registrar still points to a key that no longer exists, breaking the chain of trust
- Using the SHA-1 digest type: SHA-1 (Digest Type 1) is deprecated; always prefer SHA-256 (Digest Type 2) or SHA-384 (Digest Type 4)
Related
- What Is a DNS Zone: DNS zone basics
- DNS Propagation Explained: how DNS changes propagate globally
- What Is a TLSA Record: DANE/TLSA for certificate pinning via DNS