Overview
DNSSEC (Domain Name System Security Extensions) adds an essential layer of authentication to your domain’s DNS. By digitally signing your DNS records, it ensures that your visitors are directed to your legitimate website rather than a malicious or spoofed domain.
The configuration of DNSSEC is a two-step process:
- Enable DNSSEC at your DNS Provider: This generates the unique security records (DS records) for your domain.
- Add Records to the Domain Registrar: These records are then added to the domain registry to complete the “Chain of Trust.”
Depending on your domain setup, our system can often handle enabling DNSSEC for you automatically.
Step By Step
Case 1: Using our DNS Management Service
If your domain is pointed to our nameservers (e.g., ns1.ns.ly, ns2.ns.ly), the process is fully automated.
- Log in to your Client Area account.
- Navigate to Domains > My Domains, and select the .LY domain you wish to manage.
- From the left-hand sidebar, select DNS Management.
- Click the Enable DNSSEC button at the top.
Our system will automatically generate the required DS records and communicate them to the .LY registry. No further action is required.
Case 2: Using External Nameservers
If you are using another DNS provider for your domain (e.g., cPanel, Cloudflare), you must manually bridge the security gap between your provider and the registrar.
- Log in to your DNS Service Provider’s dashboard (the place where you manage your DNS records).
- Locate their DNSSEC section and click Enable or Generate.
- Copy the provided DS Record values (Key Tag, Algorithm, Digest Type, and Digest).
- Now, log in to your Client Area account with us.
- Navigate to Domains > My Domains and select the .LY domain you wish to manage.
- On the left-hand menu, click DNSSEC Settings.
- Fill in the fields under Add New DS Record using the information provided by your DNS host.
- Click Save Record & Enable DNSSEC.
Once successful, your status will change from INACTIVE to ACTIVE.
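A DS record that does not match the DNSKEY published by your DNS provider makes validating resolvers reject the domain, so it helps to recompute the four DS fields from the DNSKEY and compare them before saving. The script below is an added example, not part of our system or your provider's tooling; the domain example.ly, the dummy key bytes, and all function names are illustrative assumptions.

```python
import base64
import hashlib

HASHES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Return (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = HASHES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_ds(owner, rdata, tag, algorithm, digest_type, digest):
    """List the problems with DS fields about to be submitted; empty means they match."""
    if digest_type not in HASHES:
        return [f"unsupported digest type {digest_type}"]
    problems = []
    digest = "".join(digest.split()).upper()  # dashboards often wrap or lowercase the hex
    if not int.from_bytes(rdata[:2], "big") & 0x0100:
        problems.append("DNSKEY lacks the Zone Key flag, so it cannot anchor a DS")
    exp_tag, exp_alg, _, exp_digest = make_ds(owner, rdata, digest_type)
    if len(digest) != len(exp_digest):
        problems.append(f"digest has {len(digest)} hex chars, expected {len(exp_digest)}")
    elif digest != exp_digest:
        problems.append("digest does not match this DNSKEY")
    if tag != exp_tag:
        problems.append(f"key tag {tag} != computed {exp_tag}")
    if algorithm != exp_alg:
        problems.append(f"algorithm {algorithm} != DNSKEY algorithm {exp_alg}")
    return problems

OWNER = "example.ly"  # constructed placeholder domain
RDATA = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())  # dummy key

if __name__ == "__main__":
    ds = make_ds(OWNER, RDATA)
    print(f"{OWNER}. IN DS", *ds)
    print(check_ds(OWNER, RDATA, *ds) or "DS matches DNSKEY")
```

To use it with real data, pass the flags, protocol, algorithm and Base64 key from the DNSKEY record your provider shows, together with the four DS values you are about to enter.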
Verification (Optional)
After you receive confirmation that DNSSEC has been configured for your domain, please allow enough time for DNS propagation to complete; this might take up to 4 hours.
You can use an online tool for DNSSEC validation, such as DNSSEC Analyzer, to test and verify the configuration for your domain from both the DNS Provider and the Registrar side.
Disabling DNSSEC
⚠️ Important: Read Before Proceeding
Deleting the DS record in the Client Area turns off DNSSEC validation. However, this change is not instantaneous across the global internet.
- Status Update: After you click “Delete” or “Save,” the Active/Inactive status in your portal updates immediately. This means our database is updated, but the .LY Registry typically takes 1 to 2 hours to publish this change to the global internet.
- The Risk: If you do not follow the correct order of operations, your website will become inaccessible (returning a SERVFAIL error) because validating resolvers around the world will still expect security signatures that no longer exist.
Correct Order of Operations:
To avoid taking your website offline, you must follow these steps in order:
- Delete the DS Record in our Client Area: Remove the record from the “DNSSEC Settings” page first.
- Wait 1 Hour: Allow time for the Registry to broadcast that the domain is no longer signed.
- Disable DNSSEC at your DNS Provider: Only after the waiting period should you turn off DNSSEC at your DNS provider (e.g., Cloudflare, cPanel).
Warning: If you disable DNSSEC at your provider first, the Registry will still tell the world, “This site is secured; check for a signature.” Since the provider is no longer sending that signature, the site will fail to load globally.