DNSSEC
DNSSEC adds cryptographic signatures to DNS responses so resolvers can verify that records for your domain have not been forged. WebShield signs responses on every nameserver in real time; you only need to enable signing and publish one DS record at your registrar.
Enable DNSSEC
Section titled “Enable DNSSEC”- Open Control panel → DNS for the domain.
- In the DNSSEC card, click Enable DNSSEC.
- Copy the DS record shown in the card (the SHA-256 variant, digest type
2, is recommended). - Publish the DS record in your registrar’s control panel (usually under DNSSEC, DS records, or similar).
Until the DS record is published, the zone is signed but resolvers do not validate it — this state is safe and nothing changes for your visitors. Once the registrar publishes the DS record in the parent zone, validation becomes active. The card shows whether a DS record is currently visible in the parent zone.
Technical details: a single CSK key, algorithm 13 (ECDSA P-256 with SHA-256), NSEC3 in narrow mode (zone contents cannot be enumerated).
Disable DNSSEC
Section titled “Disable DNSSEC”Disabling signing while the DS record is still published would make the domain unresolvable for validating resolvers (a large share of the Internet). The panel therefore blocks disabling until the DS record disappears from the parent zone:
- Remove the DS record at your registrar.
- Wait for the DS TTL to expire (typically up to 24 hours).
- Click Disable in the DNSSEC card.
Transferring a signed domain to WebShield
Section titled “Transferring a signed domain to WebShield”If your domain already has DNSSEC enabled at the previous DNS provider, remove the DS record at the registrar before switching nameservers to WebShield, and wait for its TTL to expire. Otherwise validating resolvers will reject the unsigned answers from the new nameservers. After the transfer you can enable DNSSEC in WebShield and publish the new DS record.
DNSSEC can also be managed with an API token holding the
dns scope:
GET /api/v1/domains/<id>/dnssec— status and DS records;POST /api/v1/domains/<id>/dnssec— enable signing;DELETE /api/v1/domains/<id>/dnssec— disable signing (refused with409while a DS record is still published in the parent zone).