DNSSEC checks the data using cryptographically secured signatures, which are calculated using the data to be protected and transmitted to the client together with the data. The signature used can be used to check whether the data was sent from an authorized source. At the same time, the signature makes it possible to check whether data has been altered in transit.

Requirements for activating DNSSEC

The following requirements must be met for DNSSEC to be used:

  • DNSSEC support at TLD level (e.g. .de)
  • DNSSEC support from the DNS provider

Automatic configuration

For the automatic activation of DNSSEC, both the DNS zone and the domain must be managed via creoline DNS. The following requirements must be met for automatic configuration:

  • DNSSEC must be deactivated for the domain
  • DNSSEC must be deactivated for the DNS zone
  • The domain must have been registered via creoline
  • The DNS zone must be managed via creoline DNS
  • The nameservers of the domain must point to the standard creoline nameservers

Navigate to the DNS zone for which you want to enable DNSSEC and click Settings → Enable DNSSEC.

You can use the pop-up window to specify the mode in which DNSSEC is to be activated.

Mode Explanation
Configure automatically In this mode, the DNSSEC configuration is automatically stored with the associated domain so that no further steps are required to activate DNSSEC.
Create DNSSEC configuration only In this mode, the associated domain is not automatically adjusted and the DNSSEC configuration must be stored manually for the domain.

Attention: Before activating DNSSEC, check whether your domain provider supports the DNSSEC protocol. If your domain is registered via creoline, the DNSSEC option is only displayed if the DNSSEC protocol is supported by the corresponding TLD.

Manual configuration

Navigate to the DNS zone for which you want to activate DNSSEC and click on Settings → Activate DNSSEC.

Select the Generate DNSSEC configuration only mode so that the DNSSEC configuration is not automatically stored with the domain.

Select the DNSSEC button to display the current DNSSEC configuration.

Store the DNSKEY entry 257 KSK with your domain provider in order to fully sign the DNS zone. The DNSKEY entry of Type 256 ZSK does not need to be stored with your domain provider.