DNSSEC (Domain Name System Security Extensions) adds a layer of security to your DNS by digitally signing your records, so that validating resolvers can detect forged or altered answers. It protects against DNS spoofing attacks, where attackers redirect your visitors to a fake website.
Before enabling DNSSEC
- Your domain registrar must support DNSSEC. Check with your registrar if you are unsure.
- DNSSEC must be supported by your DNS server. TPC Hosting supports DNSSEC on compatible plans.
Enable DNSSEC in the DNS Manager
- Open the DNS Manager and click on the zone you want to secure.
- Click DNSSEC or look for the DNSSEC toggle in the zone settings.
- Enable DNSSEC. The system will generate signing keys for your zone.
- After enabling, click on DNSSEC Details to view your zone keys and DS records.
Add the DS record at your registrar
For DNSSEC to work, you must add the DS (Delegation Signer) record at your domain registrar. The registrar publishes it in the parent zone, which links the parent zone to the signing key of your zone and completes the chain of trust.
- In the DNS Manager DNSSEC section, copy the DS record values (Key Tag, Algorithm, Digest Type, and Digest).
- Log in to your domain registrar.
- Find the DNSSEC settings for your domain (often under Advanced DNS or Security).
- Add the DS record using the values from the DNS Manager.
- Save at your registrar.
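A DS record can be recomputed from the zone's DNSKEY and compared with the values typed into the registrar form before saving. The following is an added example, not TPC Hosting's code: it implements the RFC 4034 key tag and DS digest calculation, and the zone name and public key are constructed sample values.

```python
import base64
import hashlib
import struct

# Digest Type numbers from the IANA DS registry: 2 = SHA-256, 4 = SHA-384.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample values (not a real key): 64 bytes standing in for an
# algorithm 13 (ECDSA P-256) public key, as shown in a DNSSEC details view.
SAMPLE_ZONE = "example.com"
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()


def name_to_wire(name):
    """Canonical owner name: lowercase labels, each prefixed by its length."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key Tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def make_ds(zone, flags, protocol, algorithm, key_b64, digest_type=2):
    """Return (Key Tag, Algorithm, Digest Type, Digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGESTS[digest_type](name_to_wire(zone) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(expected, entered):
    """True if the values typed at the registrar equal the computed DS."""
    tag, alg, dtype, digest = entered
    cleaned = "".join(str(digest).split()).upper()  # ignore spaces and case
    return expected == (int(tag), int(alg), int(dtype), cleaned)


if __name__ == "__main__":
    ds = make_ds(SAMPLE_ZONE, 257, 3, 13, SAMPLE_KEY_B64)  # 257 = KSK flags
    print("DS to enter at registrar:", *ds)
    typo = (ds[0], ds[1], 1, ds[3])  # wrong Digest Type selected in the form
    print("correct entry matches:", ds_matches(ds, ds))
    print("wrong digest type matches:", ds_matches(ds, typo))
```

A mismatch in any of the four fields means validating resolvers cannot link the DS in the parent zone to the key in your zone.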
Verify DNSSEC is active
Use https://dnssec-debugger.verisignlabs.com to check that DNSSEC is correctly configured for your domain. All checks should show green.
Disable DNSSEC
If you need to disable DNSSEC (e.g. before transferring your domain), first remove the DS record from your registrar, wait for the TTL to expire (up to 48 hours), and then disable DNSSEC in the DNS Manager. Disabling DNSSEC without removing the DS record first will break DNS resolution for your domain: the parent zone will still advertise the zone as signed, so validating resolvers will reject its unsigned answers.