At transworldafrica.com, we sign all domains hosted with us with DNSSEC. If you want a domain to have a DS Record, then this is the place to be. See below dig command of one of our signed domains.
dig diggui.com <<>> @220.127.116.11 transworldafrica.co.ke DS
Domain Name System Security Extensions (DNSSEC) strengthens authentication in DNS using digital signatures based on public-key cryptography. With DNSSEC, it's not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data.
Every DNS zone has a public/private key pair. The zone owner uses the zone's private key to sign DNS data in the zone and generate digital signatures over that data. As the name "private key" implies, this key material is kept secret by the zone owner. The zone's public key, however, is published in the zone itself for anyone to retrieve. Any recursive resolver that looks up data in the zone also retrieves the zone's public key, which it uses to validate the authenticity of the DNS data. The resolver confirms that the digital signature over the DNS data it retrieved is valid. If so, the DNS data is legitimate and is returned to the user. If the signature does not validate, the resolver assumes an attack, discards the data, and returns an error to the user.
DNSSEC adds two important features to the DNS protocol:
- Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated.
- Data integrity protection allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the zone owner with the zone's private key.
DNSSEC Protect DNS Data against
- cache spoofing
- man in the middle (MITM) attacks
- take-over of an authoritative server
- rogue secondaries
Other important points of DNSSEC
- DNSSEC Protect DNS server against denial of service attacks.
- DNSSEC signs data to guarantee authenticity and integrity. It assures a client that an RRSet is from the proper authoritative server and has not changed.
- DNNSEC does not encrypt data to provide privacy. Anyone can find out the RRSets you request