How to enable / disable DNSSEC

Enable DNSSEC

You can quickly and easily enable DNSSEC for domains hosted on our name servers (NS), directly in your customer portal:

  1. Log in to your account
  2. Access your domain portfolio: go to the "Domains > Portfolio" menu item
  3. Select the domain(s) for which you want to enable DNSSEC
  4. In the bottom bar, click on DNSSEC and then on "⊕ Enable DNSSEC"
  5. Finished! Please wait 24-48 hours for DNSSEC to be activated.

Domains > Portfolio > Select domain > DNSSEC

Note: If you want to enable DNSSEC for a domain name registered with our services but with external DNS management, please contact our Customer Care Department directly at support@brandshelter.com, or alternatively your account manager if you have one.

Disable DNSSEC

To disable DNSSEC, follow the same steps and procedure.

In the bottom bar, click on DNSSEC and then on "🗑️ Disable DNSSEC". If you get the message "Unable to disable DNSSEC on these domains:", DNSSEC is probably already disabled for your domain(s). You can check DNSSEC activation here: https://dnssec-analyzer.verisignlabs.com/ or here: https://zonemaster.net/en/
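A command-line check of the state the analyzers above report, as an added example that is not BrandShelter's own code: it classifies a domain from the DS record at the parent zone and the DNSKEY records in the zone. The state names, the `dnssec_state` and `check_domain` functions and the sample records are constructed for this illustration.

```shell
#!/bin/sh
# Added example: classify DNSSEC state from `dig +short` answers.
#   DS line:     <key tag> <algorithm> <digest type> <digest>
#   DNSKEY line: <flags> <protocol> <algorithm> <public key>

# Constructed sample answers (placeholder key material, not real keys).
SAMPLE_DS='12345 13 2 0123456789ABCDEF0123456789ABCDEF'
SAMPLE_DNSKEY='256 3 13 Q09OU1RSVUNURUQtWlNL
257 3 13 Q09OU1RSVUNURUQtS1NL'

dnssec_state() {
    ds=$1; dnskey=$2
    if [ -z "$ds" ] && [ -z "$dnskey" ]; then
        echo "unsigned"; return 0                # DNSSEC disabled
    fi
    if [ -z "$ds" ]; then
        echo "signed-ds-pending"; return 0       # zone signed, parent not updated yet
    fi
    if [ -z "$dnskey" ]; then
        echo "broken-ds-without-keys"; return 0  # validating resolvers will fail
    fi
    # Algorithms of the key-signing keys (flags 257) published in the zone.
    ksk_algs=$(printf '%s\n' "$dnskey" | awk '$1 == 257 { print $3 }')
    # At least one DS must use the algorithm of a published KSK. This is a
    # necessary check only; it does not compare key tags or verify signatures.
    for alg in $(printf '%s\n' "$ds" | awk '{ print $2 }'); do
        for ksk in $ksk_algs; do
            if [ "$alg" = "$ksk" ]; then echo "enabled"; return 0; fi
        done
    done
    echo "broken-ds-key-mismatch"
}

check_domain() {
    # Live lookup (needs dig and network). +cdflag asks the resolver not to
    # validate, so a broken zone still returns records instead of SERVFAIL.
    dnssec_state "$(dig +cdflag +short DS "$1")" \
                 "$(dig +cdflag +short DNSKEY "$1")"
}

if [ $# -gt 0 ]; then
    check_domain "$1"
else
    dnssec_state "$SAMPLE_DS" "$SAMPLE_DNSKEY"
fi
```

`signed-ds-pending` is the state to expect during the activation delay; a `broken-*` result means validating resolvers may fail to resolve the domain.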

Important:

  1. DNSSEC activation/deactivation for BrandShelter domains typically takes 24 to 48 hours between zone signing and the modification of the domain.
    For specific TLDs, activation times vary:
    .CH / .LI: Changes are activated after 3 days.
    .SK: Parent updates take 72 hours.
    .CZ: Parent updates take 7 days.
     
  2. We always recommend waiting at least 48 hours after disabling DNSSEC before enabling it again. Some DNS caches may still hold old DNS keys even if their TTL has already expired.
    Standard practice for migrations/transfers involves deactivating DNSSEC and waiting 24 to 48 hours to allow DNS caches to catch up before reactivation.
     
  3. DNSSEC is not supported on all extensions / TLDs: some registries / TLDs are not compatible, and DNSSEC cannot be activated for them. See: ICANN - List of TLDs supporting DNSSEC
     
  4. Certain types of DNS records are not supported in DNSSEC-signed zones. For example, APEX ALIAS records are not supported; in the worst-case scenario, using them will compromise the DNSSEC security of the zone.