Steps to Enable DNSSEC for a Domain Name

Steps to Enable DNSSEC for a Domain Name

DNSSEC (DNS Security Extensions) is a protocol that adds an additional layer of security measures to Domain Name System (DNS). It allows registrants to secure their domains by digitally signing the zone to facilitate the domain resolvers validate that signature. For more information about DNSSEC, visit the following site (www.dnssec.sa).

This service will allow a registrant to enable DNSSEC for his/her Saudi Domain Names.

The following is a brief explanation for the procedure to Enable DNSSEC:

Accessing the SaudiNIC’s E-portal of SaudiNIC Services

All SaudiNIC services are provided electronically through SaudiNIC’s e-portal site (www.nic.sa or سجل.السعودية). It requires logging into the e-portal using your username and password. If you do not have an account then you can create a new account by submitting a request using the service: creating an account.

  1. Filling up Enable DNSSEC form

The account holder must fill “enable DNSSEC form”. The form can be accessed using the following steps:

  • Click “My Domains” in the sidebar menu. A list of all of your domains will be shown.

  • Click on “enable DNSSEC” icon , which appears alongside the domain name you intend to enable DNSSEC for it.

Start filling the form by clicking on the checkbox, that appear in the top of the form, to enable DNSSEC. Note that, if you leave the checkbox unchecked, the DNSSEC will be disable and all records will be deleted.

After enabling DNSSEC, you should provide DS records information that consist of the following fields (all can be obtained from the DNSSEC signing tools for the zone):

  1. Keytag: a number to quickly identify a DS record.

  2. Key algorithm: a number to identify the public DNSKEY algorithm used for signing the domain.

  3. Digest Type: a number to identify the algorithm used to generate the DS Digest.

  4. Digest: represents the hash (digest) of the DNSKEY record.

You can add up to 6 DS records for each domain name.

The following example illustrates how to obtain the abovementioned values for a DS record:

example.sa. 3600 IN DS 11305 8 2 EE884A8AAA0613AA864DC728D8831637FA559AF8C89F5F1E4A3F47EC 46CEBF13

keytag: 11305

key algorithm: 8

Digest Type : 2

Digest : EE884A8AAA0613AA864DC728D8831637FA559AF8C89F5F1E4A3F47EC 46CEBF13

  1. Review the request

All the information in the request are displayed to the account holder in order to review them and confirm their accuracy and correctness, he/she can modify or even delete the request at this stage if needed .

By clicking on (submit) a link to the request information form will be sent to the Administrative Contact’s email address. He/she will be asked to approve the request.

3- Administrative Contact approval

The Administrative Contact must approve or reject the request. The Account Holder must coordinate with the Administrative Contact regarding this step and ensure that the Administrative Contact has all the needed information to be able to take his/her decision .

After completing all the above steps without errors, then the process will be automatically accepted and handled.

Notes

  • The request is only considered to be received by SaudiNIC after the Administrative Contact approves it, otherwise it will not be considered to be received and will remain pending.

  • All correspondences regarding the request are communicated to the account holder and the Administrative Contact.

  • Registrants, Administrative Contacts, and Account Holders requesting this service implicitly confirm their understanding and acceptance of the terms and conditions detailed in the Domain names Registration Regulations published in SaudiNIC's website.

  • This service can only be started from the users accounts, the account holder must first sign up for an account in SaudiNIC website, that can be done by following the Steps for creating an account. After doing so and successfully activating the account, account holders can start the steps of this service.