DNSSEC (Domain Name System Security Extensions) adds a layer of protection to the domain lookup process, helping ensure the DNS records visitors receive haven't been tampered with or forged. This article explains what DNSSEC does and walks you through adding or removing a DNSSEC record for your domain.
What DNSSEC protects against
DNSSEC works by attaching digital signatures to DNS records, so that anything looking up your domain can verify the records came from your legitimate DNS provider rather than an attacker. This helps guard against threats such as DNS spoofing and cache poisoning, where an attacker tries to redirect visitors to a fraudulent server without their knowledge.
Hover supports adding a DNSSEC record — specifically a DS (Delegation Signer) record — for any domain not using Hover's nameservers, provided the domain's TLD registry also supports DNSSEC.
Note: The values needed to create a DS record are generated by whichever DNS provider is signing your zone (the DNS provider actually serving your records) — Hover does not generate these values itself.
Before you begin
- Confirm your domain is not using Hover's nameservers. DNSSEC records can only be added through Hover if the domain is not using Hover's nameservers. See Changing your domain nameservers.
- Confirm your TLD supports DNSSEC. Not all domain extensions support DNSSEC.
- Get your DS record values from your DNS provider. You'll need the key tag, algorithm type, digest type, and digest value — see the reference table below.
Step 1: Add a DNSSEC (DS) record
- Sign in to your Hover control panel using your chosen method of 2FA.
- From the domain's Overview page, locate the DNSSEC section.
- Click Add DS record and enter the values provided by your DNS or hosting provider.
Field | What it means |
|---|---|
Key tag | A numeric identifier for the DNSSEC key. |
Algorithm type | The cryptographic algorithm used to generate the key (for example, RSA/SHA-256). |
Digest type | The hash algorithm used to generate the digest (for example, SHA-256). |
Digest | The cryptographic hash of the DNSKEY record, provided by your DNS provider. |
Step 2: Remove a DNSSEC (DS) record
- Sign in to your Hover control panel using your chosen method of 2FA.
- From the domain's Overview page, locate the DNSSEC section.
- Select the DS record you want to remove, then click Delete.
Warning: Removing a DS record while DNSSEC signing is still active at your DNS provider can cause validation failures for your domain. Disable DNSSEC signing at your DNS provider first, or coordinate the timing of both changes together.
Next steps
- Not sure where your domain's nameservers point? See Changing your domain nameservers.
- Learn more about DNS fundamentals. See How does DNS work?.
Questions? Contact Hover Support.
How helpful was this article?
Thanks for your feedback!
Do you still need help? If so please submit a request here.