I have signed my zone using your plugin, now what?

As you know, DNSSEC Manager (Plesk) works by following a chain of trust in which "child keys" are validated by "parent keys". Every key in a zone is validated by the zone above it. So, for DNSSEC Manager (Plesk) validation to work properly, the domain's key must be validated at the TLD level. This is done by storing the domain's DS (Delegation Signer) record, which is a hash of its KSK, in the TLD.
 
- The DS record contains a cryptographic hash of the child’s KSK.
- A zone’s DS records only appear in its parent zone along with NS records at a delegation point.
 
This “DS record” at the parent name server is what binds your signed domain into the larger “chain of trust.”
 
How to add the DS record at the registrar?
 
To get the DS record:
 
* Go to the Home page of DNSSEC Manager (Plesk).
* Once you have signed the domain, click the "Clipboard button" in the Actions column; the DS record for the domain will be displayed.
 
The domain's DSSET file has two lines: one is the KSK and the other the ZSK. You need to add the KSK key at the registrar first, and then the ZSK.
 
* Key Tag
* Algorithm
* Digest Type
* Digest
 
For example in the DS record shown below:
  
 
 
Signed Domain
 
Click on the clipboard icon to show the DS record of the corresponding domain.

DS record of a domain
 

Most registrars accept the DS record in a format like the one above. If your registrar asks for different parameters, open a ticket with support, attaching a snapshot of your registrar's DNSSEC interface (where you are updating the records) and the error details returned, if any. Our developers will be able to customize the plugin according to the requirement.
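
Before submitting the four DS fields (Key Tag, Algorithm, Digest Type, Digest) to the registrar, you can recompute them from the zone's DNSKEY record and confirm they match. The Python below is an added example, not code from DNSSEC Manager (Plesk); the sample key is constructed placeholder data, and it assumes single-line records in presentation format that start with the owner name.

```python
import base64
import hashlib

# DS Digest Type number -> hash function (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key Tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return (key tag, algorithm, digest type, digest) for one DNSKEY."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    # The digest covers the owner name followed by the DNSKEY RDATA.
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(ds_line, dnskey_line):
    """True if the DS line is the correct digest of the DNSKEY line."""
    d, k = ds_line.split(), dnskey_line.split()
    di, ki = d.index("DS"), k.index("DNSKEY")
    tag, alg, dtype = (int(x) for x in d[di + 1:di + 4])
    if dtype not in DIGESTS:          # unknown digest type: cannot verify
        return False
    flags, proto, kalg = (int(x) for x in k[ki + 1:ki + 4])
    digest = "".join(d[di + 4:]).upper()
    expected = make_ds(k[0], flags, proto, kalg, "".join(k[ki + 4:]), dtype)
    return (tag, alg, dtype, digest) == expected

# Constructed sample (placeholder bytes, not a real key): flags 257, algorithm 13.
SAMPLE_PUB = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = f"example.com. 3600 IN DNSKEY 257 3 13 {SAMPLE_PUB}"

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds("example.com.", 257, 3, 13, SAMPLE_PUB, 2)
    ds = f"example.com. 3600 IN DS {tag} {alg} {dtype} {digest}"
    print(ds)
    print("matches DNSKEY:", ds_matches(ds, SAMPLE_DNSKEY))
```

To check a real zone, pass the DS line copied from the plugin and the DNSKEY line from the signed zone to `ds_matches`.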
 