Overview
DNSSEC (Domain Name System Security Extensions) adds an essential layer of authentication to your domain's DNS. By digitally signing your DNS records, it ensures that your visitors are directed to your legitimate website rather than a malicious or spoofed domain.
For generic top-level domains (gTLDs), DNSSEC must be manually configured by adding Delegation Signer (DS) records provided by your DNS host. This creates a secure link between your DNS provider and the domain registrar, preventing DNS hijacking.
Step by Step
Case 1: Using our DNS Management Service
If your domain is pointed to our nameservers (e.g., ns1.ns.ly, ns2.ns.ly):
- Log in to your Client Area account.
- Navigate to Domains > My Domains, and select the .LY domain you wish to manage.
- From the left-hand sidebar, select DNS Manager.
- Click the Enable DNSSEC button at the top.
- Once the status changes to DNSSEC Enabled, click the Manage button next to it.
- Copy the provided DS Record values (Key Tag, Algorithm, Digest Type, and Digest).
- Return to the domain management page (step 2), and from the left-hand sidebar, select DNSSEC Settings.
- Click the green Add A New DNSSEC Record button.
- Enter the following values generated by your DNS Provider:
  - Keytag
  - Algorithm
  - Digest Type
  - Digest
- Click Add Record.
Case 2: Using External Nameservers
If you are using another DNS provider for your domain (e.g., cPanel, Cloudflare), the DS record is not passed to the registrar automatically: you must copy it from your provider and enter it in the Client Area yourself.
- Log in to your DNS Service Provider’s dashboard (the place where you manage your DNS records).
- Locate their DNSSEC section and click Enable or Generate.
- Copy the provided DS Record values (Key Tag, Algorithm, Digest Type, and Digest).
- Now, log in to your Client Area account with us.
- Navigate to Domains > My Domains and select the domain you wish to manage.
- From the left-hand sidebar, click on DNSSEC Settings.
- To add a new record, click the green Add A New DNSSEC Record button.
- Enter the following values generated by your DNS Provider:
  - Keytag
  - Algorithm
  - Digest Type
  - Digest
- Click Save.
Verification (Optional)
After configuring or removing records, allow up to 2 hours for propagation. You can verify your domain's status using an external tool like DNSSEC Analyzer to ensure the “Chain of Trust” is correctly established or removed.
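A mistyped or truncated DS value breaks validation just as a missing signature does, so it is worth checking that the four values you entered (Key Tag, Algorithm, Digest Type, Digest) really derive from the DNSKEY your DNS host publishes. The Python below is an added example, not a tool from this provider: it recomputes the DS values from a DNSKEY following RFC 4034 and compares them with what was entered. The function names and the sample key are constructed for illustration, and `example.ly` is a placeholder domain.

```python
import base64
import hashlib
import struct

# DS "Digest Type" numbers (IANA): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Owner name in canonical wire form: lowercase labels, length-prefixed, root byte last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key Tag checksum from RFC 4034 Appendix B (not valid for legacy algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def compute_ds(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Return (Key Tag, Algorithm, Digest Type, Digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(owner, dnskey, ds):
    """True only if the four DS values entered at the registrar derive from this DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False
    entered = (int(tag), int(alg), int(dtype), "".join(str(digest).split()).upper())
    return compute_ds(owner, *dnskey, digest_type=dtype) == entered

# Constructed sample key (not a real zone's key): KSK flags 257, protocol 3,
# algorithm 13 (ECDSA P-256), 64 placeholder key bytes.
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    ds = compute_ds("example.ly", *SAMPLE_DNSKEY)
    print("Expected DS:", *ds)
    pasted = (ds[0], ds[1], ds[2], ds[3][:-1])  # digest truncated while copying
    print("correct entry matches:", ds_matches("example.ly", SAMPLE_DNSKEY, ds))
    print("truncated entry matches:", ds_matches("example.ly", SAMPLE_DNSKEY, pasted))
```

To check a real domain, replace `SAMPLE_DNSKEY` with the flags, protocol, algorithm and Base64 key from the zone's DNSKEY record with flags 257 (for example from the output of `dig DNSKEY` for your domain), and pass the DS values exactly as you entered them in DNSSEC Settings.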
Disabling DNSSEC
⚠️ Important: Order of Operations
To prevent your website from going offline (SERVFAIL error), you must follow this specific sequence:
- Delete the DS Record in the Client Area: Click the delete button in your dashboard. This immediately updates our database, but the global Registry may take 1–2 hours to reflect the change.
- Wait 1 Hour: Allow time for the Registry to stop telling resolvers to look for a digital signature.
- Disable DNSSEC at your DNS Provider: Only turn off the signing at your DNS host (e.g., Cloudflare) after the waiting period is over.