This is how I set up DNSSEC on a Namecheap domain hosted on UpCloud, using Cloudflare to set up DNS security extensions.
If you have not read my previous posts, I have now moved my blog to the awesome UpCloud host (sign up using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
About DNSSEC
Wikipedia has a great write-up on DNSSEC. Also read the ICANN page on DNSSEC.
Snip “DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.”
https://daniellbenway.net has a great video explaining DNSSEC
Handy DNSSEC Links
- NameCheap – What is DNSSEC.
- NameCheap – How can I check if DNSSEC is working?
- Namecheap – Managing DNSSEC
- dnsviz.net – View my DNSSEC Status
- Cloudflare – How does DNS Sec Work?
- IETF RFC 3685 – Delegation Signer (DS) Resource Record (RR)
- DNSSEC – Domain Name System – Security Extensions
Let’s view my DNSSEC status now
https://dnssec-analyzer.verisignlabs.com/ can help you check your site's DNSSEC status.
Prerequisites
This guide assumes you have already purchased a domain and set it up with, say, UpCloud hosting (read my setup guide here).
Buy a domain name from Namecheap here.
Read my old guide here that I created while setting up Cloudflare on the Vultr host to see how to set up Cloudflare.
Setting up DNSSEC
First I logged into My Namecheap account, selected my domain, selected Advanced DNS and enabled DNSSEC.
I can see a number of values for DNSSEC KeyType/Algorithm/Digest Type and Digest. Below are the options in the dropdowns for Algorithm and Digest Type.
DNSSEC Algorithms
DNSSEC Digest Types
I contacted NameCheap support and they said I needed to contact my UpCloud hosts to get relevant DNSSEC values.
My domain was purchased at NameCheap but my domain is routed by Cloudflare DNS.
By chance, I logged into my Cloudflare account and noticed they have a DNSSEC section under DNS. Nice.
I enabled DNSSEC
Cloudflare offers all the relevant DNSSEC values.
I entered these values into Namecheap under Advanced DNS on my domain.
After 5 mins I re-ran the DNSSEC Analyzer tool.
Hmmm, Cloudflare seems to think something is wrong 🙁
I ran a DNS DS Lookup on my site. Everything appears ok.
I re-added the record in Namecheap and waited for 15 mins and this time Cloudflare was happy. Maybe I just needed to wait for DNS replication a little longer?
I tested my DNS servers with DNS Root Canary
I tested my site’s DNSSEC with https://zonemaster.iis.se/
Done
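The Key Tag, Algorithm, Digest Type and Digest entered at the registrar form a DS record derived from the zone's DNSKEY, and validation fails if any of them differs from the key the DNS provider publishes. The following is an added example (not from the original post) that derives the DS values from a DNSKEY as specified in RFC 4034 and compares them with what was typed in; the key is a constructed sample and the function names are illustrative.

```python
import base64
import hashlib
import struct

# DS digest type numbers -> hash constructors (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Derive (key tag, algorithm, digest type, digest) from a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(entered, owner, flags, protocol, algorithm, pubkey_b64):
    """True if the DS values typed into the registrar match the published DNSKEY."""
    tag, alg, dtype, digest = entered
    if dtype not in DIGESTS:
        return False
    digest = "".join(digest.split()).upper()  # tolerate pasted spaces and lowercase hex
    return (tag, alg, dtype, digest) == make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype)

# Constructed sample key (not a real zone): KSK flags 257, algorithm 13, 64-byte key.
SAMPLE_KEY = ("example.com.", 257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    good = make_ds(*SAMPLE_KEY)
    print("DS to enter at the registrar:", good)
    typo = good[:3] + (good[3][:-1] + ("0" if good[3][-1] != "0" else "1"),)
    print("correct values match:", ds_matches(good, *SAMPLE_KEY))
    print("one mistyped digest character matches:", ds_matches(typo, *SAMPLE_KEY))
```

For a real zone, the four DNSKEY fields come from `dig +short DNSKEY <domain>` (the record whose flags value is 257).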
Skipping Cloudflare
I found that I can simply skip Cloudflare by enabling Premium DNS at Namecheap
Then enabling DNSSEC
Easy (totally independent of Cloudflare)
I hope this guide helps someone.
Please consider using my referral code and get $25 UpCloud VM credit for free.
https://www.upcloud.com/register/?promo=D84793
Revision History
V1.3 Namecheap DNSSEC
V1.2 ICANN DNSSEC link
V1.1 https://daniellbenway.net explainer video.
v1.0 Initial Post