How to Set Up and Troubleshoot DNSSEC for Your Domain?
DNSSEC helps protect your domain's DNS records from being tampered with during DNS resolution. It adds a layer of verification so that DNS resolvers can confirm the DNS response really comes from the correct source.
At NiceNIC, DNSSEC usually involves two sides:
Your DNS provider or nameserver provider generates the DNSSEC records.
NiceNIC, as your domain registrar, helps submit the DS records to the registry when the TLD supports DNSSEC.
If DNSSEC is not configured correctly, your domain may show DNSSEC errors, or in more serious cases, some users may not be able to access your website.
What Is DNSSEC?
DNSSEC stands for Domain Name System Security Extensions. In simple terms, DNSSEC helps verify that the DNS answer for your domain has not been changed or forged during the lookup process. For example, when someone visits your website, DNS is used to find the correct server IP address. DNSSEC helps make sure that the DNS result is authentic and has not been replaced with false data. DNSSEC does not replace SSL, website security, hosting security, or email security. It only helps protect the DNS resolution process.
When Do You Need DNSSEC?
You may want to enable DNSSEC if:
Your website handles sensitive user information.
You run business email, login systems, payment pages, or customer portals.
You want stronger domain security.
Your DNS provider supports DNSSEC.
Your domain extension supports DNSSEC.
If you are not familiar with DNS management, we recommend confirming with your DNS provider before enabling DNSSEC. Incorrect DNSSEC settings may affect domain resolution.
Important DNSSEC Terms
DNSKEY: A DNSKEY record is generated by your DNS provider. It is used as part of the DNSSEC validation process.
DS Record: A DS record connects your domain's DNSSEC setup with the parent registry zone. In most cases, your DNS provider gives you the DS record, and you need to add it through your registrar.
Nameserver: Your nameservers decide where your domain's DNS records are managed. If you change nameservers, your DNSSEC records may also need to be updated.
How to Enable DNSSEC for Your Domain
Step 1: Check Whether Your DNS Provider Supports DNSSEC
Log in to the platform where your DNS is managed. This may be:
Your domain registrar (here, NiceNIC)
Your hosting provider
Your DNS provider
Your own DNS server
Another third-party DNS service
Make sure DNSSEC is supported and enabled there.
Step 2: Get the DS Record from Your DNS Provider
After enabling DNSSEC, your DNS provider should provide DNSSEC information such as:
Key Tag
Algorithm
Digest Type
Digest
DS Record
Please copy the information exactly as provided. Even one incorrect character may cause DNSSEC validation failure.
Step 3: Add the DS Record in Your NiceNIC Account
Log in to your NiceNIC account and go to your domain management page. Then add the DS record provided by your DNS provider. If you are not sure where to add it, please contact our support team and provide the DS record from your DNS provider.
Step 4: Wait for DNSSEC Propagation
After the DS record is added, it may take some time for the update to propagate. During this period, DNSSEC check results may not update immediately.
Step 5: Verify DNSSEC Status
After propagation, you may check your domain's DNSSEC status using a DNSSEC checking tool or by contacting our support team. If DNSSEC is correctly configured, the DNSSEC validation result should show a valid chain of trust.
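The DS/DNSKEY match that Steps 2 to 5 rely on can be checked offline before the record is submitted. The following is an added example, not code from NiceNIC or any DNS provider: it derives the DS fields from a DNSKEY as defined in RFC 4034 and reports which fields of a given DS differ. The function names are illustrative and the sample key is a constructed placeholder.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B; not for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def owner_wire(name):
    """Owner name in canonical wire form: lower-cased, length-prefixed labels."""
    labels = [p for p in name.lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def ds_from_dnskey(domain, dnskey_text, digest_type=2):
    """Derive (key tag, algorithm, digest type, digest) from 'flags proto alg key'."""
    flags, proto, alg, *key = dnskey_text.split()
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg))
    rdata += base64.b64decode("".join(key))
    digest = DIGESTS[digest_type](owner_wire(domain) + rdata).hexdigest().upper()
    return key_tag(rdata), int(alg), digest_type, digest

def check_ds(domain, dnskey_text, ds_text):
    """Return a list of fields where the DS does not match the DNSKEY."""
    tag, alg, dtype, *digest = ds_text.split()
    if int(dtype) not in DIGESTS:
        return [f"digest type: {dtype} is not supported by this check"]
    want = ds_from_dnskey(domain, dnskey_text, int(dtype))
    got = (int(tag), int(alg), int(dtype), "".join(digest).upper())
    names = ("key tag", "algorithm", "digest type", "digest")
    return [f"{n}: DS has {g}, DNSKEY gives {w}"
            for n, g, w in zip(names, got, want) if g != w]

# Constructed sample: a placeholder 32-byte key (algorithm 15), not a real zone's key.
SAMPLE_DNSKEY = "257 3 15 " + base64.b64encode(bytes(range(32))).decode()
SAMPLE_DS = "{} {} {} {}".format(*ds_from_dnskey("example.com", SAMPLE_DNSKEY))

if __name__ == "__main__":
    print("DS derived from DNSKEY:", SAMPLE_DS)
    print("correct DS   :", check_ds("example.com", SAMPLE_DNSKEY, SAMPLE_DS) or "match")
    typo = SAMPLE_DS[:-1] + ("0" if SAMPLE_DS[-1] != "0" else "1")
    print("one-char typo:", [p[:6] for p in check_ds("example.com", SAMPLE_DNSKEY, typo)])
```

Pass it the `257 ...` DNSKEY line published by your current nameservers (for example from `dig +short DNSKEY` for your domain) together with the DS values from Step 2. An empty result means the DS matches that key.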
When Should You Disable or Remove DNSSEC?
You may need to remove or update DNSSEC records if:
You changed your nameservers.
You moved DNS management to another provider.
Your DNS provider disabled DNSSEC.
Your DS record no longer matches the current DNSKEY.
Your website or email has DNS resolution issues after a DNS change.
Important: If your domain has old DS records but the current nameservers no longer provide matching DNSSEC records, DNSSEC validation may fail. In this case, you may need to remove the old DS records first, wait for propagation, and then re-enable DNSSEC with the correct new records.
Why Does My Domain Show "DNSSEC Information Is Currently Unavailable"?
You may see this message: DNSSEC information is currently unavailable for this domain.
This can happen for several reasons:
DNSSEC has not been enabled for this domain.
No DS record has been added at the registrar level.
The domain's current nameservers do not support DNSSEC.
The domain recently changed nameservers.
The DS record does not match the current DNSKEY.
The DNS provider has not published the required DNSSEC records correctly.
The registry or DNSSEC query is temporarily unavailable.
This message does not always mean your domain is broken. However, if your website or email is not resolving correctly, please contact support so we can help review the DNSSEC configuration.
What Information Should I Provide to Support?
To help us check DNSSEC issues faster, please provide:
Your domain name
Your current nameservers
Whether you recently changed nameservers
The DS record provided by your DNS provider
A screenshot of the DNSSEC setting from your DNS provider
Any DNSSEC error message you received
Whether your website or email is currently affected
With this information, our support team can check whether the issue is caused by missing DS records, mismatched DNSSEC records, nameserver changes, or registry-side limitations.
Frequently Asked Questions About DNSSEC
1. Is DNSSEC required for every domain? No. DNSSEC is not required for every domain. However, it is recommended for domains that need stronger DNS security, especially business websites, email services, login systems, financial services, and customer portals. If you are not sure whether you need DNSSEC, please confirm whether your DNS provider supports it and whether you are comfortable managing DNSSEC records.
2. Is DNSSEC the same as SSL? No. SSL protects the connection between the user's browser and your website. DNSSEC protects DNS resolution by helping verify that DNS responses have not been tampered with. For better security, many websites use both SSL and DNSSEC, but they are different technologies.
3. Can NiceNIC generate DNSSEC records for me? In most cases, DNSSEC records are generated by your DNS provider, not by the registrar. NiceNIC can help submit the DS record to the registry when the domain extension supports DNSSEC. If you use a third-party DNS provider, please enable DNSSEC there first and then provide us with the DS record.
4. Why does DNSSEC fail after I change nameservers? This is one of the most common DNSSEC issues. When you change nameservers, your old DNSSEC records may no longer match the new DNS provider's DNSKEY. If the old DS record remains active at the registry level, DNSSEC validation may fail. Before or after changing nameservers, you should check whether the DS record needs to be removed or replaced.
5. What happens if the DS record is wrong? If the DS record does not match the DNSKEY published by your current DNS provider, DNSSEC validation may fail. This may cause some DNS resolvers to reject the DNS response. As a result, your website, email, or other services may become unreachable for some users.
6. I do not use DNSSEC. Do I need to do anything? If you do not use DNSSEC and your domain has no DS records, usually no action is needed. However, if your domain has old DS records from a previous DNS provider, you should remove them to avoid DNSSEC validation problems.
7. Why does my DNSSEC status still show an error after I updated the record? DNSSEC updates may take time to propagate. If you recently added, removed, or changed DS records, please wait for DNS propagation and check again later. If the issue continues, please contact support and provide your domain name, current nameservers, and DS record.
8. Can DNSSEC cause my website to stop working? Yes, if DNSSEC is incorrectly configured. Common causes include:
Wrong DS record
Old DS record after nameserver change
Missing DNSKEY
DNS provider not publishing DNSSEC records correctly
Expired or invalid DNSSEC signatures
If your website stops working after DNSSEC changes, please contact support immediately.
9. Should I remove DNSSEC before changing nameservers? In many cases, yes. If you are moving to a new DNS provider and you are not sure how to migrate DNSSEC safely, removing the old DS record before changing nameservers can reduce the risk of DNSSEC validation failure. After the new nameservers are active and DNSSEC is enabled at the new DNS provider, you can add the new DS record again.
10. What should I do if I see "Failure to get DNSSEC info"? This usually means the system could not retrieve valid DNSSEC information for the domain. Please check:
Whether DNSSEC is enabled
Whether the DS record has been added
Whether the nameservers support DNSSEC
Whether the DS record matches the DNSKEY
Whether you recently changed nameservers
If you are not sure, please contact NiceNIC support and provide your domain name and DNSSEC details from your DNS provider.
How to set up DNSSEC for a domain registered on NiceNIC?
1. Log in to your NiceNIC account and navigate to your domain management page. Find the domain you wish to enable DNSSEC for and click Manage.
2. In the domain management section, you should see the DNSSEC button. Click on the DNSSEC button to access the DNSSEC settings page.
3. Enter the required information for DNSSEC configuration (this will typically include DNSSEC key details provided by your DNS hosting provider).
4. Once you've entered the information, click Add to enable DNSSEC for the domain. Here's an example of a successful DNSSEC setup:
After entering the necessary DNSSEC key data (usually the DS record), you'll receive confirmation that DNSSEC has been successfully added to your domain settings. The DNSSEC status will show as enabled and you'll be able to see the public keys and other details. With DNSSEC now enabled, your domain is better protected against DNS-related attacks.
Attention: If your domain name was transferred to NiceNIC from another registrar and you want to disable the DNSSEC that was set up with the old registrar, first check the latest WHOIS record. If it shows "DNSSEC: unsigned", the DNSSEC settings were disabled automatically by the old registrar during the transfer. If it shows "DNSSEC: signed", go to the domain management section of your control panel at NiceNIC, where you should see the DNSSEC button, and click it to access the DNSSEC settings page.