# DNSSEC

By enabling DNSSEC for your domain, you help prevent attackers from redirecting users to malicious IP addresses by spoofing DNS responses.

In Hostware, DNSSEC is handled on two sides:

* Zone side (DNS host) where the zone is signed and DNS records are generated
* Domain side (registrar) where the DNSSEC linkage is published to the registrar

For DNSSEC to be fully active, both sides must be correctly configured.

After enabling DNSSEC, Hostware shows DNSSEC status and records (DS and/or DNSKEY, depending on provider flow) in the domain DNSSEC detail page.

You can also disable DNSSEC from Hostware. Depending on provider behavior, status changes may take some time to appear.

We currently have integrated DNSSEC at these domain modules:

* [OpusDNS](https://docs.hostware.io/modules/domains/opus-dns)
* [AutoDNS](https://docs.hostware.io/modules/domains/internetx-autodns)
* [CPS-Datensysteme](https://docs.hostware.io/modules/domains/cps-datensysteme)

### Opus DNS

Supports DNSSEC for both:

* Internal OpusDNS zones
* External DNS hosts like for example PowerDNS, Cloudflare

In the case of internal OpusDNS zones Hostware enables/disables DNSSEC on both zone and domain side.

<figure><img src="https://1141670261-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHupRK3qVDTomY8g3pcFA%2Fuploads%2Fq5zBXjD5j1Y3s873iiDK%2Fimage.png?alt=media&#x26;token=71901ec9-f8be-44c6-b2a9-ab01fd0b1694" alt=""><figcaption></figcaption></figure>

As for the case of external DNS hosts, Hostware enables DNSSEC on the external zone, then retrieves the DS records from the zone side and publishes them at OpusDNS registrar side automatically. So no manual DS entry is required.

### AutoDNS

DNSSEC is supported only when the domain uses an external DNS host. If the AutoDNS domain has not an external DNS host assignment, DNSSEC page is hidden.

<figure><img src="https://1141670261-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHupRK3qVDTomY8g3pcFA%2Fuploads%2Fq5W0eDtRQSE5Qu923aKW%2Fimage.png?alt=media&#x26;token=24028210-2728-4f2b-866d-19d42c65d4e3" alt=""><figcaption></figcaption></figure>

Hostware enables DNSSEC on external zone provider, then retrieves the DNSKEY data from there and submits DNSKEY to AutoDNS domain side.\
Keep in mind that AutoDNS domains updates are asynchronous, so domain-side status can be pending for a time during which the DNSSEC action buttons are disabled. After the process is done at AutoDNS, you can reload the page to get the final status.

### CPS-Datensysteme

Also for this provider DNSSEC is supported only when the domain uses an external DNS host, and if the domain doesn't have external DNS host the page isn't shown at all.\
So Hostware enables DNSSEC on external zone provider, gets the zone DNSKEY data and submits the key to the CPS domain side