Securing DNS (DNSSEC) - American Registry for Internet Numbers

<!DOCTYPE html> <html lang="en-us"> <head> <title>Securing DNS (DNSSEC) - American Registry for Internet Numbers</title> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta name="viewport" content="width=device-width,minimum-scale=1" /> <meta name="description" content="Understanding DNS Domain Name System (DNS) is the hierarchical naming system for all resources connected to the Internet or a private network, including …" /> <meta name="keywords" content="" /> <meta name="revised" content="1739305067" /> <meta name="priority" content="1" /> <meta property="og:url" content="https://www.arin.net/resources/manage/dnssec/" /> <meta property="og:type" content="website" /> <meta property="og:title" content="Securing DNS (DNSSEC)" /> <meta property="og:description" content="Understanding DNS Domain Name System (DNS) is the hierarchical naming system for all resources connected to the Internet or a private network, including …" /> <meta property="og:image" content="https://www.arin.net//img/logo-social.png" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:site" content="@teamarin" /> <link rel="canonical" href="https://www.arin.net/resources/manage/dnssec/" /> <link rel="shortcut icon" href="/img/favicon.ico" /> <link rel="alternate" type="application/rss+xml" href="https://www.arin.net/resources/manage/dnssec/rss.xml" title="American Registry for Internet Numbers" /> <link href="/css/styles.min.38244348277bfc3dce1f0af0ad71ef31c7260b29dabd9076f52fecd499275019.css" rel="stylesheet" type="text/css" /> <link href="/css/font-awesome.min.css" rel="stylesheet" type="text/css" /> <script src="/js/head-scripts.min.js"></script> <script src="/js/externals.js"></script> </head> <body class="d-flex flex-column"> <div class="flex-shrink-0"> <div class="container" id="main-con" role="main"> <h1>Securing DNS (DNSSEC)</h1> <div class="row"> <div class="toc-con toc-sticky"> <h2 id="toc-header" class="sidebar">On this page</h2> <div class="collapse show" id="toc-collapse"> <nav id="TableOfContents"> <ul> <li><a href="#understanding-dns">Understanding DNS</a> <ul> <li><a href="#dns-zones">DNS Zones</a></li> <li><a href="#dns-resource-records">DNS Resource Records</a></li> <li><a href="#choosing-how-to-deploy-dnssec">Choosing How to Deploy DNSSEC</a></li> </ul> </li> <li><a href="#managing-reverse-dns-and-dnssec-for-resources-issued-by-arin">Managing Reverse DNS and DNSSEC for Resources Issued by ARIN</a> <ul> <li><a href="#managing-reverse-dns-using-arin-online">Managing Reverse DNS Using ARIN Online</a> <ul> <li><a href="#adding-or-modifying-nameservers">Adding or Modifying Nameservers</a></li> </ul> </li> <li><a href="#adding-or-deleting-ds-records-using-arin-online">Adding or Deleting DS Records Using ARIN Online</a></li> </ul> </li> </ul> </nav></div> </div> <div id="main-text" class="three-col-text"> <h2 
id="understanding-dns">Understanding DNS</h2> <p><em>Domain Name System (DNS)</em> is the hierarchical naming system for all resources connected to the Internet or a private network, including websites, mail servers and application servers. Domain names are human-friendly identifiers (names) that are paired with the computer-friendly IP addresses (numbers). Domain names allow users to find a specific domain or object on the Internet, and direct their Internet-capable devices to it. For instance, the domain name <code>www.example.com</code> translates to the addresses <code>192.0.32.10</code> (IPv4) and <code>2606:2800:220:1:248:1893:25c8:1946</code> (IPv6). Both identify the same website, but <code>www.example.com</code> is easier for a person to remember and use.</p> <p>Domain names are categorized hierarchically within DNS servers, or nameservers. When you access a web site or send an email, your device uses a nameserver to look up that particular domain name. This process is formally referred to as DNS name resolution. Nameservers exist for each domain, preventing the need for a single location or server to be in charge of any and all DNS information and any changes made to it.</p> <div class="card well"> <div class="card-body"> <em>Reverse DNS</em>, or <em>reverse resolution</em>, is a system that provides the name of a domain or object when a user or device initially provides an IP address. Visit the <a href="/resources/manage/reverse/">Reverse DNS</a> page for more information. </div> </div> <p>While DNS is invaluable to the Internet community, it is not without vulnerability. 
Internet criminals are capable of creating false DNS records, which may trick users into visiting websites or downloading malicious software.</p> <div class="card well"> <div class="card-body"> In 2011, the FBI’s <a href="https://archives.fbi.gov/archives/newyork/press-releases/2011/manhattan-u.s.-attorney-charges-seven-individuals-for-engineering-sophisticated-internet-fraud-scheme-that-infected-millions-of-computers-worldwide-and-manipulated-internet-advertising-business">Operation Ghost Click</a> took down a group of Estonian and Russian hackers who used a DNS Changer botnet that hijacked over 4 million computers worldwide and made the group $14 million from fraudulent advertising revenue. </div> </div> <p>DNSSEC protects the Internet from these kinds of attacks using public-key cryptography. It allows users to validate that the DNS records they receive came from the correct source. <em>Domain Name System Security (DNSSEC)</em> provides verification of the name and IP address data so Internet traffic reaches the proper destination.</p> <h3 id="dns-zones">DNS Zones</h3> <p>The DNS structure is hierarchically divided into segments called zones. Each DNS zone is responsible for a variety of tasks, such as defining that zone’s naming hierarchy and registration procedures, and operating DNS servers to store that naming hierarchy. DNS zones may be separated by locality, organization, department, or by specific individuals registered to use a domain or sub-domain.</p> <p>The original “base” zone is referred to as the “parent” zone, e.g. example.com; the separated subdomain is referred to as the “child” zone, e.g. sub.example.com. With each subdivision of a DNS zone, the “child” zones must contain records that provide referral information to other DNS servers, so that users querying the DNS can find the domain(s) within that zone. These records are called Nameserver (NS) records. 
In order for delegations to function properly, every parent zone must contain NS records for each of its child zones.</p> <h3 id="dns-resource-records">DNS Resource Records</h3> <p>There are many types of records within the DNS that specify information about a given resource. These records might contain the resource’s IP address, nameserver information, geographic location, etc. The Internet Assigned Numbers Authority (IANA) provides <a href="https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4">a list of DNS record types</a>.</p> <p>DNSSEC is enabled with the addition of the following DNS record types:</p> <ul> <li><strong>RRSIG (Resource Record Signature)</strong>: This record is provided by a DNS server whenever the DNS receives a query from a DNS resolver (the program responsible for initiating and sequencing DNS queries) for information about a particular resource.</li> <li><strong>DNSKEY (DNS Key)</strong>: This record contains the cryptographic keys used to sign zone file records (records describing the contents and structure of a DNS zone). DNSSEC involves using DNSKEY records to cryptographically verify RRSIG records and ensure that outgoing Internet traffic is always sent to the correct place.</li> <li><strong>DS (Delegation Signer)</strong>: This record indicates that a certain child zone is digitally signed and that the key used to sign that zone’s Resource Record set is recognized as valid. These records are crucial to the chain of trust model DNSSEC is designed for. 
Each parent domain’s DS record is used to verify the DNSKEY record in its subdomain, from the top of the DNS hierarchy down.</li> <li><strong>NSEC (Next Secure)</strong>: This record’s sole purpose is to prove that no records exist between two other records, preventing malicious parties from inserting false records into a DNSSEC-protected zone.</li> </ul> <h3 id="choosing-how-to-deploy-dnssec">Choosing How to Deploy DNSSEC</h3> <p>DNSSEC deployment is complex, and there are a variety of deployment strategies available depending on your organization’s objectives. General DNSSEC deployment models include:</p> <ul> <li><strong>Do it yourself:</strong> As the name implies, this method consists of your organization finding the scripts, tools and software required to DNSSEC-enable your zone and configuring them properly so that they work for your environment. This method has a higher learning curve and research requirement, but is more easily audited if you keep records of what you do.</li> <li><strong>Hosted solutions:</strong> Many organizations offer DNSSEC deployment and management services for organizations that may not have sufficient manpower or training to do so in-house. This option eliminates the high learning curve, but may cost more.</li> <li><strong>Automated:</strong> Some organizations may want to secure their DNS zones, but not have the time or manpower to take on a manual deployment of DNSSEC. There are automated DNSSEC deployment/maintenance products available that will handle secure key signing and re-signing, key rollover, and will allow online dynamic content and automatic record keeping.</li> </ul> <p>Which deployment method will work best for your organization? 
Consider the following:</p> <p>Does your organization have</p> <ul> <li>The expertise and training to properly enable DNSSEC?</li> <li>The staff and resources to deploy and maintain DNSSEC?</li> <li>The rigorous process discipline to keep DNSSEC working?</li> </ul> <p>Also consider these issues:</p> <ul> <li>What level of security does your organization want? Is your organization prepared to implement it?</li> <li>Will the number and size of your organization&rsquo;s zones, and how often they change, considerably complicate your DNSSEC maintenance?</li> <li>Does your organization need detailed logs and records for the resources you use for potential auditing purposes?</li> </ul> <p>Assess your needs against the questions and issues listed above to get a better idea of which method best suits your organization.</p> <h2 id="managing-reverse-dns-and-dnssec-for-resources-issued-by-arin">Managing Reverse DNS and DNSSEC for Resources Issued by ARIN</h2> <p>ARIN&rsquo;s <a href="https://www.arin.net/resources/manage/regrws/methods/#delegations">RESTful provisioning system (Reg-RWS)</a> provides delegation management tools to individually manage reverse DNS within IPv4 and IPv6 networks once your zones are DNSSEC-enabled. You will need an <a href="/resources/guide/account/">ARIN Online account</a> with an <a href="/reference/materials/security/api_keys/">API Key</a> to use Reg-RWS. ARIN members may choose to DNSSEC-enable their reverse zones by submitting DS Records to ARIN. 
These DS records point to DNSKEY Resource Records that are held in the zone being maintained.</p> <h3 id="managing-reverse-dns-using-arin-online">Managing Reverse DNS Using ARIN Online</h3> <p>To manage reverse DNS for your resources using ARIN Online:</p> <ol> <li>Log in to ARIN Online.</li> <li>On the <strong>Account Manager</strong> dashboard, choose <strong>Networks [NETs]</strong> or select <strong>IP Addresses</strong> &gt; <strong>Manage Networks</strong> in the left-hand navigation menu.</li> <li>On the <strong>Manage Networks</strong> page, enter the network in the search field and select <strong>Search</strong>, then choose the Net Handle for the network you want to modify.</li> <li>On the <strong>View &amp; Manage Network</strong> page, select <strong>Manage Reverse DNS</strong> in the Reverse DNS Information table.</li> </ol> <p>A list is shown of the reverse DNS zones that you have permission to modify, the nameservers delegated to that zone, any registered DS resource record key tags, and the names of any organizations with shared authority over a zone.</p> <h4 id="adding-or-modifying-nameservers">Adding or Modifying Nameservers</h4> <p>The nameserver is the directory (usually managed by your hosting company) that translates domain names to IP addresses. To change the nameservers for the DNS zone or add new nameservers:</p> <ol> <li>In the <strong>Manage Reverse DNS</strong> page, select the zones you want to change and choose <strong>Modify Nameservers</strong>.</li> <li>Specify the hostnames (not the IP addresses) of the nameservers that should be authoritative for all of the reverse DNS delegations listed in the <strong>Selected Delegations</strong> field. Modifications are applied to all listed delegations, and any previous nameservers are deleted.</li> <li>For each nameserver, enter a Time To Live (TTL) value. 
If a TTL is not specified, a default of 86400 seconds is used.</li> <li>(Optional) Choose <strong>Add Nameserver</strong> to add additional nameservers.</li> <li>Choose <strong>Apply to All</strong>. Changes are reflected immediately in the ARIN database, but may take 24 hours to be visible in DNS.</li> </ol> <h3 id="adding-or-deleting-ds-records-using-arin-online">Adding or Deleting DS Records Using ARIN Online</h3> <p>DS records are used to secure delegated zones. They contain the information used to verify the authenticity of the zones, such as encrypted information about the key used to sign the DNS record.</p> <p>ARIN accepts DS information in space-delimited text format with the following fields:</p> <ul> <li>Zone: Optional; this field is ignored</li> <li>Class: Optional; default value = IN</li> <li>Time to Live: Optional; default value = 86400 seconds</li> <li>Resource Record Type: Delegation signer; value = DS</li> <li>Key Tag: 2-byte integer</li> <li>Algorithm: 1-byte integer; 5, 7, 8, 10, 13, 14, 15 or 16</li> <li>Digest Type: 1-byte integer; 1, 2, 3, or 4</li> <li>Digest: hex-encoded digest</li> </ul> <p>The format would appear similar to the following example (without the explanatory header row):</p> <p><img src="/resources/manage/dnssec/ds_record.png" alt="image containing a sample DS record" /></p> <p>To manage DS records using ARIN Online:</p> <ol> <li>In the <strong>Manage Reverse DNS</strong> page, select the zones you want to change and choose <strong>Modify DS Records</strong>.</li> <li>A list of current DS records is displayed. You can delete records or upload new records. To upload new records:</li> </ol> <ul> <li>In the <strong>Add DS Records</strong> section, either paste the text of the DS record into the DS Records field, or choose a .txt file that contains the DS record and upload it.</li> <li>After the text of the DS Record is shown in the field, choose <strong>Parse DS Record</strong>. 
After the record is parsed, or checked for validity, it appears in the list of records.</li> <li>When you finish adding the DS records, choose <strong>Apply to All</strong>. Changes are reflected immediately in the ARIN database, but may take 24 hours to be visible in DNS.</li> </ul> </div> <div class="right-rail"> <div class="rr-content"> <a name="related-jump"></a> <h2 class="sidebar">Securing DNS (DNSSEC)</h2> <ul><li><a href="/resources/manage/dnssec/trust_anchors/">DNSSEC Trust Anchors from ARIN</a></li> </ul> <h2 class="sidebar">Related</h2> <ul> <li><a href="https://www.arin.net/resources/manage/reverse/">Reverse DNS</a></li> <li><a href="https://www.arin.net/reference/materials/security/api_keys/">Application Programming Interface (API) Keys</a></li> <li><a href="https://www.arin.net/resources/manage/regrws/">Automating Record Management with Reg-RWS</a></li> <li><a href="/participate/community/mailing_lists/#technical-discussions">ARIN Technical Discussions Mailing List</a></li> </ul> <p data-sj-ignore> <strong>Registration Services Help Desk</strong><br> 7:00 AM to 7:00 PM ET<br> Phone: &#43;1.703.227.0660<br> Fax: &#43;1.703.997.8844<br> </p> <p data-sj-ignore><a href="/resources/guide/helpdesk/">Tips for Calling the Help Desk</a></p> </div> </div> </div> </div> </div> <footer> <div class="foot-content"> <div class="row"> <div class="foot-col"> <p class="foot-copy"> &copy; Copyright 1997<span id="copy-date"> &ndash; 2025</span>, American Registry for Internet Numbers, Ltd. </p> <p class="foot-copy"> A member of the Number Resource Organization </p> </div> <div class="foot-col"> <p class="foot-contact"> Registration Services: <a href="tel:+1-703-227-0660">+1.703.227.0660</a><br /> Financial Services: <a href="tel:+1-703-227-9886">+1.703.227.9886</a><br /> Main: <a href="tel:+1-703-227-9840">+1.703.227.9840</a> </p> </div> </div> </div> </footer> </body> </html>
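
Added example (not part of the ARIN page and not ARIN's code): a pre-submission check for DS records in the space-delimited format listed under "Adding or Deleting DS Records Using ARIN Online". The per-type digest lengths and the SHA-1 warning are additions taken from the DNSSEC RFCs rather than from the page; the sample zone and digests are constructed, and every function and class name is illustrative.

```python
import hashlib
from dataclasses import dataclass, field

ALLOWED_ALGORITHMS = {5, 7, 8, 10, 13, 14, 15, 16}  # from the field list on the page
ALLOWED_DIGEST_TYPES = {1, 2, 3, 4}                 # from the field list on the page
# Digest size in bytes per digest type (SHA-1, SHA-256, GOST R 34.11-94, SHA-384).
# These sizes come from the DNSSEC RFCs, not from the page.
DIGEST_BYTES = {1: 20, 2: 32, 3: 32, 4: 48}
SHA1_ALGORITHMS = {5, 7}  # RSASHA1 and RSASHA1-NSEC3-SHA1


class DSFormatError(ValueError):
    """Raised when a line does not match the DS text format."""


@dataclass
class DSRecord:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str
    rr_class: str = "IN"  # default stated on the page
    ttl: int = 86400      # default stated on the page, in seconds
    warnings: list = field(default_factory=list)


def _uint(token, name, limit):
    """Parse a plain decimal field and enforce its byte width."""
    if not (token.isascii() and token.isdigit()):
        raise DSFormatError(f"{name} must be a decimal integer, got {token!r}")
    value = int(token)
    if value > limit:
        raise DSFormatError(f"{name} {value} exceeds {limit}")
    return value


def parse_ds_line(line):
    """Parse one DS record line and return a DSRecord, or raise DSFormatError."""
    tokens = line.split()
    # The type field is mandatory; at most three optional fields precede it.
    ds_at = next((i for i, t in enumerate(tokens[:4]) if t.upper() == "DS"), None)
    if ds_at is None:
        raise DSFormatError("resource record type DS not found")
    rdata = tokens[ds_at + 1:]
    if len(rdata) < 4:
        raise DSFormatError("need key tag, algorithm, digest type and digest")
    rec = DSRecord(
        key_tag=_uint(rdata[0], "key tag", 0xFFFF),       # 2-byte integer
        algorithm=_uint(rdata[1], "algorithm", 0xFF),     # 1-byte integer
        digest_type=_uint(rdata[2], "digest type", 0xFF),  # 1-byte integer
        digest="".join(rdata[3:]).lower(),  # zone files may split the digest
    )
    # Assumption: optional leading fields are told apart by shape.
    for tok in tokens[:ds_at]:
        if tok.isascii() and tok.isdigit():
            rec.ttl = int(tok)
        elif tok.upper() == "IN":
            rec.rr_class = "IN"
        # any other leading token is the zone name, which is ignored
    if rec.algorithm not in ALLOWED_ALGORITHMS:
        raise DSFormatError(f"algorithm {rec.algorithm} is not in the accepted list")
    if rec.digest_type not in ALLOWED_DIGEST_TYPES:
        raise DSFormatError(f"digest type {rec.digest_type} is not in the accepted list")
    try:
        raw = bytes.fromhex(rec.digest)
    except ValueError:
        raise DSFormatError("digest is not valid hex") from None
    expected = DIGEST_BYTES[rec.digest_type]
    if len(raw) != expected:
        raise DSFormatError(
            f"digest type {rec.digest_type} needs {expected} bytes, got {len(raw)}")
    if rec.digest_type == 1 or rec.algorithm in SHA1_ALGORITHMS:
        rec.warnings.append("relies on SHA-1; prefer a SHA-2 digest and algorithm")
    return rec


def check_submission(text):
    """Check every non-blank line; return (accepted records, {line number: error})."""
    accepted, rejected = [], {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            accepted.append(parse_ds_line(line))
        except DSFormatError as exc:
            rejected[number] = str(exc)
    return accepted, rejected


# Constructed sample input: the digest is a hash of a label, not of a real DNSKEY,
# and the zone is in the 192.0.2.0/24 documentation range.
SAMPLE_DIGEST = hashlib.sha256(b"constructed sample").hexdigest()
SAMPLE = "\n".join([
    f"2.0.192.in-addr.arpa. IN 86400 DS 12345 13 2 {SAMPLE_DIGEST}",       # full form
    f"DS 12345 8 2 {SAMPLE_DIGEST[:32]} {SAMPLE_DIGEST[32:]}",             # optional fields omitted
    f"2.0.192.in-addr.arpa. 3600 DS 12345 8 1 {SAMPLE_DIGEST[:40]}",       # valid, SHA-1 digest
    f"2.0.192.in-addr.arpa. IN DS 12345 13 2 {SAMPLE_DIGEST[:40]}",        # digest too short
    f"2.0.192.in-addr.arpa. IN DS 70000 13 2 {SAMPLE_DIGEST}",             # key tag out of range
    f"2.0.192.in-addr.arpa. IN DS 12345 3 2 {SAMPLE_DIGEST}",              # algorithm not accepted
])

if __name__ == "__main__":
    ok, bad = check_submission(SAMPLE)
    for rec in ok:
        print("accepted", rec.key_tag, rec.algorithm, rec.digest_type, rec.warnings)
    for number, reason in bad.items():
        print(f"line {number} rejected: {reason}")
```

Running the check locally before pasting records into the DS Records field catches a truncated digest or a mismatched digest type, which would otherwise leave the delegation with a DS record that cannot match any DNSKEY in the zone.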
