Article overview

Help article

How can I secure domains that use custom nameservers with DNSSEC ?

If you wish to secure your domain name with DNSSEC and you're using your own custom nameservers, you can configure DNSSEC inside your control panel.

If you're using the TransIP nameservers, DNSSEC will automatically be enabled. Use this article if you want to manually configure DNSSEC in your control panel.

Domain extensions that support DNSSEC

DNSSEC can be configured for nearly every domain extension. Take a look at our wide assortment of domain names and search for a domain extension. Next, click on 'More information' to see if the domain extension supports DNSSEC.

Configuring DNSSEC in your control panel

Visit the control panel and head to 'Domain' at the top of the page. Next, select your domain name on the left hand side (don't check the box).

At the top of the page you will see your domain name and the button 'Manage' next to it. Click on this button and select 'DNSSEC settings'.

dnssec settings

Take note: You will only be able to configure the DNSSEC settings when using your own custom nameservers. If you're using the TransIP nameservers, DNSSEC will automatically be used for your domain name and the 'DNSSEC settings' button will not be visible.

We recommend using a zone-signer script in order to complete your DNSSEC settings, such as ‘Zonesigner’. Please note that you will need both Bind and Perl to use Zonesigner.

If you are name servers from another service such as CloudFlare, the Key Tag, algorithm and KSK (Key Signing Key) will be provided by them.

After clicking on 'DNSSEC settings' you will find yourself on the following page.

dnssec settings

Below you can find an explanation of the different DNSSEC settings.

Key Tag:
The required Key Tag consists of 4 or 5 digits and can be found in your DNS zone using Zonesigner.

Enter the specific algorithm required to encrypt the public key. You can find the corresponding algorithm in your DNS zone.

Supported algorithms

The following algorithms are supported:

  • 3 DSA/SHA1
  • 5 RSA/SHA-1
  • 6 DSA-NSEC3-SHA1
  • 8 RSA/SHA-256
  • 10 RSA/SHA-512
  • 12 GOST R 34.10-2001
  • 13 ECDSA Curve P-256 with SHA-256
  • 14 ECDSA Curve P-384 with SHA-384

You can find more information about currently available algorithms and the status of future ones on the website of

You can choose between a Key Signing Key (KSK, 257) and a Zone Signing Key (ZSK, 256). The Key Signing Key is the most used flag.

Public Key:
The digital signature of the records in your DNS zone is checked by the public key. You can find the public key near the corresponding DNSSEC records in your DNS zone.

When you've configured your DNSSEC settings, click 'Save'.

The Key Tag can be found in the DS record. The Algorithm, Flag, and Public key can be found in the DNSKEY record.


This handy tool can help you get the correct information.

In this article we explained how you can configure DNSSEC for your own custom nameservers inside your control panel.

If you have any questions regarding this article, please contact our support team. You can reach them using the 'Contact us' button below or via the 'Contact' button inside your control panel.

If you wish to discuss this article with other users, feel free to leave a comment below.


Has this article been helpful?

Create an account or log in to leave a rating.


Create an account or log in to be able to leave a comment.