Article overview

Help article

How can I secure domains that use custom nameservers with DNSSEC ?

If you wish to secure your domain name with DNSSEC and you're using your own custom nameservers, you can configure DNSSEC inside your control panel.

If you're using the TransIP nameservers, DNSSEC will automatically be enabled. Use this article if you want to manually configure DNSSEC in your control panel.

Domain extensions that support DNSSEC

DNSSEC can be configured for nearly every domain extension. Take a look at our wide assortment of domain names and search for a domain extension. Next, click on 'More information' to see if the domain extension supports DNSSEC.

Configuring DNSSEC in your control panel

Visit the control panel and head to the tab 'Domains & Hosting' at the top of the page. Next, select your domain name on the left hand side (don't check the box).

At the top of the page you will see your domain name and the button 'Manage' next to it. Click on this button and select 'DNSSEC settings'.

dnssec settings

Take note: You will only be able to configure the DNSSEC settings when using your own custom nameservers. If you're using the TransIP nameservers, DNSSEC will automatically be used for your domain name and the 'DNSSEC settings' button will not be visible.

We recommend using a zone-signer script in order to complete your DNSSEC settings, such as ‘Zonesigner’. Please note that you will need both Bind and Perl to use Zonesigner.

If you are name servers from another service such as CloudFlare, the Key Tag, algorithm and KSK (Key Signing Key) will be provided by them.

After clicking on 'DNSSEC settings' you will find yourself on the following page.

dnssec settings

Below you can find an explanation of the different DNSSEC settings.

Key Tag:
The required Key Tag consists of 5 digits and can be found in your DNS zone using Zonesigner.

Enter the specific algorithm required to encrypt the public key. You can find the corresponding algorithm in your DNS zone.

Supported algorithms

The following algorithms are supported:

  • 3 DSA/SHA1
  • 5 RSA/SHA-1
  • 6 DSA-NSEC3-SHA1
  • 8 RSA/SHA-256
  • 10 RSA/SHA-512
  • 12 GOST R 34.10-2001
  • 13 ECDSA Curve P-256 with SHA-256
  • 14 ECDSA Curve P-384 with SHA-384

You can choose between a Key Signing Key (KSK, 257) and a Zone Signing Key (ZSK, 256). The Key Signing Key is the most used flag.

Public Key:
The digital signature of the records in your DNS zone is checked by the public key. You can find the public key near the corresponding DNSSEC records in your DNS zone.

When you've configured your DNSSEC settings, click on 'Save'.

Take note that some domain extensions might not support some of the relatively new security algorithms such as 13 and 14. You can find more information about currently available algorithms and the status of future ones on the website of

In this article we explained how you can configure DNSSEC for your own custom nameservers inside your control panel.

If you have any questions regarding this article, please contact our support team. You can reach them using the 'Contact us' button below or via the 'Contact' button inside your control panel.

If you wish to discuss this article with other users, feel free to leave a comment below.


Do you have a good idea?

Give us your idea! If it's popular we'll add it to the wishlist!

Has this article been helpful?

Create an account or log in to leave a rating.


Create an account or log in to be able to leave a comment.

Are you stuck?

Ask one of our specialists to assist you

Contact us