DNSSEC

What DNSSEC does in Expanse Panel, how to enable it, and how to add DS records at your registrar.

DNSSEC adds cryptographic signatures to your DNS zone so resolvers can detect tampering and forged answers. It does not encrypt traffic; it protects the authenticity of DNS data.

In Expanse Panel

  1. Open your zone from Networking.
  2. Open the DNSSEC tab.
  3. Turn DNSSEC on or off with the control shown (wording may be Enable / Disable).

When DNSSEC is enabled, the panel shows keys and DS records you must publish at your registrar (the company where the domain is registered) to complete the “chain of trust.”

DS records at the registrar

After enabling DNSSEC:

  1. Copy each DS record the panel displays (algorithm, digest type, and digest are set by the DNS software).
  2. Log in to your registrar (for domains registered through Expanse, use the registrar or domain management screens they provide; for external domains, use the registrar where you bought the name).
  3. Add the DS record(s) in the registrar’s DNSSEC or DS management section.

The panel states that without DS records at the registrar, validation can fail and some users may not resolve your domain correctly.
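A check you can run before saving the DS record at the registrar, given as an added example that is not part of Expanse Panel or its documentation: it recomputes the DS record from a DNSKEY using the RFC 4034 rules and reports which field of a pasted DS record disagrees. The owner name, the 64-byte placeholder key, and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of the owner name, as RFC 4034 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS presentation form: key tag, algorithm, digest type, hex digest."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def check_ds(owner: str, rdata: bytes, ds_text: str) -> list:
    """Return the fields of a pasted DS record that do not match the DNSKEY."""
    tag, alg, dtype, *digest = ds_text.split()
    digest = "".join(digest).upper()  # tolerate a digest wrapped across whitespace
    problems = []
    if int(tag) != key_tag(rdata):
        problems.append("key tag")
    if int(alg) != rdata[3]:
        problems.append("algorithm")
    if int(dtype) not in DIGESTS:
        return problems + ["unsupported digest type"]
    expected = DIGESTS[int(dtype)](owner_wire(owner) + rdata).hexdigest().upper()
    if digest != expected:
        problems.append("digest")
    return problems

# Constructed sample: 64 placeholder bytes standing in for an ECDSA P-256 key.
SAMPLE_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    ds = make_ds("example.com", SAMPLE_KEY)
    print("DS to publish:", ds)
    print("mismatches:", check_ds("Example.COM.", SAMPLE_KEY, ds.lower()))
```

An empty list means the pasted DS record matches the key; a "digest" mismatch with a correct key tag usually points to a truncated paste or a record copied for a different domain.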

If keys do not appear yet

Use Refresh in the DNSSEC section if keys or DS data are slow to appear. If the message says keys are not returned yet, wait briefly and refresh again; contact support if the records still do not appear.

Registrant verification

For domains registered or transferred through Expanse, the panel may require a verified registrant contact before allowing DNSSEC changes—complete Verify under Registrant contacts if you see that message.

Disabling DNSSEC

Turn DNSSEC off in the panel when you intend to stop signing the zone, and remove the DS records at the registrar afterward so resolvers do not expect signatures that no longer exist.