Enable DNSSEC for a domain in My.GARMTECH

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS zones. It helps protect users from forged DNS responses (DNS spoofing). When enabled correctly, resolvers can verify that DNS records are authentic.

Before you enable DNSSEC

  • Make sure your domain is using the DNS provider where you will sign the zone. If your domain uses GARMTECH DNS (nameservers ns1.garmtech.com, ns2.garmtech.com, ns3.garmtech.com), DNSSEC can be enabled from My.GARMTECH (if supported for your TLD).
  • If you use external nameservers (Cloudflare, another provider), you normally enable DNSSEC at that provider and then add the DS record at the registrar.

Warning: An incorrect DNSSEC setup can make the domain stop resolving. Only enable DNSSEC if you understand where the DNS zone is hosted and you can access its DNSSEC settings.

Enable DNSSEC in My.GARMTECH

  1. Log in to My.GARMTECH.
  2. Go to Domains > My Domains and open the domain.
  3. Find DNSSEC / DNSSEC Management.
  4. Enable DNSSEC and save the changes.

Depending on the domain extension, My.GARMTECH may automatically publish the required DS record, or it may show DS parameters (Key Tag, Algorithm, Digest Type, Digest) that are submitted to the registry.

How to verify DNSSEC

  • Use any DNSSEC analyzer to confirm that your domain has valid DNSSEC.
  • For advanced checks you can use dig from a Linux/macOS terminal:
    • dig +short DNSKEY example.com (should return DNSKEY records)
    • dig +dnssec example.com A (look for the ad flag in the response on a validating resolver)
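
The DS parameters mentioned above (Key Tag, Algorithm, Digest Type, Digest) can be recomputed from the zone's DNSKEY and compared with what the registry holds; a mismatch is the usual reason a signed domain stops resolving. The Python below is an added example, not GARMTECH code: the function names and the sample key are constructed for illustration, and real input would be the four fields of a line from dig +short DNSKEY example.com.

```python
import base64
import hashlib

# DS "Digest Type" number -> hash function (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key Tag per RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_from_dnskey(name, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_wire(name) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(ds, name, dnskeys):
    """True if the DS tuple matches any DNSKEY (each: flags, protocol, algorithm, base64 key)."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False
    want = (tag, alg, dtype, digest.replace(" ", "").upper())
    return any(ds_from_dnskey(name, *k, digest_type=dtype) == want for k in dnskeys)

# Constructed sample key, not a real zone key: flags 257 (key-signing key),
# protocol 3, algorithm 13, and 64 placeholder bytes standing in for the public key.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    ds = ds_from_dnskey("example.com", *SAMPLE_KEY)
    print("DS parameters:", ds)
    print("matches published DNSKEY:", ds_matches(ds, "example.com.", [SAMPLE_KEY]))
```

If ds_matches returns False for the DS shown at the registrar, correct or remove that DS record before resolvers start failing validation for the domain.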

When to disable DNSSEC

If you change nameservers/DNS provider, you may need to update (or remove) the DS record. Disable DNSSEC if you are not maintaining signed DNS on the new provider.


© GARMTECH