DNSSEC at Vintony
What we sign by default, what you need to do, and how to verify.
3 min read
DNSSEC is enabled by default on every Vintony-registered domain whose TLD supports it. We generate the keys, publish them, and hand the DS record to the registry on your behalf.
You don't need to do anything for the default case. The 'DNSSEC' indicator in your dashboard turns green within a few hours of registration; verify externally with `dig DS yourdomain.com +short` against any resolver.
If you bring your own DNS (e.g. Cloudflare, Route 53), you'll need to coordinate the DS record manually. We'll show you the DS values; you give them to your DNS provider's DNSSEC setup flow.
Key rotation happens automatically every 90 days for the ZSK and every 365 days for the KSK. Rotation is invisible to clients — overlapping signatures ensure no validation failures during the cutover window.