In this article, you will learn:
- What DNSSEC is
- How to set up DNSSEC on a domain
- How to set up DNSSEC in bulk
- Common issues
- Frequently asked questions
DNSSEC
DNSSEC is a domain security method against DNS spoofing attempts. Using security keys, it ensures that information obtained from DNS is complete, provided by the correct source, and has not been tampered with by any third party during transmission.
You can set up DNSSEC on all domains that support this method:
- all CZ and EU domains we register;
- all SK and gTLD domains (including nTLDs) that we register, but do not use our DNS servers.
PL domains currently do not support DNSSEC.
DNSSEC setup on a domain
DNSSEC security setup usually takes up to 6 hours.
You can set up DNSSEC under the following conditions:
- CZ and EU domains must be registered with us and may or may not use our DNS servers.
- SK and generic domains (COM, NET, WEBSITE, …) must be registered with us, but must not use our DNS.
To access DNSSEC settings, follow these steps:
- Log in to the customer administration ⧉.
- In the top menu, select Domains.
- In the overview, select the domain for which you want to set up DNSSEC.
- In the left menu, select DNSSEC settings.

Next, continue according to the instructions for your domain extension:
Activating DNSSEC for CZ and EU domains
For CZ and EU domains, DNSSEC is automatically set up by default. If you want to disable automatic setup, uncheck the option Allow future automatic DNSSEC WEDOS setup/cancellation. in the Customer options section.
For CZ and EU domains, we offer a complete DNSSEC solution. In this case, both the domain and the DNS servers (NSSET) must be managed by WEDOS.
In the DNSSEC settings interface, check the option use WEDOS DNSSEC and click the Set DNSSEC button.
For these domains, in the box of the same name, you can also set future automatic DNSSEC WEDOS setup/cancellation in case the system detects problems with DNSSEC.
If you do not use WEDOS DNS servers (NSSET), you can use an existing custom KEYSET, or create and use your own KEYSET. DNS records are signed on the DNS servers by the DNS service provider or the domain administrator (customer).
Activating DNSSEC for SK and generic domains
For SK, gTLD, and nTLD domains, we offer the option to activate DNSSEC, but the DNS servers must be set up with another provider. From that provider (if they support DNSSEC), also obtain Digest or Public key type keys. DNS records are signed on the DNS servers by the DNS service provider or the domain administrator (customer).
In the DNSSEC settings interface, proceed as follows:
- Check the option use custom DNSSEC keys.
- In the Custom DNSSEC keys table, select the key type and enter the corresponding values.
- Save the settings by clicking the Set DNSSEC button.

Disabling DNSSEC
In the DNSSEC settings interface, check the option do not use DNSSEC and click the Set DNSSEC button.
Bulk DNSSEC setup
At present, only CZ and EU domains registered with us support bulk DNSSEC setup. We recommend using our DNS servers.
Perform bulk DNSSEC setup as follows:
- Log in to the customer administration ⧉.
- In the top menu, select Domains.
- In the overview, check the CZ and EU domains for which you want to set up DNSSEC in bulk.
- At the bottom of the table, select DNSSEC settings.
- Click the Proceed button.

In the following wizard, enter the required settings and confirm them with the Finish button.
Common issues
Common DNSSEC issues include:
SK or gTLD with WEDOS DNS
Problem: The error message ERROR: DNSSEC for this domain is enabled only when using external DNS servers. None of our DNS servers may be used for the domain. is displayed.

Cause: You can set up DNSSEC on SK and generic domains (COM, NET, ONLINE, …) only if you do not use our DNS servers.
Solution: Change the DNS servers to another provider that supports DNSSEC.
Frequently asked questions
Can I use my own KEYSET for CZ and EU domains?
Yes, but you must not use our DNS servers.
Why do I have to use external DNS servers for generic domains?
For gTLD domains, it is not possible for us to sufficiently automate the DNSSEC setup process for technical reasons. The CZ and EU domain registries support KEYSET-type objects, which allow us to perform DNSSEC key rotation in the upper zone in bulk for all affected domains with a single command. For other registries, we would have to change the keys individually for each domain, and in some cases this may not even be possible due to possible domain restrictions on the part of the registry. A failed key rotation could then cause the domain to become unavailable due to a disrupted DNSSEC key chain.
How do I disable DNSSEC?
In the DNSSEC settings interface, check the option do not use DNSSEC and confirm. As with all DNSSEC settings, this will take effect after several hours.
How does DNSSEC cancellation work?
The system sends the command to remove DNSSEC keys from the parent zone to the registry immediately. If the domain uses our DNS servers, after sending the command you wait for the DNSSEC key TTL to expire in the parent zone. After the TTL expires, the system removes the zone signature on our DNS servers and thus completes the request to cancel DNSSEC for the domain. While the DNSSEC cancellation request is being processed, you cannot change the DNSSEC settings for the domain in any way.