Should I enable DNSSEC for all domains or just for the main?

Hi. My box manages DNS for the main domain, as recommended.
But DNS records for the additional domains must be kept in the original provider.


  • Should I configure ALL the records listed in the External DNS configuration page? Not just MX. I mean _caldavs, _dmarc, SSHFP, TLSA, etc., and also enable DNSSEC?

  • Or are those “recommended and optional” records just needed for the main domain?

For example, it seems to me that TLSA or SSHFP are somehow intended for the global protection of the box and the global MX service, aren’t they?


Self answer: In the External DNS configuration page (where the main domain DNS configuration is listed…) you can scroll (!) all the way down and find the appropriate configurations for the additional domains.

Everything is nicely listed.

This kind of detail and perfection is not usual in open source projects :slight_smile: and my first thought was “yeah, here is the catch”, instead of scrolling the page. My bad.

And for the main question: it seems that DNSSEC is also recommended for the additional domains, but many of the special DNS records are just needed for the main domain. Configuration for the others is much lighter.


