🔐 DNSSEC Setup

This page explains how to enable and configure DNSSEC (Domain Name System Security Extensions) for the LCHS Red Cross Club domain (lchsredcross.org) using Porkbun (registrar) and Cloudflare (DNS host).

---

📘 What is DNSSEC?

DNSSEC adds a layer of cryptographic security to DNS, preventing attackers from tampering with or hijacking your domain's DNS records. It ensures that visitors always reach the correct version of your site.

---

✅ Steps to Enable DNSSEC

1. Enable DNSSEC in Cloudflare

1. Log into Cloudflare.

2. Select the domain lchsredcross.org.

3. Go to the DNS tab.

4. Scroll down to DNSSEC and click Enable DNSSEC.

5. Cloudflare will generate a DS Record containing these values:

   • Key Tag

   • Algorithm (usually 13)

   • Digest Type (usually 2 / SHA256)

   • Digest (a long hex string)

2. Add DS Record in Porkbun

1. Log into Porkbun with the club Gmail account.

2. Go to Domain Management → find lchsredcross.org.

3. Click Details ▼ → then DNSSEC.

4. In the dsData section, copy the values from Cloudflare:

   • Key Tag → Paste Cloudflare Key Tag

   • DS Data Algorithm → Paste Cloudflare Algorithm

   • Digest Type → Paste Cloudflare Digest Type

   • Digest → Paste Cloudflare Digest

5. Leave Max Sig Life blank.

6. Leave the keyData section (Flags, Protocol, Public Key, Key Data Algorithm) empty.

7. Click Create to save the DS record.

---

📝 Notes

• Porkbun may take several minutes to hours to publish the DS record.

• Cloudflare will show DNSSEC as "Enabled" once propagation is complete.

• Do not fill both dsData and keyData — only dsData is needed for Cloudflare.

• If DNSSEC is misconfigured, your site may become unreachable. Always double-check values.

---

🔄 Verification Checklist

• Cloudflare shows DNSSEC: Enabled
• Porkbun DNSSEC page has the DS record saved
• https://dnsviz.net/ shows a secure chain of trust for lchsredcross.org

---

✅ Once complete, your domain is cryptographically protected from DNS hijacking.