Every answer signed.
ECDSA P-256 by default, automatic KSK/ZSK rollover, NSEC3 with opt-out, chain-of-trust validation, and DS record auto-publish.
Pick your curve. Or trust our default.
ECDSA P-256 offers the best balance of security, compact signatures, and signing performance. RSA 2048 is available for legacy compatibility. ED25519 for those on the cutting edge.
| Algorithm | ID | Key Bits | Sig Size | Sign Time | Default |
|---|---|---|---|---|---|
| ECDSAP256SHA256 | 13 | 256 | 64B | ~0.1ms | YES |
| ECDSAP384SHA384 | 14 | 384 | 96B | ~0.2ms | - |
| RSASHA256 | 8 | 2048 | 256B | ~0.8ms | - |
| ED25519 | 15 | 256 | 64B | ~0.05ms | - |
Keys rotate. Trust persists.
Relays performs automatic KSK rollover using the double-signature method. ZSK rollover happens every 90 days. Both follow RFC 7583 timing to ensure zero validation failures during the transition.
Prove absence. Hide presence.
NSEC3 provides authenticated denial of existence without exposing every name in your zone. Opt-out mode skips unsigned delegations, reducing zone size for zones with many delegations.
Root to record. Every link verified.
Relays continuously validates the full DNSSEC chain of trust from the root zone down to individual records. If any link breaks, you are alerted immediately.
No manual DS. No broken chains.
When Relays is your registrar, DS records are published to the parent zone automatically on key creation and rollover. No copying hex strings between dashboards.