The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but prevents attackers from manipulating or poisoning the responses to DNS requests.
There are three places where you must enable and configure DNSSEC for it to protect domains from spoofing and poisoning attacks:
The DNS zone for your domain must serve special DNSSEC records for public keys (DNSKEY), signatures (RRSIG), and non-existence (NSEC, or NSEC3 and NSEC3PARAM) to authenticate your zone's contents. Cloud DNS manages this automatically if you enable DNSSEC for a zone.
The top-level domain (TLD) registry (for
example.com, this would be
.com) must have a DS record that authenticates a DNSKEY record in your zone. Do this by activating DNSSEC at your domain registrar.
For full DNSSEC protection, you must use a DNS resolver that validates signatures for DNSSEC-signed domains. You can enable validation for individual systems or your local caching resolvers if you administer your network's DNS services.
For more information about DNSSEC validation, see the following resources:
- Do you have DNSSEC validation enabled?
- Deploying DNSSEC with BIND and Ubuntu Server (Part 1)
- DNSSEC Guide: Chapter 3. Validation
The second point limits the domain names where DNSSEC can work. Both the registrar and registry must support DNSSEC for the TLD that you are using. If you cannot add a DS record through your domain registrar to activate DNSSEC, enabling DNSSEC in Cloud DNS has no effect.
Before enabling DNSSEC, check the following resources:
- The DNSSEC documentation for both your domain registrar and TLD registry
- The Google Cloud community tutorial's domain registrar-specific instructions
- The ICANN list of domain registrar DNSSEC support to confirm DNSSEC support for your domain.
If the TLD registry supports DNSSEC, but your registrar does not (or does not support it for that TLD), you might be able to transfer your domains to a different registrar that does. After you have completed that process, you can activate DNSSEC for the domain.
For step-by-step instructions for managing DNSSEC, see the following resources:
To ensure proper operation of a domain, see DNSSEC, domain transfers, and zone migration.
To migrate a DNSSEC-signed zone to Cloud DNS, see Migrating DNSSEC-signed zones to Cloud DNS.
To change the DNSSEC state of the zone from
On, see Leaving DNSSEC transfer state.
To migrate a DNSSEC-signed zone to another DNS operator, see Migrating DNSSEC-signed zones from Cloud DNS.
To enable DNSSEC for delegated subdomains, see Delegating DNSSEC-signed subdomains.
Record set types enhanced by DNSSEC
For more information about record set types and other record types, see the following resources:
To control which public certificate authorities (CAs) can generate TLS or other certificates for your domain, see CAA records.
To enable opportunistic encryption through IPsec tunnels, see IPSECKEY records.
Using new DNS record types with DNSSEC-secured zones
For more information about DNS record types and other record types, see the following resource:
- To enable SSH client applications to validate SSH servers, see SSHFP records.
- To view DNSSEC key records, see Viewing DNSSEC keys.
- To create, update, list, and delete managed zones, see Managing zones.
- To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.
- To get an overview of Cloud DNS, see Cloud DNS overview.