DNS Security (DNSSEC)

DNSSEC is a feature of the Domain Name System that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups (queries and responses still travel in the clear), but it lets validating resolvers detect and reject forged responses, so attackers cannot manipulate or poison the answers that clients receive.

There are three places where DNSSEC needs to be enabled and configured for it to protect domains from spoofing and poisoning attacks:

  1. The DNS zone for your domain must serve special DNSSEC records for public keys (DNSKEY), signatures (RRSIG), and non-existence (NSEC, or NSEC3 and NSEC3PARAM) to authenticate your zone's contents. Cloud DNS manages this automatically if you enable DNSSEC for a zone.

  2. The top-level domain registry (for example.com, this would be .COM) must have a DS record that authenticates a DNSKEY record in your zone. The DS record holds a digest of your zone's key-signing key (the DNSKEY with the SEP flag set, flags value 257), which is how the chain of trust reaches from the root down to your zone. Do this by activating DNSSEC at your domain registrar, which passes the DS record to the registry.

  3. For full DNSSEC protection, clients must use a DNS resolver that validates signatures for DNSSEC-signed domains. You can enable validation for individual systems or the local DNS resolvers (Refer to the appendices in this PDF guide). You can also configure systems to use public resolvers that validate DNSSEC, notably Google Public DNS and Verisign Public DNS.

The second point limits the domain names where DNSSEC can work. Both registrar and registry must support DNSSEC for the top-level domain that you are using. If you cannot add a DS record through your domain registrar to activate DNSSEC, enabling DNSSEC in Cloud DNS has no effect.
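
Before submitting a DS record to the registrar it is worth cross-checking the value Cloud DNS shows against the DNSKEY the zone actually serves. The script below, an added example that is not Cloud DNS code and not part of the original page, derives the DS record from a DNSKEY following RFC 4034 (section 5.1.4 for the digest input, Appendix B for the key tag) and checks a DS against a DNSKEY. The owner name example.com. and the public-key bytes are constructed sample data, not a real key, so the script runs offline.

```python
"""Derive and verify a DS record from a DNSKEY RR (RFC 4034).

Added example for cross-checking the DS that Cloud DNS displays before handing
it to the registrar. Not Cloud DNS code; the sample key below is constructed.
"""
import base64
import hashlib
import struct

# DS digest types from the IANA "DS RR Type Digest Algorithms" registry.
# Cloud DNS and most registries use type 2 (SHA-256).
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercased,
    each label prefixed by its length, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format RDATA of a DNSKEY RR: flags (16 bit), protocol, algorithm,
    then the raw public key (the base64 text may be split across lines)."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def is_ksk(flags: int) -> bool:
    """Only the key-signing key (SEP bit set, typically flags 257) goes into a DS."""
    return bool(flags & 0x0001)


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): sum the RDATA as 16-bit big-endian words
    (a trailing odd byte counts as the high byte), fold the carry in once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Upper-case hex digest over owner-name-wire || DNSKEY RDATA."""
    data = wire_name(owner) + rdata
    return hashlib.new(DIGESTS[digest_type], data).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS RDATA as (key_tag, algorithm, digest_type, digest_hex)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata), algorithm, digest_type,
            ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if the DS tuple was derived from this DNSKEY at this owner name.
    Comparison is case-insensitive on the digest, as the registry stores hex."""
    tag, alg, dtype, digest = ds
    if alg != algorithm or dtype not in DIGESTS:
        return False
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return expected[0] == tag and expected[3] == digest.upper()


# Constructed sample DNSKEY (NOT a real key): flags 257 = zone key + SEP,
# protocol 3, algorithm 8 (RSASHA256).
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 8
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()


def sample_ds():
    """DS for the constructed sample, in the form you would give a registrar."""
    return make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG,
                   SAMPLE_KEY_B64)


if __name__ == "__main__":
    tag, alg, dtype, digest = sample_ds()
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

To use it against a real zone, paste the KSK line from the zone's DNSKEY RRset (Cloud DNS shows the DS record in the console, and the DNSKEY can be fetched with dig) into make_ds with the zone's owner name and confirm the tag and digest match what the registrar has on file. A DS that was generated from a zone-signing key (flags 256) or from a name with a typo will produce a digest mismatch and break validation for the whole zone. RFC 4034 section 5.4 carries a worked DNSKEY/DS pair that can be fed in as a further sanity check of the implementation.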

Before enabling DNSSEC, check the DNSSEC documentation for both your domain registrar and top-level domain registry, the Google Cloud community tutorial's domain registrar-specific instructions, and the ICANN list of domain registrar DNSSEC support to confirm DNSSEC support for your domain. If the top-level domain registry supports DNSSEC, but your registrar does not (or doesn't support it for that top-level domain), you may be able to transfer your domains to a different registrar that does. After you have completed that process, you can activate DNSSEC for the domain.

Management operations

Go to Managing DNSSEC (under "See also") for instructions on each of these tasks or click through the links below:

DNSSEC, domain transfers, and zone migration

Migrating DNSSEC-signed zones to Google Cloud DNS

Leaving DNSSEC transfer state

Migrating DNSSEC-signed zones from Google Cloud DNS

Delegating DNSSEC-signed subdomains

Record set types enhanced by DNSSEC

Refer to Advanced DNSSEC for instructions on these and other record types or click through the links below:

CAA records

IPSECKEY records

Using new DNS record types with DNSSEC-secured zones

SSHFP records

Next steps