Managing DNSSEC configuration

This page describes how to enable and disable Domain Name System Security Extensions (DNSSEC), verify DNSSEC deployment, and migrate zones to and from Cloud DNS.

For a conceptual overview of DNSSEC, see the DNSSEC overview.

Enabling DNSSEC for existing managed zones

To enable DNSSEC for existing managed zones, see the following steps.

Console

  1. In the Google Cloud Console, go to the Cloud DNS page.

  2. Click the DNSSEC setting for the zone, and under DNSSEC, select On.

  3. In the confirmation dialog, click Enable.

gcloud

Run the following command:

gcloud dns managed-zones update EXAMPLE_ZONE --dnssec-state on

Replace EXAMPLE_ZONE with the zone ID.

Python

Run the following:

from google.cloud import dns

def enable_dnssec(project_id, name, description=None):
    # Turn on DNSSEC signing for an existing managed zone.
    client = dns.Client(project=project_id)
    zone = client.zone(name=name)
    zone.update(dnssec='on', description=description)

Enabling DNSSEC when creating zones

To enable DNSSEC when you are creating a zone, see the following steps.

Console

  1. In the Google Cloud Console, go to the Cloud DNS page.

  2. Click Create zone.

  3. In the Zone name field, enter a name.

  4. In the DNS name field, enter a name.

  5. Under DNSSEC, select On.

  6. Optional: Add a description.

  7. Click Create.

gcloud

Run the following command:

gcloud dns managed-zones create EXAMPLE_ZONE \
    --description "Signed Zone" --dns-name myzone.example.com --dnssec-state on

Replace EXAMPLE_ZONE with the zone ID.

Python

Run the following:

from google.cloud import dns

def create_signed_zone(project_id, name, dns_name, description):
    # Create a managed zone with DNSSEC signing enabled from the start.
    client = dns.Client(project=project_id)
    zone = client.zone(
        name,  # examplezonename
        dns_name=dns_name,  # example.com.
        description=description,
        dnssec='on')
    zone.create()
    return zone

Verifying DNSSEC deployment

To verify correct deployment of your DNSSEC-enabled zone, make sure that you placed the correct DS record in the parent zone. DNSSEC resolution can fail if either of the following occurs:

  • The configuration is wrong, or you have mistyped it.
  • You have placed the incorrect DS record in the parent zone.

To verify that you have the right configuration in place, and to cross-check the DS record before placing it in the parent zone, use the following tools:

You can use the Verisign DNSSEC debugger and Zonemaster sites to validate your DNSSEC configuration before you update your registrar with your Cloud DNS name servers or DS record. For a reference point, example.com is a domain that is properly configured for DNSSEC; you can inspect it using DNSViz.
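One way to cross-check a DS record offline before handing it to the registrar, as an added example that is not Cloud DNS's own code: it derives the DS (digest type 2, SHA-256) from a DNSKEY's owner name and RDATA as defined in RFC 4034 and RFC 4509, and compares it with the DS text you intend to publish in the parent zone. The DNSKEY below is a constructed sample with placeholder key bytes, not a real key.

```python
import base64
import hashlib

def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """DS presentation RDATA ("key_tag algorithm digest_type digest"), digest type 2 = SHA-256."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"

def ds_matches(computed_ds: str, registrar_ds: str) -> bool:
    """True if the DS text shown at the registrar is the one derived from the zone's KSK.
    Tolerates the whitespace and case differences common in copy-pasted DS records."""
    a, b = computed_ds.split(), registrar_ds.split()
    if len(a) < 4 or len(b) < 4:
        return False
    return a[:3] == b[:3] and "".join(a[3:]).upper() == "".join(b[3:]).upper()

# Constructed sample KSK (flags 257 = KSK, protocol 3, algorithm 13 = ECDSAP256SHA256);
# the 64 key bytes are a placeholder pattern, not a real public key.
SAMPLE_OWNER = "myzone.example.com."
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, 257, 3, 13, SAMPLE_PUBKEY_B64)
    print("DS to place in the parent zone:", ds)
    # A single mistyped hex digit is caught before it reaches the registrar.
    typo = ds[:-1] + ("0" if ds[-1] != "0" else "1")
    print("matches after typo:", ds_matches(ds, typo))
```

To check a live zone, paste the DNSKEY fields returned by dig DNSKEY for your zone into ds_from_dnskey and compare the result with what your registrar displays.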

Recommended TTL settings for DNSSEC-signed zones

TTL is the time to live, in seconds, of the records in a DNSSEC-signed zone.

Unlike TTL expirations, which are relative to the time a name server sends a response to a query, DNSSEC signatures expire at a fixed absolute time. TTLs configured longer than a signature lifetime can lead to many clients requesting records at the same time as the DNSSEC signature expires. Short TTLs can also cause problems for DNSSEC-validating resolvers.

For more recommendations about TTL selection, see RFC 6781 section 4.4.1 Time Considerations and RFC 6781 Figure 11.

When reading RFC 6781 section 4.4.1, consider that many signature time parameters are fixed by Cloud DNS and you cannot change them. Currently, you cannot change the following (subject to change without notice or update to this document):

  • Inception offset = 1 day
  • Validity period = 21 days
  • Re-sign period = 3 days
  • Refresh period = 18 days
  • Jitter interval = ½ day (or ±6 hours)
  • Minimum signature validity = refresh – jitter = 17.75 days = 1533600 seconds

You must never use a TTL longer than the minimum signature validity.

Disabling DNSSEC for managed zones

After you have removed DS records and waited for them to expire from cache, you can use the following gcloud command to turn off DNSSEC:

gcloud dns managed-zones update EXAMPLE_ZONE --dnssec-state=off

Replace EXAMPLE_ZONE with the zone ID.

DNSSEC, domain transfers, and zone migration

For DNSSEC-enabled zones where DNSSEC has been activated at the domain registry, see the steps in the following sections to ensure proper operation of the domain:

  • When it is transferred to another registrar (or ownership is transferred).

  • When migrating the DNS zone between Cloud DNS and another DNS operator.

The technical approach that Cloud DNS uses for these migrations is the KSK Double-DS rollover variant described in RFC 6781 section 4.1.2 Key Signing Key Rollovers.

For an informative presentation about DNSSEC and domain transfers and potential pitfalls, see DNS/DNSSEC and Domain Transfers: Are they compatible?.

Migrating DNSSEC-signed zones to Cloud DNS

If you are migrating a DNSSEC-signed zone to Cloud DNS, make sure that Cloud DNS supports the same KSK algorithm already in use. If not, deactivate DNSSEC at your domain registrar before you migrate the zone, and update the name server records at the registrar to use the Cloud DNS name servers.

If the existing KSK and ZSK algorithms are supported in Cloud DNS, you can follow these steps to perform the migration with DNSSEC enabled:

  1. Create a new DNSSEC-signed zone in DNSSEC Transfer state. Transfer state lets you manually copy DNSKEYs into the zone.

  2. Export your zone files, and then import them into the new zone.

  3. Add the DNSKEYs (both KSK and ZSK) from the old zone's zone files.

    You can also use the dig command to query the other name servers for DNSKEY records.

  4. Add the DS record for the new zone to your registrar.

  5. Update the name server records at the registrar to the Cloud DNS name servers for the new zone.

Leaving DNSSEC transfer state

Before leaving the DNSSEC transfer state, wait until the name server references (NS and DS) to Cloud DNS have propagated to all authoritative registry name servers. Also ensure that the TTL has expired for all old name server DNSSEC resource records (not only the registry parent zone NS and DS records, but also DNSKEY, NSEC/NSEC3, and RRSIG records from the old zone). Make sure that you remove the manually added transfer DNSKEY records.

You can then change the DNSSEC state of the zone from Transfer to On. Making this change enables automatic ZSK rotation for the zone. Generally, your zones can safely leave DNSSEC transfer state after a week, and should not remain in DNSSEC transfer state for more than a month or two.

You must also remove the DS record for the old DNS operator's zone from your registrar.

Migrating DNSSEC-signed zones from Cloud DNS

Before you migrate a DNSSEC-signed zone to another DNS operator, make sure that the zone and operator support the same KSK algorithm that you are using. If not, deactivate DNSSEC at your domain registrar before you migrate the zone, and update the name server records at the registrar to use the new name servers.

If they support the same KSK (and preferably the same ZSK) algorithms and provide a way to copy existing DNSKEYs to the new zone, you can perform the migration keeping DNSSEC enabled by following these steps:

  1. Change the DNSSEC state from On to Transfer. This stops ZSK rotation.

  2. Export your zone file (including DNSKEYs) and import it into the new zone.

  3. If the DNSKEYs (both KSK and ZSK) import did not go through, add them manually.

    Use the dig command to query the Cloud DNS name servers for your zone for DNSKEY records:

    dig DNSKEY myzone.example.com. @ns-cloud-e1.googledomains.com.

  4. Enable DNSSEC-signing for the new zone, and add a DS record for the new KSK at the registrar.

    If your registrar cannot support multiple DS records, complete this task in step 6.

  5. Optional: Import the new DNSKEYs for the new zone into Cloud DNS.

    You can use a dig command similar to the one in step 3 for this, but skip the DNSKEYs that you exported from Cloud DNS.

  6. To use the new DNS operator, update the name server records at the registrar.

    If you can only replace DS records at your registrar, do this now.

If the other DNS operator has a process for migrating a DNSSEC-signed zone (such as Dyn), you must perform their steps in parallel with this procedure, after step 1.

After you have completed all the necessary steps on the other DNS operator, do the following:

  1. Update the DNSSEC state to Off, or delete the zone in Cloud DNS to disable DNSSEC.

  2. Remove the DS record for the Cloud DNS zone from your registrar.

What's next