Using DNSSEC and registrars

This page describes how to activate and deactivate Domain Name System Security Extensions (DNSSEC) at your domain registrar.

For a conceptual overview of DNSSEC, see the DNSSEC overview.

Activating DNSSEC at your domain registrar

After enabling DNSSEC for your zone, you must activate DNSSEC at your registrar. To activate DNSSEC, you create a DS record for your domain in the parent zone so that resolvers know that your domain is DNSSEC-enabled and can validate its data. Each registrar has a different procedure to create this DS record; many registrars use a website form.

You can find domain registrar-specific instructions for many different registrars in the Google Cloud Community Tutorial Activating DNSSEC for Cloud DNS domains.

Deactivating DNSSEC at your domain registrar

Before you disable DNSSEC for a managed zone that you still want to use, you must deactivate DNSSEC for your zone at your domain registrar to ensure that DNSSEC-validating resolvers can still resolve names in the zone.

To deactivate DNSSEC, you remove all DS records for your domain from the parent zone so that resolvers no longer try to use DNSSEC to validate your domain data. Each registrar has a different procedure for removing these DS records; many registrars use a website form.

You can find domain registrar-specific instructions for many different registrars in the Google Cloud Community Tutorial Activating DNSSEC for Cloud DNS domains.

After the DS records are removed, you can safely turn off DNSSEC for the zone.

What's next