This page describes how to activate and deactivate Domain Name System Security Extensions (DNSSEC) at your domain registrar.
For a conceptual overview of DNSSEC, see the DNSSEC overview.
Activate DNSSEC at your domain registrar
After enabling DNSSEC for your zone, you must activate DNSSEC at your registrar. To activate DNSSEC, you create a DS record for your domain in the parent zone so that resolvers know that your domain is DNSSEC-enabled and can validate its data. Each registrar has a different procedure to create this DS record; many registrars use a website form.
You can find domain registrar-specific instructions for many different registrars in the Google Cloud Community Tutorial Activate DNSSEC for Cloud DNS domains.
Be sure to test your DNS configuration thoroughly before activating DNSSEC on important domains. After you activate DNSSEC, deactivating it, if that becomes necessary, can take 24 hours or more because of propagation delays and resolver caching.
Get DS records
To get DS records for your zone, follow these steps:
Console
In the Google Cloud console, go to the Create a DNS zone page.
Click the zone for which you want the DS records.
Click Registrar setup.
Copy the DS records from the dialog. The DS records are similar to the following:
18311 8 2 1A347FBF4EDA76375760AEB183E3B0081C9D8BE63384637D46ED5F6C010F961B
gcloud
Use the gcloud dns dns-keys list command.
gcloud dns dns-keys list \
    --filter='type=keySigning' --format='value(ds_record())' \
    --zone=MANAGED_ZONE_NAME
Replace the following:
MANAGED_ZONE_NAME: the name of the managed zone
Your output is similar to the following:
18311 8 2 1A347FBF4EDA76375760AEB183E3B0081C9D8BE63384637D46ED5F6C010F961B
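When a registrar form asks for the four DS fields separately, a truncated or mistyped digest published in the parent zone makes the domain fail validation. The following sketch is an added example, not part of the Cloud DNS documentation or tooling; `ds_fields` is a hypothetical helper name. It splits a DS record into key tag, algorithm, digest type, and digest, and checks that the digest length matches the digest type (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).

```shell
#!/bin/sh
# Added example. ds_fields is a hypothetical helper, not a gcloud command.
# It splits one DS record ("KEYTAG ALGORITHM DIGEST_TYPE DIGEST") into
# labelled fields and rejects input that a registrar should not be given.
ds_fields() {
    # read puts everything after the third field into $digest, so a digest
    # that a tool such as dig printed in space-separated chunks is kept whole.
    read -r keytag alg dtype digest <<EOF
$1
EOF
    for n in "$keytag" "$alg" "$dtype"; do
        case $n in
            ''|*[!0-9]*) echo "error: missing or non-numeric field" >&2; return 1 ;;
        esac
    done
    [ "$keytag" -le 65535 ] && [ "$alg" -le 255 ] ||
        { echo "error: key tag or algorithm out of range" >&2; return 1; }

    # Normalise the digest: drop whitespace, upper-case the hex digits.
    digest=$(printf '%s' "$digest" | tr -d ' \t' | tr 'a-f' 'A-F')
    case $digest in
        ''|*[!0-9A-F]*) echo "error: digest is not hexadecimal" >&2; return 1 ;;
    esac

    # Expected digest length in hex characters, per digest type.
    case $dtype in
        1) want=40 ;;  # SHA-1
        2) want=64 ;;  # SHA-256
        4) want=96 ;;  # SHA-384
        *) echo "error: digest type $dtype not handled by this example" >&2; return 1 ;;
    esac
    [ "${#digest}" -eq "$want" ] ||
        { echo "error: digest has ${#digest} hex characters, expected $want" >&2; return 1; }

    printf 'key_tag=%s algorithm=%s digest_type=%s digest=%s\n' \
        "$keytag" "$alg" "$dtype" "$digest"
}

# The sample DS record shown on this page.
ds_fields '18311 8 2 1A347FBF4EDA76375760AEB183E3B0081C9D8BE63384637D46ED5F6C010F961B'
```

The function returns a non-zero status and writes the reason to standard error when the record is malformed, so it can gate a script that submits the values.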
Deactivate DNSSEC at your domain registrar
Before you disable DNSSEC for a managed zone that you still want to use, you must deactivate DNSSEC for your zone at your domain registrar to ensure that DNSSEC-validating resolvers can still resolve names in the zone.
To deactivate DNSSEC, you remove all DS records for your domain from the parent zone so that resolvers no longer try to use DNSSEC to validate your domain data. Each registrar has a different procedure for removing these DS records; many registrars use a website form.
You can find domain registrar-specific instructions for many different registrars in the Google Cloud Community Tutorial Activate DNSSEC for Cloud DNS domains.
After the DS records are removed from the registrar, you must wait for the removal of the DS record to propagate to all resolvers before turning off DNSSEC for the zone. This may take 24 hours or longer depending on propagation latency incurred by the registrar or registry and resolver caching.
Once DS records are no longer visible to any resolvers, you can safely turn off DNSSEC for the zone.
What's next
- To get information about specific DNSSEC configurations, see Use advanced DNSSEC.
- To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.
- To get an overview of Cloud DNS, see Cloud DNS overview.