Use DNSSEC and registrars

This page describes how to activate and deactivate Domain Name System Security Extensions (DNSSEC) at your domain registrar.

For a conceptual overview of DNSSEC, see the DNSSEC overview.

Activate DNSSEC at your domain registrar

After enabling DNSSEC for your zone, you must activate DNSSEC at your registrar. To activate DNSSEC, you create a DS record for your domain in the parent zone so that resolvers know that your domain is DNSSEC-enabled and can validate its data. Each registrar has a different procedure to create this DS record; many registrars use a website form.

You can find domain registrar-specific instructions for many different registrars in the Google Cloud Community Tutorial Activate DNSSEC for Cloud DNS domains.

Be sure to test your DNS configuration thoroughly before activating DNSSEC on important domains. After you have activated DNSSEC, deactivating it again, should that become necessary, can take 24 hours or more because of propagation delays and resolver caching.

Get DS records

To get DS records for your zone, follow these steps:

Console

  1. In the Google Cloud console, go to the Create a DNS zone page.

  2. Click the zone for which you want the DS records.

  3. Click Registrar setup.

  4. Copy the DS records from the dialog. The DS records are similar to the following:

    18311 8 2 1A347FBF4EDA76375760AEB183E3B0081C9D8BE63384637D46ED5F6C010F961B

gcloud

Use the gcloud dns dns-keys list command.

gcloud dns dns-keys list \
--filter='type=keySigning' --format='value(ds_record())' \
--zone=MANAGED_ZONE_NAME

Replace the following:

  • MANAGED_ZONE_NAME: the name of the managed zone

Your output is similar to the following:

18311 8 2 1A347FBF4EDA76375760AEB183E3B0081C9D8BE63384637D46ED5F6C010F961B
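The DS record above is derived from the zone's key-signing DNSKEY: the key tag is computed over the DNSKEY RDATA (RFC 4034 Appendix B) and the digest is SHA-256 over the owner name in wire format followed by that RDATA (RFC 4509, digest type 2). The following added example, which is not part of the Cloud DNS documentation or its tooling, recomputes the DS from a DNSKEY and compares it with the string a registrar form shows, so a copy error is caught before the parent zone is changed; the zone name and the four-byte public key are constructed placeholders.

```python
# Added example: recompute a DS record from the zone's KSK DNSKEY and compare it
# with the DS string the registrar form shows. Follows RFC 4034 Appendix B
# (key tag) and RFC 4509 (DS digest type 2 = SHA-256). Not Cloud DNS code.
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry, mask."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str) -> str:
    """Presentation-format DS with digest type 2: '<keytag> <alg> 2 <SHA-256 hex>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def ds_matches(registrar_ds: str, computed_ds: str) -> bool:
    """Field-by-field comparison; the digest is case-insensitive and may contain spaces."""
    a, b = registrar_ds.split(), computed_ds.split()
    if len(a) < 4 or len(b) < 4:
        return False
    return a[:3] == b[:3] and "".join(a[3:]).lower() == "".join(b[3:]).lower()


if __name__ == "__main__":
    # Constructed placeholders: a 4-byte "public key" and a sample zone name, so the
    # key tag can be checked by hand (it is 2063); real KSKs are hundreds of bytes.
    computed = ds_from_dnskey("example.com.", 257, 3, 8, "AQIDBA==")
    # The DS shown on this page belongs to a different key, so it must not match.
    page_ds = "18311 8 2 1A347FBF4EDA76375760AEB183E3B0081C9D8BE63384637D46ED5F6C010F961B"
    print(computed)
    print("matches page DS:", ds_matches(page_ds, computed))
```

To check a live zone, feed the flags, protocol, algorithm and base64 key from the zone's KSK DNSKEY record into ds_from_dnskey and compare against the DS value copied from the registrar setup dialog.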

Deactivate DNSSEC at your domain registrar

Before you disable DNSSEC for a managed zone that you still want to use, you must first deactivate DNSSEC for that zone at your domain registrar. As long as a DS record for the zone exists in the parent zone, DNSSEC-validating resolvers expect signed responses, so removing the DS record first ensures that those resolvers can still resolve names in the zone once it is unsigned.

To deactivate DNSSEC, you remove all DS records for your domain from the parent zone so that resolvers no longer try to use DNSSEC to validate your domain data. Each registrar has a different procedure for removing these DS records; many registrars use a website form.

You can find domain registrar-specific instructions for many different registrars in the Google Cloud Community Tutorial Activate DNSSEC for Cloud DNS domains.

After the DS records are removed from the registrar, you must wait for the removal of the DS record to propagate to all resolvers before turning off DNSSEC for the zone. This may take 24 hours or longer depending on propagation latency incurred by the registrar or registry and resolver caching.

Once DS records are no longer visible to any resolvers, you can safely turn off DNSSEC for the zone.