DNSSEC and registrars

Activating DNSSEC at your domain registrar

After enabling DNSSEC for your zone, you must activate DNSSEC at your registrar. You do this by creating a DS record for your domain in the parent zone, so that resolvers know your domain is DNSSEC-enabled and can validate its data.

Each registrar has a different procedure to create this DS record; many registrars use a website form.

You can find more details (and domain registrar-specific instructions for many different registrars) in a Google Cloud Community Tutorial.

Deactivating DNSSEC at your Domain Registrar

Before you disable DNSSEC for a managed zone that you still want to use, you must deactivate DNSSEC for your zone at your domain registrar to ensure that DNSSEC-validating resolvers can still resolve names in the zone.

You do this by removing all DS records for your domain from the parent zone, so that resolvers no longer try to validate your domain data with DNSSEC. Each registrar has a different procedure for removing these DS records; many registrars use a website form.

You can find more details (and domain registrar-specific instructions for many different registrars) in a Google Cloud Community Tutorial.

Once the DS records are removed, you can safely turn off DNSSEC for the zone.

Next steps

Was this page helpful? Let us know how we did:

Send feedback about...