Setting Up DNSSEC security

Domain Name System Security Extensions (DNSSEC) help protect your domain from domain name server (DNS) threats, like cache poison attacks and DNS spoofing.

How to change your DNSSEC setting

How you turn on DNSSEC depends on how you’ve set up your name servers. Choose the implementation option that matches your setup below.

We strongly recommend you do not change your name servers while DNSSEC is enabled. If you do, your domain may not resolve.

Google Domains name servers

If you’re using Google Domains name servers, you can turn on DNSSEC with one click. Follow these instructions:

  1. Sign in to Google Domains.
  2. Select the name of your domain.
  3. Open the menu Menu
  4. Click DNS.
  5. Scroll to "DNSSEC".
  6. Click Enable DNSSEC or Disable DNSSEC to change the domain’s setting.

When you turn on DNSSEC, it takes roughly 2 hours for DNSSEC to activate completely. When you turn it off, there’s a delay of up to 2 days before deactivation.

Custom name servers

If you have custom name servers, you may need a third-party DNS provider to configure DNSSEC for your domain. Additionally, you must activate DNSSEC on Google Domains. Follow the instructions below:
  1. Identify the one or more DNSKEY records your DNS provider created for your domain.
  2. Obtain the following values from your DNS provider:
    • Key tag: Numeric value that refers to an existing DNSKEY record.
    • Algorithm: Encryption algorithm that created the security key in the DNSKEY record. Usually paired with a hash function, as in RSA/SHA1.
    • Digest type: Algorithm used to create the digest of DNSKEY record. Also called “digest algorithm,” “digest hash,” or “digest hash function."
    • Digest: Hashed value of the DNSKEY record that uniquely identifies it without exposing the value of the key. Depending on the digest type, the length is:
      1. SHA1 - 40 hexadecimal digits
      2. SHA256 - 64 hexadecimal digits
      3. SHA384 - 96 hexadecimal digits
  3. For each DNSKEY record, create at least one delegation of signing (DS) resource record. Follow these steps:
    1. Sign in to Google Domains.
    2. Select the name of your domain.
    3. Open the menu Menu.
    4. Click DNS.
    5. Scroll to "DNSSEC".
    6. Create an entry using the values from previous steps. 
Was this helpful?
How can we improve it?