Set up DNSSEC security

To prevent threats like cache poisoning attacks and DNS spoofing, Domain Name System Security Extensions (DNSSEC) authenticates exchanges of information.
Domain Name System (DNS) translates human-readable domain names like google.com into the machine-readable IP addresses for a given website like 172.217.3.206.
To use this additional security, you must set up DNSSEC for a domain name. To complete DNSSEC setup, you must:
  • Add DNSSEC-related resource records to your DNS or signing zone.
  • Publish DNS resource records for your domain.
After you do these steps, you must first wait for the changes to update across the internet. This can take up to 24 hours. If you use Google Domains automatic DNSSEC setup, we handle both steps for you, which includes the waiting periods.
Some Top-level Domains (TLDs) accept DNS Public Key (DNSKEY) records instead of Delegation Signer (DS) records. You can turn on DNSSEC for either Google name servers or custom name servers. Learn how to manage domain name servers.

Enable DNSSEC for your domain

How you enable DNSSEC for your domain depends on how you manage your name servers.
If you use Google Domains name servers
Tip: If you originally purchased your domain name from Google Domains, DNSSEC may already be set up for you.
  1. Sign in to Google Domains.
  2. Select the name of your domain.
  3. In the top left, select Menu and then DNS.
  4. If it’s not already selected, at the top of the page, select Google Domains (Active).
    • At the top of the page, if “Google Domains (Active)” is displayed beside “Custom,” you’re on Google Domains’ default name servers.
  5. Scroll to the "DNSSEC" card.
    • If DNSSEC is already turned on, “DNSSEC enabled” is displayed.
  6. Click Turn on.
When you turn on DNSSEC, Google Domains automatically signs your DNS zone and publishes your DS records within 2 hours. Once these update across the internet, your domain is protected by DNSSEC. This can take up to 24 hours.
If you want to bypass any waiting periods between steps, expand the “DNSSEC” card and use the buttons there. For example, if you don’t wish to wait for your DS records to be published, click Publish DS records now.
If you use custom name servers
If you use custom name servers, you need to work with your third-party DNS provider to sign the DNS zone for your domain. For each DNSKEY, get the following values from your DNS provider:
  • Key tag: Numeric value that refers to an existing DNSKEY record.
  • Algorithm: Cryptographic algorithm used to create the key in the DNSKEY record. It’s usually paired with a hash function, as in RSA/SHA1.
  • Digest type: Algorithm used to create the digest of a DNSKEY record. It’s also called digest algorithm, digest hash, or digest hash function.
  • Digest: Hashed value of the DNSKEY record that uniquely identifies it and doesn't expose the value of the key. Based on the digest type, the length can be:
    • SHA1 - 40 hexadecimal digits
    • SHA256 - 64 hexadecimal digits
    • SHA384 - 96 hexadecimal digits
For each DNSKEY record, create at least one Delegation Signer (DS) resource record in Google Domains:
  1. Sign in to Google Domains.
  2. Select the name of your domain.
  3. In the top left, select Menu and then DNS.
  4. If it’s not already selected, click Custom (Active) at the top of the page.
    • At the top of the page, if “Google Domains (Active)” is displayed beside “Custom,” you’re on Google Domains’ default name servers.
  5. Scroll to the “DNSSEC” box.
  6. Select Manage DS records.
  7. Enter the information from your DNS provider. To add multiple records at the same time, click Create new record.
  8. When you’re done, click Save.

Deactivate DNSSEC for your domain

If you use Google Domains name servers
  1. Sign in to Google Domains.
  2. Select the name of your domain.
  3. In the top left, select Menu and then DNS.
  4. If it’s not already selected, click Google Domains (Active) at the top of the page.
    • At the top of the page, if “Google Domains (Active)” is displayed beside “Custom,” you’re on Google Domains’ default name servers.
  5. Scroll down to the “DNSSEC” box.
  6. Select Turn off.
When you turn off DNSSEC, Google Domains immediately unpublishes your domain’s DS records. Once that change updates across the internet, your domain is no longer DNSSEC protected. This can take up to 48 hours. After that, Google Domains may unsign your DNS zone to complete the DNSSEC deactivation.
If you use custom name servers
To complete the deactivation process, you need to remove DS records from Google Domains and work directly with your DNS provider to remove your DNSKEY resource records from your zone file.
  1. Sign in to Google Domains.
  2. Select the name of your domain.
  3. In the top left, select Menu and then DNS.
  4. If it’s not already selected, click Custom (Active) at the top of the page.
    • At the top of the page, if “Google Domains (Active)” is displayed beside “Custom,” you’re on Google Domains’ default name servers.
  5. Select Manage DS records.
  6. Select Delete beside all records.
  7. Select Save.
You can also work with your DNS provider to remove your DNSSEC-related resource records from your zone.

Use DNSKEY

If you use Google name servers
On Google Domains, you can check if the Domain Name System Security Extensions (DNSSEC) of your domain is on or off.
  1. On your computer, open Google Domains.
  2. Sign in with the Google Account you used to buy your domain.
  3. Select the domain name you want to manage.
  4. At the top left, select Menu and then DNS.
  5. If it's not already selected, check Google Domains (Active) at the top of the page.
    • At the top of the page, if “Google Domains (Active)” is displayed beside “Custom,” you’re on Google Domains’ default name servers.
  6. Under “DNSSEC,” check if “DNSSEC enabled” is displayed.
    • If not, click Turn on.
  7. Optional: If you choose not to wait for your DNSKEY records to be published, under “DNSSEC,” click Publish records now.
Updates may take up to 24 hours. When DNSSEC is on, Google Domains signs into the registry and publishes your DNSKEY records within 2 hours.
If you use custom name servers
If you use custom name servers, you must contact your third-party DNS provider to sign the DNS zones for your domain.
For each DNSKEY, you can get these values from your DNS provider:
  • Flags: Information that lets the DNS and resolvers know how to interpret the DNSKEY record. By default, this value is set to 256 or 257.
  • Protocol: Indicates the version of DNSSEC used. This value is always set to 3.
  • Algorithm: Indicates the type of cryptographic algorithm used for the public/private key pair.
  • Public key: The key that DNS resolvers use to validate the DNS records haven’t been tampered with.
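
Added example (not Google Domains or DNS provider code): a Python check that a DS record (key tag, algorithm, digest type, digest) really corresponds to a DNSKEY record (flags, protocol, algorithm, public key), using the key tag and digest calculations from RFC 4034. The domain example.com and the 64-byte placeholder key are constructed sample values, and the function names are illustrative.

```python
import base64
import hashlib
import struct

# DS digest-type numbers for the digest types listed on this page: (hashlib name, hex digits)
DIGEST_TYPES = {1: ("sha1", 40), 2: ("sha256", 64), 4: ("sha384", 96)}

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Pack the four DNSKEY fields into wire-format RDATA."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except the obsolete 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(domain):
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in domain.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(domain, rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA), as uppercase hex."""
    return hashlib.new(DIGEST_TYPES[digest_type][0], wire_name(domain) + rdata).hexdigest().upper()

def check_ds(domain, dnskey, ds):
    """Return the problems found in a DS record; an empty list means it matches."""
    flags, protocol, algorithm, key_b64 = dnskey
    tag, ds_alg, digest_type, digest = ds
    problems = []
    if protocol != 3:
        problems.append("protocol must be 3")
    if digest_type not in DIGEST_TYPES:
        return problems + [f"unsupported digest type {digest_type}"]
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = digest.replace(" ", "").upper()
    if len(digest) != DIGEST_TYPES[digest_type][1]:
        problems.append("digest length does not fit digest type")
    if tag != key_tag(rdata):
        problems.append("key tag mismatch")
    if ds_alg != algorithm:
        problems.append("algorithm mismatch")
    if digest != ds_digest(domain, rdata, digest_type):
        problems.append("digest mismatch")
    return problems

# Constructed sample, not a real key: 64 placeholder bytes as an algorithm-13 key with flags 257.
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
SAMPLE_RDATA = dnskey_rdata(*SAMPLE_DNSKEY)
SAMPLE_DS = (key_tag(SAMPLE_RDATA), 13, 2, ds_digest("example.com", SAMPLE_RDATA, 2))
```

Running check_ds on the values from your DNS provider before you save them catches a DS record that does not match any DNSKEY in the signed zone, which validating resolvers would treat as a failure for the whole domain.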

To add a DNSKEY record:

  1. On your computer, open Google Domains.
  2. Sign in with the Google Account you used to buy your domain.
  3. Select the domain name you want to manage.
  4. At the top left, select Menu and then DNS.
  5. If it’s not already selected, click Custom (Active) at the top of the page.
    • At the top of the page, if “Google Domains (Active)” is displayed beside “Custom,” you’re on Google Domains’ default name servers.
  6. Under “DNSSEC,” click Manage records.
  7. Enter flags, protocol, algorithm, and public key from your DNS provider.
    • To add multiple records at the same time, click Create new record.
  8. Click Save.

Updates may take up to 24 hours. When DNSSEC is on, Google Domains signs your DNS zone and publishes your DNSKEY records within 2 hours.

DNSSEC protects your domain while updates are in progress.

If you are unable to set up custom DNSSEC records for your .DE domain, you can check if the records are valid and properly set up. To check if your name servers and records can be used, you can run a DENIC pre-delegation check.