Set up DNSSEC security

Domain Name System Security Extensions (DNSSEC) help protect your domain from Domain Name System (DNS) threats, like cache poisoning attacks and DNS spoofing.

Change your DNSSEC setting

How you turn on DNSSEC depends on how you set up your name servers. Choose the implementation option that matches your setup below.

Important: If you change your name servers while DNSSEC is enabled, the DNSSEC configuration may not update.

Change your domain's setting

If you use Google Domains name servers, you can turn on DNSSEC with one click. Follow these instructions:

  1. Sign in to Google Domains.
  2. Select your domain.
  3. Open the Menu.
  4. Click DNS.
  5. Scroll to the "DNSSEC" box.
  6. Interact with the action button on the card to enable or disable DNSSEC.

When you turn on DNSSEC, it takes roughly 2 hours for DNSSEC to activate completely. When you turn it off, there’s a delay of up to 2 days before deactivation.

Custom name servers

If you have custom name servers, you may need a third-party DNS provider to configure DNSSEC for your domain. Additionally, you must activate DNSSEC on Google Domains.
To activate DNSSEC:
  1. Identify the one or more DNSKEY records your DNS provider created for your domain.
  2. Obtain the following values from your DNS provider:
    • Key tag: Numeric value that refers to an existing DNSKEY record.
    • Algorithm: Cryptographic signing algorithm of the key in the DNSKEY record. Usually paired with a hash function, as in RSA/SHA1.
    • Digest type: Algorithm used to create the digest of a DNSKEY record. Also called “digest algorithm,” “digest hash,” or “digest hash function.”
    • Digest: Hashed value of the DNSKEY record that uniquely identifies it and doesn't expose the value of the key. Depending on the digest type, the length is:
      1. SHA1 - 40 hexadecimal digits
      2. SHA256 - 64 hexadecimal digits
      3. SHA384 - 96 hexadecimal digits
  3. For each DNSKEY record, create at least one delegation of signing (DS) resource record. Follow these steps:
    1. Sign in to Google Domains.
    2. Select the name of your domain.
    3. Open the Menu.
    4. Click DNS.
    5. Scroll to "DNSSEC."
    6. Create an entry with the values from Step 2.
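
As an added example (not code from Google Domains or from any DNS provider), the following Python script derives the four DS values described in Step 2 from a DNSKEY record, following RFC 4034, so you can check the values a provider gave you before you create the entry. The owner name, the sample key and every function name here are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest type number -> hashlib name (type 3, GOST, is not handled here)
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}


def dnskey_rdata(text):
    """Parse 'flags protocol algorithm base64key' into wire-format RDATA."""
    flags, proto, alg, *key = text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))


def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B (not valid for obsolete algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire form of a domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def make_ds(owner, dnskey_text, digest_type=2):
    """Return (key tag, algorithm, digest type, digest) for one DNSKEY."""
    rdata = dnskey_rdata(dnskey_text)
    digest = hashlib.new(DIGESTS[digest_type], owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(owner, dnskey_text, ds_text):
    """True if a provider-supplied 'tag alg type digest' line matches the DNSKEY."""
    tag, alg, dtype, *digest = ds_text.split()
    if int(dtype) not in DIGESTS:
        return False
    expected = (int(tag), int(alg), int(dtype), "".join(digest).upper())
    return make_ds(owner, dnskey_text, int(dtype)) == expected


# Constructed sample: flags 257, protocol 3, algorithm 13, placeholder key bytes.
SAMPLE_KEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print("example.com. IN DS", *make_ds("example.com", SAMPLE_KEY))
```

A DS entry that does not match the published DNSKEY makes validating resolvers reject the domain's answers, so run the check with the exact owner name of the zone.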