Set up DNSSEC security

To defend against threats like cache poisoning and DNS spoofing, Domain Name System Security Extensions (DNSSEC) add digital signatures to DNS records so that resolvers can verify that the answers they receive are authentic and unmodified. DNSSEC provides authenticity and integrity, not confidentiality: queries and answers are still sent in the clear.

Domain Name System (DNS) translates human-readable domain names like google.com into the machine-readable IP addresses of the servers behind them, like 172.217.3.206.

To use this additional security, you must set up DNSSEC for your domain name. DNSSEC setup has two parts:

  • Sign your DNS zone. This adds the DNSSEC resource records (DNSKEY, RRSIG, and NSEC or NSEC3) to the zone served by your name servers.
  • Publish DS records for your domain in the parent zone (the top-level domain), which is done through your registrar. The DS record is the link from the parent zone to the key that signs your zone.

After you complete these steps, you must wait for the changes to propagate across the internet. This can take up to 24 hours. If you use Google Domains automatic DNSSEC setup, we handle both steps for you, including the waiting periods.

Enable DNSSEC for your domain

How you enable DNSSEC for your domain depends on how you manage your name servers.

• If you use Google Domains name servers

Tip: If you originally purchased your domain name from Google Domains, DNSSEC may already be set up for you.

  1. Sign in to Google Domains.
  2. Select the name of your domain.
  3. In the top left, select Menu and then DNS.
  4. If it’s not already selected, at the top of the page, select Google Domains (Active).

Tip: At the top of the page, if “Google Domains (Active)” is displayed beside “Custom,” you’re on Google Domains’ default name servers.

  5. Scroll to the "DNSSEC" card.

Tip: If DNSSEC is already turned on, “DNSSEC enabled” is displayed.

  6. Click Turn on.

When you turn on DNSSEC, Google Domains automatically signs your DNS zone and publishes your DS records within 2 hours. Once these update across the internet, your domain is protected by DNSSEC. This can take up to 24 hours.

If you want to bypass any waiting periods between steps, expand the “DNSSEC” card and use the buttons there. For example, if you don’t wish to wait for your DS records to be published, click Publish DS records now.

• If you use custom name servers

If you use custom name servers, you need to work with your third-party DNS provider to sign the DNS zone for your domain. For each DNSKEY, get the following values from your DNS provider:

  • Key tag: 16-bit number computed from the DNSKEY record’s data (RFC 4034, Appendix B). It identifies which DNSKEY a DS record refers to, but it is a checksum, not a unique ID: two different keys can share a key tag.
  • Algorithm: Numeric identifier of the signature algorithm used with the key in the DNSKEY record, for example 8 for RSA/SHA-256 or 13 for ECDSA P-256/SHA-256. RSA/SHA-1 (algorithm 5) is deprecated and should not be used for new zones.
  • Digest type: Hash algorithm used to create the digest of the DNSKEY record. It’s also called digest algorithm, digest hash, or digest hash function. SHA-256 (type 2) is the standard choice; SHA-1 (type 1) is deprecated for new delegations.
  • Digest: Hash of the domain name and the DNSKEY record data. It lets the parent zone identify the exact key without publishing the key itself. Based on the digest type, the length is:
    • SHA1 (type 1) - 40 hexadecimal digits
    • SHA256 (type 2) - 64 hexadecimal digits
    • SHA384 (type 4) - 96 hexadecimal digits

For each DNSKEY record your provider gives you (normally the key-signing key, flags value 257), create at least one delegation signer (DS) resource record in Google Domains:

  1. Sign in to Google Domains.
  2. Select the name of your domain.
  3. In the top left, select Menu and then DNS.
  4. If it’s not already selected, click Custom (Active) at the top of the page.

Tip: At the top of the page, if “Custom (Active)” is displayed beside “Google Domains,” you’re on custom name servers.

  5. Scroll to the "DNSSEC" box.
  6. Select Manage DS records.
  7. Enter the information from your DNS provider. To add multiple records at the same time, click Create new record.
  8. When you’re done, click Save.
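As an added example (not Google Domains code, and not a tool your DNS provider ships), the following Python computes the key tag and digest for a DNSKEY record and checks a DS record against it, so you can confirm that the four values your provider hands you really correspond to the key in your zone before you paste them into Google Domains. It implements the key tag algorithm of RFC 4034 Appendix B and the DS digest of RFC 4034 section 5.1.4 (SHA-256 and SHA-384 digests per RFC 4509 and RFC 6605), covering all three digest types in the table above rather than one case. The zone name example.com and the key bytes are constructed placeholders; a real ECDSA P-256 public key is 64 bytes.

```python
# Added example: derive DS record values from a DNSKEY and verify a DS against it.
# Illustrative code, not Google Domains or any DNS provider's tooling.
import base64
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, then the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, fold the carry in once, keep 16 bits.
    The special case for algorithm 1 (RSA/MD5) is not implemented; that algorithm is obsolete."""
    ac = 0
    for i in range(0, len(rdata), 2):
        word = rdata[i:i + 2].ljust(2, b"\x00")  # odd-length RDATA is zero-padded
        ac += (word[0] << 8) | word[1]
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest: hash(owner name in wire form || DNSKEY RDATA), as lowercase hex."""
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner: str, dnskey_text: str, digest_type: int = 2):
    """Turn a DNSKEY in zone-file form ("257 3 13 <base64>") into the (key tag, algorithm,
    digest type, digest) tuple Google Domains asks for. The base64 may be split by spaces,
    as `dig DNSKEY <zone> +short` prints it."""
    fields = dnskey_text.split()
    flags, protocol, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    rdata = dnskey_rdata(flags, protocol, algorithm, "".join(fields[3:]))
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """Check that a DS line ("<tag> <alg> <digest type> <hex>") was derived from the given DNSKEY.
    Case of the zone name and of the hex digest is ignored; an unknown digest type fails."""
    fields = ds_text.split()
    expected = (int(fields[0]), int(fields[1]), int(fields[2]), "".join(fields[3:]).lower())
    try:
        return make_ds(owner, dnskey_text, expected[2]) == expected
    except KeyError:  # digest type not in DIGEST_ALGOS
        return False


if __name__ == "__main__":
    # Constructed sample: flags 257 marks a key-signing key (KSK), the key a DS normally
    # points at. The key bytes are a placeholder, not a real ECDSA P-256 key.
    sample_dnskey = "257 3 13 AAEAAg=="
    tag, alg, dtype, digest = make_ds("example.com.", sample_dnskey)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

In practice, feed ds_matches() the KSK line from `dig DNSKEY example.com +short` (the one beginning 257) and the DS values you intend to publish. A False result before publishing usually means a copy-paste error or the wrong key (for example the zone-signing key, flags 256, which needs no DS). After publishing, compare against `dig DS example.com +short`: a mismatch there means the parent zone points at a key your zone does not serve, and validating resolvers will fail your domain.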

Deactivate DNSSEC for your domain

• If you use Google Domains name servers

  1. Sign in to Google Domains.
  2. Select the name of your domain.
  3. In the top left, select Menu and then DNS.
  4. If it’s not already selected, click Google Domains (Active) at the top of the page.

Tip: At the top of the page, if “Google Domains (Active)” is displayed beside “Custom,” you’re on Google Domains’ default name servers.

  5. Scroll down to the “DNSSEC” box.
  6. Select Turn off.

When you turn off DNSSEC, Google Domains immediately unpublishes your domain’s DS records. Once that change updates across the internet, your domain is no longer DNSSEC protected. This can take up to 48 hours. After that, Google Domains may unsign your DNS zone to complete the DNSSEC deactivation.

• If you use custom name servers

To complete the deactivation process, you need to remove the DS records from Google Domains and then work directly with your DNS provider to remove the DNSKEY and other DNSSEC resource records from your zone file. The order matters: remove the DS records first and wait for the change to propagate (at least the DS records’ TTL) before your provider unsigns the zone. If the zone is unsigned while the parent zone still publishes a DS record, validating resolvers treat your domain as bogus and fail to resolve it.

  1. Sign in to Google Domains.
  2. Select the name of your domain.
  3. In the top left, select Menu and then DNS.
  4. If it’s not already selected, click Custom (Active) at the top of the page.

Tip: At the top of the page, if “Custom (Active)” is displayed beside “Google Domains,” you’re on custom name servers.

  5. Select Manage DS records.
  6. Select Delete beside all records.
  7. Select Save.

Once the DS records are gone and the change has propagated, work with your DNS provider to remove the DNSKEY, RRSIG, and NSEC or NSEC3 records from your zone.
