Setting up DNSSEC security

Domain Name System Security Extensions (DNSSEC) help protect your domain from Domain Name System (DNS) threats, such as cache poisoning attacks and DNS spoofing.

How to change your DNSSEC setting

How you turn on DNSSEC depends on how you've set up your name servers. Choose the implementation option that matches your setup below.

We strongly recommend that you do not change your name servers while DNSSEC is enabled. If you do, your domain may not resolve.

Google Domains name servers

If you're using Google Domains name servers, you can turn on DNSSEC with one click. Follow these instructions:

  1. Navigate to Google Domains: domains.google.com/registrar.
  2. In the left-hand navigation menu, click My domains.
  3. Find the domain name that you'd like to change your DNSSEC setting for. Select the DNS tab.
  4. Scroll to DNSSEC.
  5. Toggle Enable DNSSEC/Disable DNSSEC to change the domain's setting.

When you turn on DNSSEC, it takes roughly two hours for DNSSEC to activate completely. When you turn it off, there's a delay of up to two days before deactivation.

Custom name servers

If you have custom name servers, you may need a third-party DNS provider to configure DNSSEC for your domain. Additionally, you must activate DNSSEC on Google Domains. Follow the instructions below:

  1. Identify one or more DNSKEY records that your DNS provider created for your domain.
  2. Obtain the following values from your DNS provider:
    • Key tag: Numeric value that refers to an existing DNSKEY record.
    • Algorithm: Cryptographic algorithm that created the security key in the DNSKEY record. Usually paired with a hash function, as in RSA/SHA1.
    • Digest type: Algorithm used to create the digest of the DNSKEY record. Also called 'digest algorithm', 'digest hash' or 'digest hash function'.
    • Digest: Hashed value of the DNSKEY record that uniquely identifies it without exposing the value of the key. Depending on the digest type, the length is:
      1. SHA1 – 40 hexadecimal digits
      2. SHA256 – 64 hexadecimal digits
      3. SHA384 – 96 hexadecimal digits
  3. For each DNSKEY record, create at least one delegation of signing (DS) resource record. Follow these steps:
    1. Navigate to Google Domains: domains.google.com/registrar
    2. In the left-hand navigation menu, click My domains
    3. Find the domain name that you'd like to create a DS record for. Click the DNS tab.
    4. Scroll to DNSSEC.
    5. Create an entry using the values from previous steps. 
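
Before creating the DS entry, you can cross-check the four values from your DNS provider against the DNSKEY record itself. The following is an added example, not Google Domains or provider code: it derives the key tag and digest the way RFC 4034 defines them, using a constructed placeholder key and the assumed names example.com, SAMPLE_KEY and matches_provider.

```python
import hashlib
import struct

# DS digest type number -> (hashlib name, hex digits expected for that type)
DIGEST_TYPES = {1: ("sha1", 40), 2: ("sha256", 64), 4: ("sha384", 96)}
# Constructed placeholder key bytes (64 bytes, the key length for algorithm 13).
SAMPLE_KEY = bytes(range(64))

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lowercase) wire form of the owner name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_record(name, flags, protocol, algorithm, public_key, digest_type):
    """Return (key tag, algorithm, digest type, digest) for one DNSKEY."""
    hash_name, hex_len = DIGEST_TYPES[digest_type]
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.new(hash_name, owner_wire(name) + rdata).hexdigest().upper()
    if len(digest) != hex_len:
        raise ValueError("unexpected digest length for digest type %d" % digest_type)
    return key_tag(rdata), algorithm, digest_type, digest

def matches_provider(computed, provided):
    """Compare computed DS fields with the provider's, ignoring case and spaces."""
    tag, alg, dtype, digest = provided
    clean = "".join(str(digest).split()).upper()
    return computed == (int(tag), int(alg), int(dtype), clean)

if __name__ == "__main__":
    # Constructed sample: flags 257, protocol 3, algorithm 13, one DS per digest type.
    for dtype in DIGEST_TYPES:
        print(ds_record("example.com", 257, 3, 13, SAMPLE_KEY, dtype))
```

A mismatch in any of the four fields means the DS entry would not refer to the DNSKEY your provider is publishing, so resolve it with the provider before saving the entry.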