Configuring DNSSEC

What Is DNSSEC?

DNS Security Extensions (DNSSEC) provides digital signatures to ensure data integrity and authenticity of DNS requests and responses and to defend against common attacks such as DNS spoofing. This prevents you from being redirected to unexpected addresses and protects your core services.

Constraints

  • To use DNSSEC, both the domain name registrar and the DNS service provider must support DNSSEC.

  • DNSSEC supports only primary domain names.

  • Before disabling DNSSEC, you need to delete the DS record from the domain name service provider's system.

  • Do not configure CNAME record sets for the second-level domain name. Otherwise, the domain name cannot be resolved normally.

Process Flow

Figure 1 shows the process of configuring DNSSEC for a public zone.

**Figure 1** DNSSEC configuration process


Procedure

  1. Enable DNSSEC.

    1. Log in to the management console.

    2. In the service list, choose Network > Domain Name Service.

      The DNS console is displayed.

    3. In the navigation pane on the left, choose Public Zones.

      The Public Zones page is displayed.

    4. Locate the public zone for which you want to enable DNSSEC and click the domain name.

      The Record Sets tab is displayed.

    5. Click the DNSSEC tab.

    6. Click Enable DNSSEC.

      **Figure 2** Enabling DNSSEC


    7. View and note the following DNSSEC information:

      Key tag, digest algorithm, digest algorithm type, and digest.

      **Figure 3** Viewing DNSSEC details


    8. Go to the domain name registrar to configure a DS record.

  2. Configure a DS record.

    The following steps apply to domain names registered with a domain name registrar and are for reference only. For details, see the operation guide on the official website of the domain name registrar.

    1. Create a DS record for DNSSEC on your domain name registrar's website.

    2. Configure the parameters as prompted and enter the DNSSEC information recorded in step 1.7.

      • Key Tag: Enter the recorded key tag.

      • Algorithm: Enter the recorded signature algorithm type and signature algorithm.

        Format: Signature algorithm type-Signature algorithm

      • Digest Type: Enter the recorded digest algorithm type and digest algorithm.

        Format: Digest algorithm type-Digest algorithm

      • Digest: Enter the recorded digest.

Verification

Use the test tool to verify that the configuration has taken effect.
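
A DS record whose key tag or digest does not match the zone's DNSKEY causes validating resolvers to reject the zone's answers, so the values entered at the registrar are worth checking against the key itself. The following Python code is an added example, not part of the original guide or the provider's tooling: it derives the key tag and digest from a DNSKEY (RFC 4034) and lists the DS fields that differ. The zone name, the 64-byte key and all function names are constructed for illustration; it assumes you have obtained the zone's DNSKEY fields separately (for example, from a DNSKEY query).

```python
import base64
import hashlib

# DS digest type number -> hash function (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1, RSA/MD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(zone):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in zone.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(zone, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Derive the DS fields a registrar form asks for from the zone's DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_wire(zone) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def ds_mismatches(entered, derived):
    """Names of the DS fields whose entered value differs from the derived one."""
    def norm(field, value):
        # Digests are compared case-insensitively, ignoring pasted whitespace.
        return "".join(str(value).split()).upper() if field == "digest" else int(value)
    return [f for f in derived if norm(f, entered[f]) != norm(f, derived[f])]

# Constructed sample: placeholder zone and a 64-byte dummy key, not a real DNSKEY.
SAMPLE_ZONE = "example.com."
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DS = ds_from_dnskey(SAMPLE_ZONE, 257, 3, 13, SAMPLE_KEY, 2)

if __name__ == "__main__":
    typed = dict(SAMPLE_DS, key_tag=SAMPLE_DS["key_tag"] + 1)  # simulated typo
    print(SAMPLE_DS)
    print("mismatched fields:", ds_mismatches(typed, SAMPLE_DS))
```

An empty list from `ds_mismatches` means the recorded key tag, algorithm, digest type and digest all correspond to the supplied DNSKEY.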