All Products
Search
Document Center

Configure DNS Security Extensions

Last Updated: Apr 26, 2020

DNSSEC

DNS Security Extensions (DNSSEC) provides you with digital signatures to verify the destinations URLs that your domain names are redirected to. You can add DNSSEC records to a domain name to authenticate the DNS servers that host your domain name. This helps you avoid attacks such as DNS cache poisoning.

DNSSEC Precautions for use

  1. DNSSEC is currently open to paid version DNS users (unlimited version).

  2. If the DNS function is independently hosted by the subdomain, DNSSEC is not supported.

  3. Using secondary DNS function, DNSSEC is not supported.

  4. When the paid version of DNS expires, if you plan to stop using the paid version of DNS, you should first go to the domain name registrar to delete the DS records, and then close DNSSEC in the cloud resolution DNS console to avoid the failure of the resolution.

  5. When the DNSSEC service has been started and the function of “transfer between domain names and accounts” is used, it refers to the transfer of domain names from account A to account B. First, the DS records shall be deleted from the domain name registrar, and then DNSSEC shall be closed from the cloud resolution DNS console to avoid the failure of resolution.

  6. When the DNSSEC service has been started and the function of “cross-account transfer DNS resolution” is used, the DNS resolution of domain name is transferred from account A to account B. First, the DS records should be deleted from the domain name registrar, and then DNSSEC should be closed from the cloud resolution DNS console to avoid the failure of resolution.

  7. DNSSEC service has been started, when using the “unbind domain name” function, you need to go to the domain name registrar to delete DS records, and then in the cloud resolution DNS console to close DNSSEC, to avoid the resolution failure.

  8. DNSSEC function requires both DNS and DNS to support DNSSEC before it can take effect. Currently, both cloud DNS and aliyun domain name registrar support this service.

DNSSEC Set the method

① The login Cloud resolution DNS console

② Select the domain name to open DNSSEC, and click the resolution Settings button.

解析设置new

③ Menu select DNS security , TAB select DNSSEC, click to open DNSSEC button

开启DNSSEC

④ Copy DS record information such as Key Tag, Algorithm, Digest Type, Digest, and then add a DS record to the domain registrar.

获取DS信息

⑤ Take aliyun domain name registrar as an example, Please refer to the Domain name system security extension(DNSSEC)configuration documentation

DNSSEC effectiveness test method

Please use the Testing tools to test。

Check whether DNSSEC is on

Take dns-example.com as an example, for example, there is no DS displayed in the area of the circle to represent that the DNSSEC service is not opened

未开启DNSSEC

DNSSEC has come into force

In the test page, if each level shows the DS, and there is no red error box, indicating that the DS has been opened and has taken effect.

DNSSEC已生效

DNSSEC inactive

For example, if there is an error report in the red box on the test page, it means that DNSSEC is not effective and can be contacted the after-sales service.

未生效报错