Alibaba Cloud DNS: Configure DNS Security Extensions

Last Updated: Feb 23, 2023

DNSSEC

DNS Security Extensions (DNSSEC) uses digital signatures to verify the destinations that your domain names resolve to. You can add DNSSEC records to a domain name to authenticate the responses from the DNS servers that host your domain name. This helps you avoid attacks such as DNS cache poisoning.

DNSSEC usage precautions

  1. DNSSEC is currently available to users of the paid version of DNS (unlimited version).

  2. If DNS for a subdomain is hosted independently, DNSSEC is not supported.

  3. DNSSEC is not supported when the secondary DNS function is used.

  4. When the paid version of DNS expires and you plan to stop using it, first delete the DS records at the domain name registrar, and then disable DNSSEC in the Alibaba Cloud DNS console to avoid resolution failures.

  5. When DNSSEC is enabled and you use the “transfer between domain names and accounts” function, that is, you transfer a domain name from account A to account B, first delete the DS records at the domain name registrar, and then disable DNSSEC in the Alibaba Cloud DNS console to avoid resolution failures.

  6. When DNSSEC is enabled and you use the “cross-account transfer DNS resolution” function, that is, you transfer the DNS resolution of a domain name from account A to account B, first delete the DS records at the domain name registrar, and then disable DNSSEC in the Alibaba Cloud DNS console to avoid resolution failures.

  7. When DNSSEC is enabled and you use the “unbind domain name” function, first delete the DS records at the domain name registrar, and then disable DNSSEC in the Alibaba Cloud DNS console to avoid resolution failures.

  8. DNSSEC takes effect only when both the DNS provider and the domain name registrar support DNSSEC. Currently, both Alibaba Cloud DNS and the Aliyun domain name registrar support this service.

How to set up DNSSEC

1. Log on to the Alibaba Cloud DNS console.

2. Click a domain name to go to the DNS Settings page.

3. In the left-side navigation pane of the DNS Settings page, click DNS Protection, and then enable DNSSEC.

4. Copy the DS record information, such as Key Tag, Algorithm, Digest Type, and Digest, and then add a DS record at the domain registrar.

Figure: Obtain the DS information

5. For an example that uses the Aliyun domain name registrar, refer to the Domain name system security extension (DNSSEC) configuration documentation.
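
The DS fields copied in step 4 (Key Tag, Algorithm, Digest Type, Digest) are all derived from the zone's DNSKEY record, so a copy-paste error at the registrar can be caught before it causes resolution failures. The following Python sketch is an added example, not Alibaba Cloud code: it recomputes the fields as specified in RFC 4034 and compares them with a DS tuple. The function names are illustrative and the sample key is constructed placeholder bytes, not a real key.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata, digest_type):
    """Return (key_tag, algorithm, digest_type, digest_hex) for a DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches(owner, rdata, ds):
    """Compare a DS tuple copied from the console or registrar with the DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False  # unknown digest type: treat as a mismatch
    want = make_ds(owner, rdata, dtype)
    return (tag, alg, digest.replace(" ", "").upper()) == (want[0], want[1], want[3])

# Constructed sample: KSK flags 257, protocol 3, algorithm 13, placeholder key bytes.
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))
SAMPLE_DS = make_ds("dns-example.com", SAMPLE_RDATA, 2)

if __name__ == "__main__":
    print("DS fields:", SAMPLE_DS)
    print("match:", ds_matches("dns-example.com.", SAMPLE_RDATA, SAMPLE_DS))
```
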

How to test whether DNSSEC is in effect

Use the Testing tools to run the test.

Check whether DNSSEC is enabled

Take dns-example.com as an example. If no DS is displayed in the circled area, the DNSSEC service is not enabled.

Figure: DNSSEC not enabled

DNSSEC is in effect

On the test page, if each level shows the DS and there is no red error box, DNSSEC has been enabled and has taken effect.

Figure: DNSSEC in effect

DNSSEC is not in effect

If an error is reported in a red box on the test page, DNSSEC is not in effect. In this case, you can contact the after-sales service.

Figure: Error reported when DNSSEC is not in effect