Alibaba Cloud DNS: DNSSEC

Last Updated: Nov 17, 2025

What is DNSSEC

Domain Name System Security Extensions (DNSSEC) is a feature that helps prevent attacks such as DNS spoofing and cache pollution. It uses digital signatures to ensure the authenticity and integrity of DNS response messages. This protects users from being redirected to unintended addresses, which increases trust in the Internet and helps secure your core business.

Notes on using DNSSEC

  1. DNSSEC is available to users of any paid edition of Alibaba Cloud DNS.

  2. If you use the subdomain hosting feature, you cannot enable DNSSEC.

  3. If you use the Secondary DNS feature, you cannot enable DNSSEC.

  4. If your paid Alibaba Cloud DNS subscription expires and you do not plan to renew it, first delete the DS record at your domain name registrar. Then, disable DNSSEC in the Alibaba Cloud DNS console. This prevents domain name resolution failures.

  5. If you have DNSSEC enabled and want to transfer a domain name from Account A to Account B, first delete the DS record at your domain name registrar. Then, disable DNSSEC in the Alibaba Cloud DNS console. This prevents domain name resolution failures.

  6. If you have DNSSEC enabled and want to transfer the DNS resolution service for a domain name from Account A to Account B, first delete the DS record at your domain name registrar. Then, disable DNSSEC in the Alibaba Cloud DNS console. This prevents domain name resolution failures.

  7. If you have DNSSEC enabled and want to detach a domain name, first delete the DS record at your domain name registrar. Then, disable DNSSEC in the Alibaba Cloud DNS console. This prevents domain name resolution failures.

  8. For DNSSEC to work, both your domain name resolution provider and your domain name registrar must support it. Both Alibaba Cloud DNS and the Alibaba Cloud domain name registrar support this feature.

Enable DNSSEC

  1. Log on to the Alibaba Cloud DNS - Authoritative Zone page. Select the domain name for which you want to enable DNSSEC, and then click More > DNSSEC Settings.

  2. On the DNSSEC Settings page, enable DNSSEC.

  3. Copy the DS record information, such as Key Tag, Encryption Algorithm, Digest Type, and Digest. Then, add a DS record at your domain name registrar.

  4. For example, if your registrar is Alibaba Cloud, see Configure DNSSEC.
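
A DS record is derived entirely from the zone's DNSKEY, so the Key Tag and Digest copied in step 3 can be recomputed and compared before they are saved at the registrar. The following Python is an added example, not Alibaba Cloud code; the function names are illustrative, and the sample key is the published test vector from RFC 4034 section 5.4 and RFC 4509 section 2.3, not a real zone's key.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # by DS Digest Type

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA on the wire: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key Tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """DS Digest = hash(owner name | DNSKEY RDATA), as uppercase hex."""
    return DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()

def check_ds(owner, dnskey, ds):
    """Return the names of DS fields that disagree with the DNSKEY (empty list = match)."""
    rdata = dnskey_rdata(*dnskey)
    tag, algorithm, digest_type, digest = ds
    problems = []
    if tag != key_tag(rdata):
        problems.append("Key Tag")
    if algorithm != dnskey[2]:
        problems.append("Algorithm")
    if digest_type not in DIGESTS:
        problems.append("Digest Type")
    elif "".join(digest.split()).upper() != ds_digest(owner, rdata, digest_type):
        problems.append("Digest")
    return problems

# Sample input: published test vector from RFC 4034 section 5.4 / RFC 4509 section 2.3
OWNER = "dskey.example.com."
DNSKEY = (256, 3, 5,  # flags, protocol, algorithm, public key
    "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZ"
    "DRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/rljwvFw==")
DS = (60485, 5, 2,  # Key Tag, Algorithm, Digest Type, Digest
    "D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A")

print(check_ds(OWNER, DNSKEY, DS) or "DS matches the published DNSKEY")
```

To check a real zone, replace the sample tuples with the fields of the zone's published DNSKEY record (for example, from `dig DNSKEY` output) and the DS values shown on the DNSSEC Settings page.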

Test if DNSSEC is enabled

Use this testing tool.

Check whether DNSSEC is enabled

For example, for dns-example.com, if DS is not displayed in the circled area, DNSSEC is not enabled.

[Screenshot: DNSSEC not enabled]

DNSSEC is enabled

If DS is displayed at each level on the test page and no red error boxes appear, DNSSEC is successfully enabled.

[Screenshot: DNSSEC has taken effect]

DNSSEC has not taken effect

For example, if a red error box appears on the test page, DNSSEC has not taken effect. You can submit a ticket to troubleshoot the issue.

[Screenshot: error shown when DNSSEC has not taken effect]

Disable DNSSEC

Step 1: Delete the DS record at your domain name registrar

Example for a domain name registered with Alibaba Cloud:

  1. Log on to the Domain Names console.

  2. On the Domain Names page, find the target domain name and click Manage in the Actions column.

  3. In the navigation pane on the left, click DNSSEC Configurations. Then, find the DS record and click Delete.

Step 2: Disable DNSSEC in the Alibaba Cloud DNS console

  1. On the Alibaba Cloud DNS - Authoritative Zone page, select the domain name, and then click More > DNSSEC Configurations.

  2. On the DNSSEC Configuration page, disable the feature.

    Warning

    You must perform Step 1 and Step 2 in order. Otherwise, domain name resolution failures may occur.

FAQ

Do yellow warnings in the DNSSEC validation results have any impact?

Yellow warnings do not affect the DNSSEC functionality for your domain name. Because Alibaba Cloud's authoritative DNS uses smart resolution, the IP address returned by the authoritative DNS may be different from the authenticated glue address record. This is normal behavior.