Overview
DNS Security Extensions (DNSSEC) can help you prevent attacks such as Domain Name System (DNS) cache poisoning. DNSSEC uses digital signatures to verify the authenticity and integrity of DNS response packets. This ensures that customers are not redirected to forged URLs, improves customers' trust in the Internet, and protects your core business.
Usage notes
DNSSEC is available to users of paid Public Authoritative DNS Resolution instances.
If a subdomain name is independently hosted by DNS servers, DNSSEC cannot be enabled for the subdomain name.
If the secondary DNS feature is enabled for a domain name, DNSSEC cannot be enabled for the domain name.
After a paid Public Authoritative DNS Resolution instance expires, if you no longer need to use the paid instance, you must first go to the domain name registrars to delete the delegation signer (DS) records added for the domain names bound to the instance, and then disable DNSSEC in the Alibaba Cloud DNS console to prevent the failure of resolution on the domain names.
After DNSSEC is enabled for a domain name and the domain name is transferred from Account A to Account B, you must first delete the DS record added for the domain name at the domain name registrar, and then disable DNSSEC in the Alibaba Cloud DNS console to prevent the failure of resolution on the domain name.
After DNSSEC is enabled for a domain name and the DNS records of the domain name are transferred from Account A to Account B, you must first delete the DS record added for the domain name at the domain name registrar, and then disable DNSSEC in the Alibaba Cloud DNS console to prevent the failure of resolution on the domain name.
After DNSSEC is enabled for a domain name and the domain name is unbound from a paid instance, you must first delete the DS record added for the domain name at the domain name registrar, and then disable DNSSEC in the Alibaba Cloud DNS console to prevent the failure of resolution on the domain name.
DNSSEC takes effect only if both the DNS service provider and the domain name registrar support DNSSEC. Alibaba Cloud DNS and Alibaba Cloud support DNSSEC.
Procedure for enabling DNSSEC
Log on to the Alibaba Cloud DNS console.
On the Authoritative Domain Names tab of the Domain Name Resolution page, find the domain name for which you want to enable DNSSEC and click DNS Settings in the Actions column.
Click the DNS Protection tab and click the DNSSEC tab. On the DNSSEC tab, click Enable DNSSEC.
Copy the information about the DS record such as Key Tag, Encryption Algorithm, Digest Type, and Digest, and add a DS record at the domain name registrar.
If the domain name registrar is Alibaba Cloud, refer to Configure DNSSEC.
Method of testing DNSSEC effectiveness
Click here to test DNSSEC effectiveness.
Check whether DNSSEC is enabled
Take dns-example.com as an example. If no DS is displayed in the space enclosed by the yellow circle, DNSSEC is disabled for dns-example.com.
DNSSEC takes effect
On the test page, if DS is displayed at each level and no red box with a warning notice appears, DNSSEC is enabled and takes effect.
DNSSEC does not take effect
If a red box with a warning notice appears on the test page, DNSSEC does not take effect. You can submit a ticket to troubleshoot.
Procedure for disabling DNSSEC
Step 1: Delete the DS record at the domain name registrar
The following section describes how to delete the DS record of a domain name registered with Alibaba Cloud.
Log on to the Domains console.
In the left-side navigation pane, click Domain Names. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation pane, choose DNS Management > DNSSEC Configurations and click Delete in the Actions column that corresponds to the desired DS record.
Step 2: Disable DNSSEC in the Alibaba Cloud DNS console
Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, find the desired domain name and click DNS Settings in the Actions column.
Click the DNS Protection tab and click the DNSSEC tab. On the DNSSEC tab, click Disable DNSSEC.
Warning: Perform the preceding operations in order. Otherwise, the resolution on the domain name may fail.