Updated on 2025-08-27 GMT+08:00

Configuring DNSSEC

What Is DNSSEC?

Domain Name System Security Extensions (DNSSEC) adds digital signatures to DNS data so that resolvers can verify the integrity and authenticity of DNS responses, defending against common attacks such as DNS spoofing and cache poisoning. This prevents users from being redirected to unexpected addresses and protects your core services.

Constraints

  • To use DNSSEC, both the domain name registrar and the DNS service provider must support DNSSEC.
  • DNSSEC does not support subdomains.
  • Before disabling DNSSEC, you need to delete the DS record from the domain name service provider's system.
  • Before transferring record sets across accounts on the DNS console, delete the DS record from the domain name registrar and then disable DNSSEC on the DNS console; otherwise, DNS resolution may fail.
  • Before transferring a domain name across accounts on the Domains console, delete the DS record and then disable DNSSEC on the DNS console; otherwise, DNS resolution may fail.
  • Do not configure CNAME record sets for the second-level domain name; otherwise, the domain name cannot be resolved normally.
  • When adding a record set for a domain name with DNSSEC enabled, disable Alias. Otherwise, the domain name cannot be resolved.

Process Flow

Figure 1 shows the process of configuring DNSSEC for a public zone.

Figure 1 DNSSEC configuration process

Procedure

  1. Enable DNSSEC.

    1. Go to the Public Zones page.
    2. Locate the public zone for which you want to enable DNSSEC and click the domain name.
    3. Click the DNSSEC tab.
    4. Click Enable DNSSEC.
      Figure 2 Enabling DNSSEC
    5. View and take a note of the following DNSSEC information:
      Key tag, digest algorithm, digest algorithm type, and digest.
      Figure 3 Viewing DNSSEC details
    6. Go to the domain name registrar to configure a DS record.

  2. Configure a DS record.

    The following steps apply to domain names not registered with Huawei Cloud and are provided for reference only. For details, see the operation guide on the domain name registrar's official website.

    1. Log in to the management console.
    2. In the public zone list, locate the public zone and click More > Manage in the Operation column.
    3. Click DNSSEC.
    4. Click Add DS Record.
    5. Configure the parameters as prompted, entering the DNSSEC information recorded in step 1.5:
      • Key Tag: Enter the recorded key tag.
      • Algorithm: Enter the recorded signature algorithm type and signature algorithm.

        Format: Signature algorithm type-Signature algorithm

      • Digest Type: Enter the recorded digest algorithm type and digest algorithm.

        Format: Digest algorithm type-Digest algorithm

      • Digest: Enter the recorded digest.
    6. Click OK.

Verification

Use the test tool to verify that the configuration has taken effect.

  • On the test page, if DS is displayed at all layers and no error message in red is displayed, the DS function has been enabled and taken effect.

  • If an error message in a red box is displayed on the test page, the DNSSEC configuration has not taken effect. In this case, submit a service ticket for troubleshooting.

  • If DS is not displayed in the red box in the following figure, no DS record is configured or DNSSEC is not enabled. In this case, check the DS configuration and enable DNSSEC.
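The key tag and digest that the procedure asks you to record, and the check behind the verification above, can be reproduced offline. The following Python script is an added example, not code from Huawei Cloud or this page: it derives the four DS fields (key tag, algorithm, digest type, digest) from a DNSKEY record as specified in RFC 4034 and RFC 4509, and checks that a DS record entered at a registrar actually covers the zone's DNSKEY. The DNSKEY it uses is a constructed placeholder with a 4-byte key, not a real key, and the parser assumes the single-line presentation format without parentheses.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 sec. 5.1.3, RFC 4509, RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Split 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into its parts."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, proto, alg, base64.b64decode("".join(f[i + 4:]))

def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B): 16-bit sum with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(dnskey_line, digest_type=2):
    """Return (key tag, algorithm, digest type, digest) for a DNSKEY (RFC 4034 sec. 5.1.4)."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_line)
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey  # DNSKEY RDATA in wire form
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest

def ds_matches(ds_line, dnskey_line):
    """True if a DS record (e.g. the one entered at the registrar) covers the given DNSKEY."""
    f = ds_line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    return ds_record(dnskey_line, dtype) == (tag, alg, dtype, "".join(f[i + 4:]).upper())

# Constructed sample: a KSK (flags 257) for algorithm 13 (ECDSAP256SHA256) with a
# 4-byte placeholder public key; a real P-256 key is 64 bytes. Not a real key.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(SAMPLE_DNSKEY)
    ds_line = f"example.com. IN DS {tag} {alg} {dtype} {digest}"  # the four fields the registrar asks for
    print(ds_line)
    print("DS covers DNSKEY:", ds_matches(ds_line, SAMPLE_DNSKEY))
```

Running it against the DNSKEY shown on the DNSSEC tab and the DS record stored at the registrar tells you whether the two agree before you rely on the test tool.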