Help Center/ Domain Name Service/ User Guide/ Public Zones/ Configuring DNSSEC
Updated on 2024-09-24 GMT+08:00
View PDF
Share

Configuring DNSSEC

What Is DNSSEC?

DNS Security Extensions (DNSSEC) provides digital signatures to ensure data integrity and authenticity of DNS requests and responses and to defend against common attacks such as DNS spoofing. This prevents you from being redirected to unexpected addresses and protects your core services.

Constraints

  • DNSSEC does not support subdomains.
  • Before disabling DNSSEC, you need to delete the DS record from the domain name service provider's system.
  • Before transferring the record sets across accounts on the DNS console, you need to delete the DS record from the domain name registrar and then disable DNSSEC on the DNS console, or DNS resolution may fail.
  • Before transferring a domain name across accounts on the Domains console, you need to delete the DS record and then disable DNSSEC on the DNS console, or DNS resolution may fail.
  • CNAME record sets cannot be configured for the second-level domain name, or the domain name cannot be resolved normally.

Process Flow

Figure 1 shows the process of configuring DNSSEC for a public zone

Figure 1 DNSSEC configuration process

Procedure

  1. Enable DNSSEC.

    1. Go to the Public Zones page.
    2. Locate the public zone for which you want to enable DNSSEC and click the domain name.

      The Record Sets tab is displayed.

    3. Click the DNSSEC tab.
    4. Click Enable DNSSEC.
      Figure 2 Enabling DNSSEC
    5. View and take a note of the following DNSSEC information:
      Key tag, digest algorithm, digest algorithm type, and digest.
      Figure 3 Viewing DNSSEC details
    6. Go to the domain name registrar to configure a DS record.

  2. Configure a DS record.

    The following are operations for domain names that are not registered with Huawei Cloud and are only for reference. For details, see the operation guide on the official website of the domain name registrar.

    1. Log in to the management console.
    2. In the public zone list, locate the public zone and click More > Manage in the Operation column.
    3. Click DNSSEC.
    4. Click Add DS Record.
    5. Configure the parameters as prompted and enter the DNSSEC information recorded in 1.e.
      • Key Tag: Enter the recorded key tag.
      • Algorithm: Enter the recorded signature algorithm type and signature algorithm.

        Format: Signature algorithm type-Signature algorithm

      • Digest Type: Enter the recorded digest algorithm type and digest algorithm.

        Format: Digest algorithm type-Digest algorithm

      • Digest: Enter the recorded digest.
    6. Click OK.

Verification

Use the test tool to verify that the configuration has taken effect.

Parent topic: Public Zones