The Domain Name System Security Extensions (DNSSEC) is a feature of the DomainName System (DNS) that authenticates responses to domain name lookups.It doesnot provide privacy protections for those lookups,but prevents attackers from manipulating or poisoning the responses to DNSrequests.

To protect domains from spoofing and poisoning attacks, enable and configureDNSSEC in the following places:

1. The DNS zone. If youenable DNSSEC fora zone, Cloud DNS automatically manages the creation and rotation ofDNSSEC keys (DNSKEY records) and the signing of zone data with resourcerecord digital signature (RRSIG) records.

2. The top-level domain (TLD) registry (forexample.com, this would be.com).In your TLD registry, you must have a DS record that authenticates a DNSKEYrecord in your zone. Do this byactivating DNSSECat your domain registrar.

3. The DNS resolver. For full DNSSEC protection, you must use a DNS resolverthatvalidates signatures for DNSSEC-signed domains. You can enablevalidation for individual systems or your local caching resolvers if youadminister your network's DNS services.

   For more information about DNSSEC validation, see the following resources:

   • Do you have DNSSEC validation enabled?
   • Deploying DNSSEC with BIND and Ubuntu Server(Part 1)
   • DNSSEC Guide: Chapter 3. Validation
   • DNSSEC

   You can also configure systems to use public resolvers that validate DNSSEC,notablyGoogle Public DNSandVerisign Public DNS.

The second point limits the domain names where DNSSEC can work.Both theregistrar and registrymust support DNSSEC for the TLD that you are using. If you cannot add a DSrecord through your domain registrar to activate DNSSEC,enabling DNSSEC in Cloud DNS has no effect.

Before enabling DNSSEC, check the following resources:

• The DNSSEC documentation for both your domain registrar and TLD registry
• TheGoogle Cloud community tutorial's domain registrar-specificinstructions
• TheICANN list of domain registrar DNSSEC support to confirm DNSSEC support for your domain.

If the TLD registry supports DNSSEC, but your registrar does not(or does not support it for that TLD), you might be able to transferyour domains to a different registrar that does. After you have completed thatprocess, you can activate DNSSEC for the domain.

Management operations

For step-by-step instructions for managing DNSSEC, see the following resources:

• To change the DNSSEC state of the zone fromTransfer toOn, seeLeaving DNSSEC transfer state.

• To enable DNSSEC for delegated subdomains, seeDelegating DNSSEC-signed subdomains.

Record set types enhanced by DNSSEC

For more information about record set types and other record types, see thefollowing resources:

• To control which public certificate authorities (CAs) can generate TLS orother certificates for your domain, seeCAA records.

• To enable opportunistic encryption through IPsec tunnels, seeIPSECKEY records.

DNS record types with DNSSEC-secured zones

For more information about DNS record types and other record types, see thefollowing resource:

• To enable SSH client applications to validate SSH servers, seeSSHFP records.

Migration or transfer of DNSSEC-enabled zones

Cloud DNS supports migrating DNSSEC-enabled zones where DNSSEC has beenactivated at the domain registry without breaking the chain of trust. You canmigrate zones to or from other DNS operators that also support migration.

• To migrate a DNSSEC-signed zone to Cloud DNS, seeMigrate DNSSEC-signed zones to Cloud DNS.

• To migrate a DNSSEC-signed zone to another DNS operator, seeMigrate DNSSEC-signed zones from Cloud DNS.

If your existing domain is hosted by your registrar, we recommend migrating thename servers to Cloud DNS before transferring to another registrar.

What's next

• To view DNSSEC key records, seeView DNSSEC keys.
• To work with managed zones, seeCreate, modify, and delete zones.
• To find solutions for common issues that you might encounter when usingCloud DNS, seeTroubleshooting.
• To get an overview of Cloud DNS, seeCloud DNS overview.