Manage DNSSEC configuration
This page describes how to enable and disable Domain Name System Security Extensions (DNSSEC) for Cloud DNS managed zones, and how to verify a DNSSEC deployment.
For a conceptual overview of DNSSEC, see the DNSSEC overview.
Note: You cannot enable or disable DNSSEC for existing zones that have more than 3000 resource record sets. To sign an existing large zone, consider setting up a new zone with the same DNS name with DNSSEC enabled, populating it with your resource record sets in additional operations, and then changing your delegation to point to the name server set of the new, DNSSEC-enabled zone.
Enable DNSSEC for existing managed public zones
To enable DNSSEC for existing managed public zones, follow these steps.
Console
In the Google Cloud console, go to the Cloud DNS page.
Click the zone name for which you want to enable DNSSEC.
On the Zone details page, click Edit.
On the Edit a DNS zone page, click DNSSEC.
Under DNSSEC, select On.
Click Save.
Your selected DNSSEC state for the zone is displayed in the DNSSEC column on the Cloud DNS page.
gcloud
Run the following command:
gcloud dns managed-zones update EXAMPLE_ZONE \
    --dnssec-state on
Replace EXAMPLE_ZONE with the zone ID.
Terraform
resource "google_dns_managed_zone" "example" {
  name        = "example-zone-name"
  dns_name    = "example.com."
  description = "Example Signed Zone"
  dnssec_config {
    state = "on"
  }
}
Enable DNSSEC when creating zones
To enable DNSSEC when you are creating a zone, follow these steps.
Console
In the Google Cloud console, go to the Cloud DNS page.
Click Create zone.
In the Zone name field, enter a name.
In the DNS name field, enter a name.
Under DNSSEC, select On.
Optional: Add a description.
Click Create.

gcloud
Run the following command:
gcloud dns managed-zones create EXAMPLE_ZONE \
    --description "Signed Zone" \
    --dns-name myzone.example.com \
    --dnssec-state on
Replace EXAMPLE_ZONE with the zone ID.
Verify DNSSEC deployment
To verify correct deployment of your DNSSEC-enabled zone, make sure that you placed the correct DS record in the parent zone. The key tag, algorithm, digest type, and digest in the DS record must all match the zone's key-signing key exactly; a DS record that does not correspond to a key the zone actually serves breaks resolution for every validating resolver. DNSSEC resolution can fail if either of the following occurs:
- The configuration is wrong, or you have mistyped it.
- You have placed the incorrect DS record in the parent zone.
To verify that you have the right configuration in place and to cross-check the DS record before placing it in the parent zone, use the following tools:
You can use the Verisign DNSSEC debugger and Zonemaster sites to validate your DNSSEC configuration before you update your registrar with your Cloud DNS name servers or DS record. A domain that is properly configured for DNSSEC is example.com, viewable using DNSViz.
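To cross-check a DS record offline before you hand it to your registrar, the following Python script derives the DS from the zone's DNSKEY and compares it field by field with the DS you intend to publish. It is an added example, not Cloud DNS tooling: it assumes you have the DNSKEY in presentation form (for example from dig DNSKEY output or from the key Cloud DNS shows for the zone), and it implements the key tag of RFC 4034 Appendix B and the DS digest of RFC 4034 section 5.1.4 and RFC 4509 (digest type 2 is SHA-256). The sample input is the public test vector from RFC 4509 section 2.3; the mistyped DS it checks against is constructed.

```python
# Added example (not Cloud DNS code): derive a DS record from a DNSKEY and
# compare it with the DS to be placed in the parent zone.
# Key tag: RFC 4034 Appendix B.  DS digest: H(owner name in wire form || DNSKEY RDATA).
import base64
import hashlib
import struct

# DS digest types this example understands (RFC 4034, RFC 4509, RFC 6605).
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Public test vector from RFC 4509 section 2.3 (DNSKEY from RFC 4034 section 5.4).
RFC4509_OWNER = "dskey.example.com."
RFC4509_DNSKEY = ("256 3 5 AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZ"
                  "DRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
                  "nOf+EPbtG9DMBmADjFDc2w/rljwvFw==")
RFC4509_DS = "60485 5 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, then the root label."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, dnskey_text: str, digest_type: int = 2) -> tuple:
    """(key_tag, algorithm, digest_type, HEX_DIGEST) for a DNSKEY given as
    'FLAGS PROTOCOL ALGORITHM BASE64...' (the form dig prints)."""
    fields = [f for f in dnskey_text.split() if f not in ("(", ")")]
    flags, protocol, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    rdata = dnskey_rdata(flags, protocol, algorithm, "".join(fields[3:]))
    digest = DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_ds(ds_text: str) -> tuple:
    """Parse DS RDATA in presentation form: 'KEYTAG ALGORITHM DIGESTTYPE HEX...' (hex may be split)."""
    fields = [f for f in ds_text.split() if f not in ("(", ")")]
    return int(fields[0]), int(fields[1]), int(fields[2]), "".join(fields[3:]).upper()


def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """True only if key tag, algorithm, digest type and digest of the parent's DS all match the child's key."""
    parent_ds = parse_ds(ds_text)
    if parent_ds[2] not in DIGEST_ALGORITHMS:
        return False
    return ds_from_dnskey(owner, dnskey_text, digest_type=parent_ds[2]) == parent_ds


def is_ksk(dnskey_text: str) -> bool:
    """The DS in the parent should point at the key-signing key: flags with the SEP bit set (257)."""
    return int(dnskey_text.split()[0]) & 0x0001 == 1


if __name__ == "__main__":
    # Constructed error: one hex digit of the digest typed wrong at the registrar.
    mistyped_ds = RFC4509_DS[:-1] + "B"
    print("derived DS:        ", ds_from_dnskey(RFC4509_OWNER, RFC4509_DNSKEY))
    print("parent DS matches: ", ds_matches(RFC4509_OWNER, RFC4509_DNSKEY, RFC4509_DS))
    print("mistyped DS matches:", ds_matches(RFC4509_OWNER, RFC4509_DNSKEY, mistyped_ds))
```

Run it against your own zone by replacing the owner, DNSKEY and DS strings; a single wrong hex digit, a wrong key tag, or a DS derived from the zone-signing key instead of the key-signing key all come back as a mismatch.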
Recommended TTL settings for DNSSEC-signed zones
TTL is the time to live, in seconds, of the resource record sets in a DNSSEC-signed zone.
Important: In DNSSEC-enabled zones, avoid TTLs longer than 259200 (3 days). Unlike TTL expirations, which are relative to the time a name server sends a response to a query, DNSSEC signatures expire at a fixed absolute time. Validating resolvers do not keep a signed record set beyond its RRSIG expiration (RFC 4035, section 4.5), so a TTL longer than the remaining signature lifetime means that every resolver holding the record drops it at the same instant rather than at its own relative expiry; many clients then request the records at the same time as the DNSSEC signature expires. Very short TTLs also cause problems for DNSSEC-validating resolvers, because every re-fetch has to be validated again.
For more recommendations about TTL selection, see RFC 6781 section 4.4.1 Time Considerations and RFC 6781 Figure 11.
Note: Having a TTL that is at least a few times smaller than your signature validity period avoids query load peaks.
When reading RFC 6781 section 4.4.1, consider that many signature time parameters are fixed by Cloud DNS and you cannot change them. You cannot change the following parameters (subject to change without notice or update to this document):
- Inception offset = 1 day
- Validity period = 21 days
- Re-sign period = 3 days
- Refresh period = 18 days
- Jitter interval = ½ day (or ±6 hours)
- Minimum signature validity = refresh - jitter = 17.75 days = 1533600 seconds
You must never use a TTL longer than the minimum signature validity.
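The following Python script, an added example rather than Cloud DNS tooling, makes the absolute-versus-relative distinction concrete: it reads the RRsets and RRSIG records of a zone, computes each signature's remaining validity at a chosen moment, and flags every RRset whose TTL exceeds the recommended 259200 seconds, the Cloud DNS minimum signature validity of 1533600 seconds, or the time left on its own RRSIG. The zone lines, timestamps and key tag are constructed for the example, the RRSIG signature fields are placeholders, and no signature is verified.

```python
# Added example, not Cloud DNS tooling: audit RRset TTLs in a signed zone against
# signature lifetime. The signature parameters are the fixed Cloud DNS values listed
# on this page; the zone data is constructed and its RRSIG signature fields are
# placeholders (no signature is verified here).
import calendar
from datetime import datetime

DAY = 86400
RECOMMENDED_MAX_TTL = 3 * DAY               # 259200 s, the page's recommended upper bound
MIN_SIGNATURE_VALIDITY = int(17.75 * DAY)   # 1533600 s = refresh (18 d) - jitter (6 h)

# Constructed zone data: one RRset per owner, each with its covering RRSIG.
# RRSIG RDATA: type-covered alg labels original-ttl expiration inception key-tag signer signature
SAMPLE_ZONE = """\
www.example.com.  86400   IN A     192.0.2.10
www.example.com.  86400   IN RRSIG A 8 3 86400 20260301000000 20260208000000 12345 example.com. c2lnbmF0dXJl
mail.example.com. 604800  IN A     192.0.2.25
mail.example.com. 604800  IN RRSIG A 8 3 604800 20260301000000 20260208000000 12345 example.com. c2lnbmF0dXJl
big.example.com.  1728000 IN TXT   "v=spf1 -all"
big.example.com.  1728000 IN RRSIG TXT 8 3 1728000 20260318000000 20260225000000 12345 example.com. c2lnbmF0dXJl
"""


def rrsig_time(stamp: str) -> int:
    """RRSIG expiration and inception are absolute UTC times, YYYYMMDDHHMMSS (RFC 4034 section 3.2)."""
    return calendar.timegm(datetime.strptime(stamp, "%Y%m%d%H%M%S").timetuple())


def parse_zone(text: str):
    """Return ({(owner, type): ttl}, {(owner, type_covered): expiration_epoch}) from zone-file lines."""
    ttls, expirations = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, ttl, rtype = fields[0].lower(), int(fields[1]), fields[3]
        if rtype == "RRSIG":
            expirations[(owner, fields[4])] = rrsig_time(fields[8])
        else:
            ttls[(owner, rtype)] = ttl
    return ttls, expirations


def audit_ttls(zone_text: str, now: int) -> dict:
    """Map each problematic RRset to its findings; RRsets that pass every check are omitted."""
    ttls, expirations = parse_zone(zone_text)
    findings = {}
    for rrset, ttl in ttls.items():
        problems = []
        if ttl > RECOMMENDED_MAX_TTL:
            problems.append("TTL_OVER_RECOMMENDED")     # allowed, but invites a query peak at expiry
        if ttl > MIN_SIGNATURE_VALIDITY:
            problems.append("TTL_OVER_MIN_VALIDITY")    # never allowed: longer than refresh - jitter
        expiration = expirations.get(rrset)
        if expiration is None:
            problems.append("NO_RRSIG")                 # unsigned data in a signed zone
        elif ttl > expiration - now:
            # The relative TTL outlives the absolute signature expiry: every validating
            # resolver that cached this RRset drops it at the same instant.
            problems.append("TTL_OUTLIVES_RRSIG")
        if problems:
            findings[rrset] = problems
    return findings


if __name__ == "__main__":
    # Fixed "now" so the run is reproducible; use int(time.time()) for a live zone.
    now = rrsig_time("20260226000000")
    for (owner, rtype), problems in sorted(audit_ttls(SAMPLE_ZONE, now).items()):
        print(f"{owner} {rtype}: {', '.join(problems)}")
```

For a real zone, feed it the records from a zone transfer or from dig +dnssec answers and pass the current time; the TTL_OUTLIVES_RRSIG finding is the one that turns into a synchronized re-query storm when the signature expires.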
Disable DNSSEC for managed zones
Important: Before disabling DNSSEC for a managed zone that you want to keep using, you must deactivate DNSSEC at your domain registrar (that is, remove the DS records from the parent zone) to ensure that DNSSEC-validating resolvers can still resolve names in the zone. After you have removed the DS records and waited for them to expire from caches (at least the TTL of the DS record set in the parent zone), you can use the following gcloud command to turn off DNSSEC:
gcloud dns managed-zones update EXAMPLE_ZONE \
    --dnssec-state off
Replace EXAMPLE_ZONE with the zone ID.
What's next
- To get information about specific DNSSEC configurations, see Use advanced DNSSEC.
- To work with managed zones, see Create, modify, and delete zones.
- To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.
- To get an overview of Cloud DNS, see Cloud DNS overview.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.