Alibaba Cloud DNS: DNSSEC

Last Updated: Jul 05, 2025

What is DNSSEC

When enabled, DNS Security Extensions (DNSSEC) effectively prevents attacks such as DNS spoofing and cache pollution. It uses digital signatures to ensure the authenticity and integrity of DNS response packets, which protects users from being redirected to unexpected addresses. This increases user trust in the Internet and protects your core business.

DNSSEC usage considerations

  1. DNSSEC is currently available to paid DNS users (all versions).

  2. DNSSEC cannot be enabled when using the independent DNS hosting feature for subdomains.

  3. DNSSEC cannot be enabled when using the Secondary DNS feature.

  4. When your paid DNS version expires and you do not plan to renew it, first delete the DS record at your domain registrar, and then disable DNSSEC in the Cloud DNS console to avoid resolution failures.

  5. If you have enabled DNSSEC and use the "domain transfer between accounts" feature to transfer a domain from account A to account B, first delete the DS record at your domain registrar, and then disable DNSSEC in the Cloud DNS console to avoid resolution failures.

  6. If you have enabled DNSSEC and use the "cross-account DNS resolution transfer" feature to transfer domain DNS resolution from account A to account B, first delete the DS record at your domain registrar, and then disable DNSSEC in the Cloud DNS console to avoid resolution failures.

  7. If you have enabled DNSSEC and use the "detach domain" feature, first delete the DS record at your domain registrar, and then disable DNSSEC in the Cloud DNS console to avoid resolution failures.

  8. For DNSSEC to be effective, both the domain resolution service provider and the domain registrar must support DNSSEC. Currently, both Cloud DNS and the Alibaba Cloud domain registrar support this service.

How to enable DNSSEC

  1. Log on to the Cloud DNS - Public Authoritative DNS Resolution page, select the domain for which you want to enable DNSSEC, and click More - DNSSEC Settings.

  2. On the DNSSEC Settings page, enable DNSSEC.

  3. Copy the DS record information such as Key Tag, Algorithm, Digest Type, and Digest, and then add a DS record at your domain registrar.

  4. For the Alibaba Cloud domain registrar, see the DNS Security Extensions (DNSSEC) Configuration document.
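
A DS record that does not match the zone's DNSKEY breaks validation, so it is worth checking the four copied values (Key Tag, Algorithm, Digest Type, Digest) against the key before saving them at the registrar. The following is an added example, not code from Alibaba Cloud; the function names are hypothetical and the sample key is constructed. It goes slightly beyond step 3 by recomputing the Key Tag and Digest the standard way (RFC 4034) for digest types 1, 2 and 4.

```python
import base64
import hashlib
import struct

# Digest Type numbers from the IANA DS registry -> hashlib names
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, e.g. dns-example.com."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key Tag checksum over the DNSKEY RDATA (RFC 4034 Appendix B, not algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS Digest = hash(owner name in wire form | DNSKEY RDATA), upper-case hex."""
    h = hashlib.new(DIGESTS[digest_type], name_to_wire(owner) + rdata)
    return h.hexdigest().upper()

def ds_mismatches(owner: str, dnskey: tuple, ds: dict) -> list:
    """Return the names of the DS fields that disagree with the DNSKEY (empty = OK)."""
    flags, protocol, algorithm, pubkey_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    bad = []
    if ds["key_tag"] != key_tag(rdata):
        bad.append("Key Tag")
    if ds["algorithm"] != algorithm:
        bad.append("Algorithm")
    if ds["digest_type"] not in DIGESTS:
        bad.append("Digest Type")
    elif ds["digest"].replace(" ", "").upper() != ds_digest(owner, rdata, ds["digest_type"]):
        bad.append("Digest")
    return bad

if __name__ == "__main__":
    # Constructed sample: a made-up 64-byte key, not a real zone's DNSKEY.
    key = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
    rdata = dnskey_rdata(*key)
    ds = {"key_tag": key_tag(rdata), "algorithm": 13, "digest_type": 2,
          "digest": ds_digest("dns-example.com", rdata, 2)}
    print(ds, ds_mismatches("dns-example.com", key, ds))
```

In practice the DNSKEY fields come from the zone's published DNSKEY record and the DS fields from the DNSSEC Settings page; an empty list means the values are consistent.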

How to test if DNSSEC is effective

You can use the Test Tool to test.

Check if DNSSEC is enabled

Taking dns-example.com as an example, if the circled area does not show DS, the DNSSEC service is not enabled.

Figure: DNSSEC not enabled

DNSSEC is effective

If the test page shows DS at each level and there are no red error boxes, it means DS has been enabled and is effective.

Figure: DNSSEC in effect

DNSSEC is not effective

If red error boxes appear on the test page, it means DNSSEC is not effective. You can submit a ticket to troubleshoot.

Figure: Errors shown when DNSSEC is not in effect

How to disable DNSSEC

Step 1: Delete the DS record at your domain registrar.

For domains registered with Alibaba Cloud:

  1. Log on to the Domain Name Console.

  2. On the Domain List page, click Manage in the Actions column for the target domain.

  3. In the left-side navigation pane, click DNSSEC Settings under DNS Management, and then click Delete next to the DS record.

Step 2: Disable DNSSEC in the Cloud DNS console

  1. On the Cloud DNS - Public Authoritative DNS Resolution page, select the domain for which you want to disable DNSSEC, and click More - DNSSEC Settings.

  2. Disable DNSSEC on the DNSSEC Settings page.

    Warning

    You must follow the order of Step 1 and Step 2. Otherwise, resolution failures may occur.