
Domain Names: Configure DNSSEC

Last Updated: Oct 15, 2025

If the DNS resolution for a domain name is hijacked, users can be redirected to malicious addresses or phishing websites. This can cause them to leak sensitive information, such as account credentials and order details, on fraudulent pages. Alibaba Cloud provides Domain Name System Security Extensions (DNSSEC) to digitally sign the DNS records of your domain name. If a validating resolver detects a forged or tampered response, it rejects the response. This ensures that users always reach the authentic service.

How it works

DNSSEC does not change the DNS query process. Instead, it uses digital signatures and hierarchical validation to ensure that the resolution results that users receive are not forged or tampered with.

The process has two phases:

Configuration phase (administrator operation)

  1. Enable DNSSEC with your authoritative DNS provider, such as Alibaba Cloud DNS. The system generates a key pair, signs all records, and creates a Delegation Signer (DS) record. The DS record is a cryptographic fingerprint (hash) of the public key that is published in the zone as a DNSKEY record.

  2. Submit the DS record to Alibaba Cloud, which passes it to the registry of the top-level domain (TLD), such as .com, for publication in the TLD zone.

This process is similar to registering your public key with a higher authority.

Validation phase (automatic)

When a user accesses the domain name, a DNSSEC-aware resolver performs the following steps:

  1. Obtains the registered DS record (the official fingerprint) from the .com top-level domain.

  2. Retrieves the current public key (DNSKEY) from the domain's DNS provider.

  3. Calculates a fingerprint (digest) from the DNSKEY and compares it with the DS record. If they match, the resolver trusts the key and uses it to validate the signatures (RRSIG records) on the zone's data. If the fingerprint or a signature does not verify, it rejects the response.

Only validated DNS data is returned to the user. This protects against cache poisoning and man-in-the-middle tampering with DNS responses.
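The fingerprint comparison in step 3, as an added example that is not part of the Alibaba Cloud documentation: it builds DNSKEY RDATA, derives the key tag and DS digest as defined in RFC 4034, and checks a DS record against a key. The key bytes and the owner name example.com. are constructed for illustration; the final call shows the mismatch a resolver sees when the DS at the registrar no longer fingerprints the key the zone serves, which is the failure the FAQ below describes.

```python
# Added example (not Alibaba Cloud code): the DS-vs-DNSKEY check a validating
# resolver performs. DS digest per RFC 4034 s5.1.4, key tag per RFC 4034 App. B.
import hashlib
import struct

DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest type -> hash

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical DNS wire format (lower-cased labels, root = 0x00)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA layout: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """16-bit key tag: even bytes weighted <<8, odd bytes as-is, carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire format | DNSKEY RDATA), upper-case hex."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()

def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RDATA text the registrar publishes: 'keytag algorithm digesttype digest'."""
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches_dnskey(owner: str, ds: str, rdata: bytes) -> bool:
    """Validation step 3: does the parent's DS fingerprint this DNSKEY?"""
    tag, alg, dtype, digest = ds.split()
    if int(dtype) not in DIGEST_ALGS or int(alg) != rdata[3] or int(tag) != key_tag(rdata):
        return False
    return digest.upper() == ds_digest(owner, rdata, int(dtype))

if __name__ == "__main__":
    # Constructed KSK: flags 257 (zone key + SEP), algorithm 13 (ECDSAP256SHA256).
    ksk = dnskey_rdata(257, 13, bytes(range(1, 65)))
    ds = ds_record("example.com.", ksk)  # this is what gets submitted to the registrar
    print("DS record:", ds)
    print("DS matches served key:", ds_matches_dnskey("example.com.", ds, ksk))  # True
    rotated = dnskey_rdata(257, 13, bytes(range(65, 129)))  # key changed, DS not updated
    print("stale DS vs new key:", ds_matches_dnskey("example.com.", ds, rotated))  # False
```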

Procedure

Step 1: Get the DS record from your DNS provider

  • If your DNS service is hosted on Alibaba Cloud: On the Alibaba Cloud DNS - Authoritative DNS page, find the target domain name in the domain name list and click DNSSEC Settings to the right of the domain name. After you enable the feature, obtain the DS record from the configuration page.

  • If your DNS service is not on Alibaba Cloud: Obtain the DS record from your DNS provider.

Step 2: Add the DS record in the Alibaba Cloud Domain Names console

  1. On the Domain Name List page, find the domain name that you want to configure, and in the Actions column, click Manage. On the DNSSEC Settings page, click Add DS Record.

  2. Enter the DS data that you obtained from your DNS provider. Then, click Submit and complete the verification.

Note

You can add a maximum of eight DS records for each domain name.

Step 3: Verify the configuration

  • Recommended tool: DNSViz

  • Verification method: Enter your domain name in the tool and start the analysis. If the results show a DS record at each level and there are no red error boxes, DNSSEC is enabled and working correctly.

Manage DNSSEC records

Sync DS records

If you transfer a domain name to Alibaba Cloud from another domain name registrar and have already added DNSSEC records at the original registrar, you can click Sync DS Records on the DNSSEC Settings page to sync the DNSSEC records to the Alibaba Cloud Management Console. You do not need to add the records manually.

Disable DNSSEC

  1. On the DNSSEC Settings page, delete the DS record.

  2. In your DNS provider's console, disable DNSSEC.

Recommendations for production environments

  • If your paid DNS plan is about to expire and you do not plan to renew it, you must first delete the DS record at your domain name registrar and then disable DNSSEC in the Alibaba Cloud DNS console. This prevents resolution failures.

  • If you have DNSSEC enabled and want to transfer a domain name to another Alibaba Cloud account, you must first delete the DS record at your domain name registrar and then disable DNSSEC in the Alibaba Cloud DNS console. This prevents resolution failures.

  • If you have DNSSEC enabled and want to transfer DNS resolution for a domain name to another Alibaba Cloud account, you must first delete the DS record at your domain name registrar and then disable DNSSEC in the Alibaba Cloud DNS console. This prevents resolution failures.

FAQ

Why do I need to disable DNSSEC when I transfer a domain name?

To avoid resolution failures, disable DNSSEC before you transfer a domain name. DNSSEC relies on the DS record at the registrar to authenticate DNS responses. If you do not delete the DS record before the transfer, the chain of trust breaks. Recursive resolvers then reject the responses, which causes a service interruption. You can re-enable DNSSEC after the transfer is complete.

Why is there no DNSSEC Settings option in the console for my domain name?

Not all domain name suffixes are supported. Currently, supported suffixes include .com, .net, .cc, .tv, .name, .biz, .club, .cn, and .top. If you cannot find the DNSSEC Settings option in the Domain Names console, this indicates that the suffix for your domain name does not support this feature.