
How to enable DNSSEC

Reviewed on 19 August 2024. Published on 26 May 2021.
Important

This documentation applies to the legacy domain product previously offered by Online.net. For managing your domain names with the latest features, we recommend using Scaleway’s Domains and DNS service.

Since its design in 1983, DNS has been vulnerable to attacks. Attackers can falsify responses to DNS queries, which allows them to redirect end users to websites under their control. DNSSEC was deployed in response to these threats. It cryptographically ensures that DNS content cannot be modified after leaving its source without being detected. It works by digitally signing each DNS record so that any tampering with that record can be detected.

DNSSEC therefore involves:

  • the domain’s DNS server
  • the registrar
  • the registry
  • the provider’s DNS server

DNSSEC should only be used by experienced users, due to the propagation time of the DNS cache. If you do want to configure DNSSEC yourself, bear in mind that:

  • You should always check your configuration with external tools such as https://dnssec-analyzer.verisignlabs.com/ or http://dnsviz.net/
  • Not all registries support the same algorithms
  • Not all DNS servers (clients) verify DNSSEC, so you can still get responses from them despite a bad DNSSEC configuration

Important

This page shows you how to enable DNSSEC for Online.net domains only. Find out how to enable DNSSEC for Domains and DNS domains via the API or the Scaleway console.

Before you start

To complete the actions presented below, you must have:

  • A Dedibox account logged in to the Online console
  • An Online domain name

How to activate and deactivate DNSSEC if your domain and DNS are managed by Scaleway

Although DNSSEC should generally only be configured by experienced users, this simple activation/deactivation is easy to carry out.

  1. Log in to the Online console.
  2. Click Domain. A list of your domains displays.
  3. Click Configure domain name next to the relevant domain.
  4. Click the Activate DNSSEC button to activate DNSSEC, if allowed by your domain extension. If DNSSEC is already activated, the Deactivate DNSSEC button displays, allowing you to deactivate it if you wish.
    Note

    If you deactivate DNSSEC, it is advised to wait 48 hours before activating it again.

How to activate and deactivate DNSSEC if your domain is managed by Scaleway with your own DNS server

  1. Log in to the Online console.
  2. Click Domain. A list of your domains displays.
  3. Click Configure domain name next to the relevant domain.
  4. Click the Manage DNSSEC tab.
  5. Depending on whether you want to activate or deactivate DNSSEC:
    • Activation: A key is generated for you. Complete the rest of the configuration fields, and click Update DNS Records to transfer them to the registrar. In case of error, you can modify this information at a later date.
    • Deactivation: Click Delete DNS Records to request deletion from the registry. You will then need to delete the records from the DNS server yourself.
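
When you run your own DNS server, validating resolvers only accept the zone if the DS data held at the registry matches a DNSKEY your server publishes. The following is an added example, not part of the original page or of Scaleway's tooling: it derives the key tag (RFC 4034, Appendix B) and SHA-256 DS digest from a DNSKEY line so you can compare them with what was submitted. It assumes the submitted data is expressed as DS-style values (key tag, algorithm, digest type, digest), which this page does not specify; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in (l for l in name.lower().rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into (owner, rdata)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(line: str):
    """Return (key_tag, algorithm, digest_type, digest_hex) using digest type 2 (SHA-256)."""
    owner, rdata = parse_dnskey(line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(line: str, registered_ds: str) -> bool:
    """Compare against a DS string 'tag alg type digest' as held at the registry."""
    tag, alg, dtype, *digest = registered_ds.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).upper()) == ds_from_dnskey(line)

# Constructed sample: a key-signing-key line with a placeholder 64-byte key, not a real key.
SAMPLE_DNSKEY = ("Example.COM. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(SAMPLE_DNSKEY)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

A mismatch reported by `ds_matches` means validating resolvers will reject the zone, even though non-validating resolvers continue to answer normally.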