Share on facebook
Share on twitter

Setting Up DNSSEC on Google Cloud DNS

Enabling DNSSEC on your Google Cloud DNS is child’s play, click one button and Google Cloud DNS will automatically create all necessary DNSKEYs for you. But it could get little complicated if you don’t know how to add DS record on your domain registrar website. That is why, In this blog I will help you to configure DNSSEC in a Step-by-step manner. 

First let’s explain some stuffs. 

What is DNSSEC?

We all know that DNS is a protocol which resolves domain names to IP addresses, but how do we know the authenticity of the returned IP address? It is possible for an attacker to  easily masquerade as the authoritative server that a resolver originally queried by spoofing a response that appears to come from that authoritative server. In other words an attacker can redirect a user to a potentially malicious site without the user realizing it.

To combat this type of attacks Domain Name System Security Extensions  (DNSSEC) was introduced in 2005. DNSSEC digital signatures  all the DNS data (A, CNAME, MX, etc) of using public key cryptography. Now if your user use a DNSSEC enabled DNS resolvers, it can verify the authenticity of a DNS reply using the public DNSKEY record. If you want to learn more about DNSSEC here are some Articles, which could help you in this regard.

  1. DNSSEC – What Is It and Why Is It Important? – by ican.org
  2. How DNSSEC Works – by Cloudflare

How DNSSEC works on Cloud DNS?

When we’ll enable DNSSEC on Cloud DNS, it will automatically create  public keys (DNSKEY) and Private Keys. Next We have to add the public key to your domain registrar website. Your domain registrar will add your public key to Top-level-domain TDL server. Your Top-Level-Domain TDL DNS server also have Private keys and Public Keys and it’s the public key already added to Root nameserver.

Now, when a resolver sends a DNS query to root server, root server replay with  TDL nameservers DNS zone data and public keys. After that resolver again send a DNS query to TDL nameserver, the TDL name server replay with a public key  and Cloud DNS zone data. Then the resolver, validate the data of TDL nameserver using public key (receive from root nameserver). Next the resolver send a query to Cloud DNS, – replay with Your domain(s) zone records. Again resolver validate that data using public key – receive from TDL nameserver.  The actual mechanism is more complicated–but the effect is the same.

 

How much it cost to enable DNSSEC on Cloud DNS?

There is no additional charges or changes  for enabling DNSSEC on Cloud DNS. But you have to pay  for Cloud DNS which is  $0.20 per domain (zone) and $0.40 per million queries per month.

Prerequisites

  1. Already have a top-level-domain name.
  2. The domain registrar have DNSSEC support.
  3. You have migrated your DNS to Google Cloud DNS. Here is some article which will help you in this regard,

DNSSEC Resource Records

Just like DNS resource records (A, AAAA, CNAME, MX …), DNSSEC also requires several RR(s).

  1. Delegation signer (DS): The record used to identify the DNSSEC signing key of a delegated zone
  2. DNS Key record (DNSKEY): The key record used in DNSSEC. Uses the same format as the KEY record.
  3. DNSSEC signature (RRSIG): Signature for a DNSSEC-secured record set. Uses the same format as the SIG record.

Step 1: Enabling DNSSEC on Cloud DNS domains

Click on the hamburger menu in the upper left-hand corner of your Google Cloud Platform dashboard. After that navigate to NETWORKING >> NETWORK SERVICES >> CLOUD DNS.

As you can see, On the above image, We already set up our domain on Cloud DNS. To enable DENSEC,just click the DNSSEC setting for the zone and select “On” in the pop-up menu.

In the confirmation dialog that appears, just click the Enable button.

Step 2: Opening domain(s) DS records

In the previous step you have enabled DNSSEC on Cloud DNS. Now, we’ll transfer the DS record to your domain registrar website. To do we need to open the Registrar Setup section.

Click on your Zone name.

Next, in your right-hand corner click the “Registrar Setup” button.

  1. Key Tag:   57710
  2. Algorithm: rsasha256(8)
  3. Digest Type: sha256 (2)
  4. Digest: 9691BF6F8285D6D7973B2B6B5AC851DB8EA745451CD7BF268BAEE31989B5708F
  5. DS:    Key-Tag   Algorithm    Digest-Type   Digest

As you can see that DS record is a combination of all those four records.

Step 3: Configuring DS records with your registrar

In this step we are going to add Those DS records on your domain registrar website. 

As you know there are hundreds of domain registrar and all of them might have DNSSEC management page in different locations, It is not viable for me to show you the steps for all those different registrar. To help you as much as I can, I will be showing you how to configure DS record with GoDaddy and Namecheap.

 

Example no 1: GoDaddy

Log in to your GoDaddy account, then navigate to Home >> Manage My  Products >> DNS. Now scroll down to “Advanced Features” just below the Nameservers section, and click on the DNSSEC button.

Now, One by one paste Key-Tag, Algorithm, Digest-type, Digest which you copied from Cloud DNS(s) registrar setup section.

Example no 2: Namecheap

Log in to your Namecheap account. After that, navigate to “Domain List” >> Advanced DNS. There on DNSSEC section toggle the button to enable DNSSEC.

Now, One by one paste Key-Tag, Algorithm, Digest-type, Digest which you copied from Cloud DNS(s) registrar setup section. 

Step 4: Verifying DNSSEC deployment

Once you have added/updated those DS records, it can take time up to 24 hours for the changes to be effective across the internet.

You can use DNSVizZonalizer, the Verisign DNSSEC debugger, or Zonemaster to verify correct deployment of your DNSSEC-enabled zone.

Here what looks like in the Verisign DNSSEC debugger when you  have successfully deployed DNSSEC.

Here what looks like in  DNSViz  when you have successfully deployed DNSSEC on your domain.

Now it is your time!

I tried my best to provide you a complete tutorial on  How to transfer your domain to Google Cloud DNS. I hope you liked it.

If you need help just drop a comment.

If you benefited from this tutorial, and would like to support my work, please like my Facebook page.

Thanks,

Leave a Comment

Your email address will not be published. Required fields are marked *