Securing your domain name with DNSSEC


04.03.2025 - Web / DNS zone

Objective

A DNS server hosts one or more DNS zones. A DNS zone contains the DNS configuration of a domain name. This configuration links your domain name to the various services associated with it (hosting server for your website, servers for your custom email addresses with your domain name, etc.).

In some cases, data streams that pass through DNS servers can be intercepted by hackers.
To achieve this, they manipulate the DNS server cache to apply their own DNS configuration to your domain name. This is called cache poisoning. This way, they can redirect incoming traffic for your domain name to their websites and email addresses.

The Domain Name System Security Extensions (DNSSEC) protect your domain name’s DNS configuration against cache poisoning by verifying and authenticating DNS responses.

This guide explains how to enable DNSSEC for your domain name to protect it against cache poisoning.

The DNSSEC option is currently unavailable for domain names registered with OVHcloud that have the extension .it.

For more information on how DNSSEC works, please visit our page “Understanding DNSSEC”.

You can also refer to our guides on OVHcloud DNS servers and on editing an OVHcloud DNS zone if you would like more information on these topics.

Requirements

  • A domain name with an extension compatible with DNSSEC

OVHcloud Control Panel Access

  • Direct link: Domain names
  • Navigation path: Web Cloud > Domain names > Select your domain name

Instructions

To check if your domain name uses the OVHcloud DNS configuration, click on the tabs below to view each of the 2 steps.

These 3 steps are only valid if your domain name is registered with OVHcloud. Otherwise, you will need to check with your domain name registrar.

Click this link, then choose the domain name concerned.

Select the DNS servers tab once you have clicked on the domain concerned.

If the DNS server names end with ovh.net (with the exception of the snds2.ovh.net server), ovh.ca or anycast.me, your domain name will use OVHcloud DNS servers.

The activation/deactivation of DNSSEC takes 24 hours to be effective.

If you would like to change the DNS servers associated with your domain name at a later stage, the DNS servers will only be modified on the OVHcloud side after DNSSEC has been disabled. After this, an additional period of 24 to 48 hours will be required for the DNS propagation of the modification.

In total, modifying the DNS servers of a domain name with DNSSEC active will be fully effective after 48 to 72 hours.

You can enable DNSSEC in three scenarios detailed below.

Case 1 - Your domain name is registered with OVHcloud and uses OVHcloud DNS servers

To enable (or disable) the DNSSEC solution for your domain name, click on the tabs below to view each of the 3 steps.

Click this link, then choose the domain name concerned.

The page that appears will display general information about your domain name. You can check the activation status of the DNSSEC on it.

In the Security box, check the status next to Secured Delegation - DNSSEC.

With the activation button above Secured Delegation - DNSSEC, you can activate or deactivate DNSSEC on your domain name. When you do this, a new window will appear, where you can confirm the change.

Case 2 - Your domain name is registered with OVHcloud and does not use OVHcloud DNS servers

Once you have retrieved these 4 parameters, click on the tabs below to view each of the 4 steps.

Click this link, then choose the domain name concerned.

On the page that appears, click on the DS records tab. This tab will only appear if your domain name uses external DNS servers.

In the new page that appears, click the Edit button on the right, then the + button.

Fill in the 4 forms Key Tag, Flag, Algorithm and Public key (encoded in base64) with the data communicated by your current provider.

Once you have filled in the 4 forms, click on the blue Confirm button to the right of the table.

Case 3 - Your domain name is not registered with OVHcloud and uses OVHcloud DNS servers

Before you proceed, please check with your domain name’s current registrar to make sure that there are no DNSSEC options already enabled for it.

Unlike case 2, you will need to retrieve the DNSSEC activation settings ("Key Tag" / "Flag" / "Algorithm" / "Public key (encoded in base64)") from the OVHcloud side.

To do this, you will need to use the OVHcloud APIs and perform the following actions:

  • Go to our website OVHcloud API (check that you are on https://eu.api.ovh.com if your services are hosted in Europe, and on https://ca.api.ovh.com if they are hosted outside Europe).
  • On the page that pops up, middle-click Explore the OVHcloud API.
  • On the new page that appears, and on the left-hand side of the page, use the dropdown menu to the right of the form v1, then select/enter the choice /domain.
  • From the list of APIs that appears below in the left-hand column, locate and click on the following node: POST /domain/zone/{zoneName}/dnssec. You can also click on this link to access it:
  • On the right-hand side of the page, you will then see the various forms to fill in.
  • Click the button in the top right-hand corner labeled Authenticate, then the Login with OVHcloud SSO button.
  • The interface for connecting to your OVHcloud Control Panel will open.
  • Log in to your account, then click Authorize to use the OVHcloud API with the services in your Control Panel.
  • You will then be automatically redirected to the previous page of the POST /domain/zone/{zoneName}/dnssec API, where you will now be authenticated.
  • On the right-hand side of the page, you will then see the form to fill in.
  • Fill in the form in the PATH PARAMETERS section as follows:
  • zoneName: Enter the domain name concerned (e.g. domain.tld).

Once you have filled in the form, click on the blue EXECUTE button in the bottom right-hand corner of the previously filled-in section.

After a few minutes, you will receive an email from OVHcloud at the contact email address of your OVHcloud DNS zone.
This email will contain the 4 parameters ("Key Tag" / "Flag" / "Algorithm" / "Public key (encoded in base64)") required to activate DNSSEC with your domain name registrar.

Check your spam folder if you have not received the email within an hour.

Finally, contact your domain name registrar with the 4 settings to enable the DNSSEC option for them.
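
A transcription error in any of the four values exchanged in case 2 or case 3 publishes a delegation that does not match the zone's key, and validating resolvers will then fail lookups for the domain. The added example below (not OVHcloud code) recomputes the Key Tag from the Flag, Algorithm and Public key with the RFC 4034 Appendix B checksum, so the set can be checked before it is submitted; the function names and the sample key are constructed for illustration.

```python
import base64
import binascii

# Fixed public-key sizes (bytes) for the elliptic-curve DNSSEC algorithms (IANA numbers).
FIXED_KEY_LEN = {13: 64, 14: 96, 15: 32, 16: 57}
# RSA-based algorithms carry variable-length keys, so only the number is checked.
RSA_ALGORITHMS = {5, 7, 8, 10}


def key_tag(flag: int, algorithm: int, public_key: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (does not apply to obsolete algorithm 1)."""
    # DNSKEY RDATA = flags (2 bytes) | protocol (always 3) | algorithm | public key
    rdata = flag.to_bytes(2, "big") + bytes([3, algorithm]) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def check_dnssec_params(tag: int, flag: int, algorithm: int, key_b64: str) -> list:
    """Return a list of problems; an empty list means the four values agree."""
    problems = []
    if flag not in (256, 257):
        problems.append(f"unexpected flag {flag}: expected 256 (ZSK) or 257 (KSK)")
    if algorithm not in FIXED_KEY_LEN and algorithm not in RSA_ALGORITHMS:
        problems.append(f"unsupported or unknown algorithm number {algorithm}")
    try:
        # Whitespace from e-mail line wrapping is dropped; the rest must be strict base64.
        key = base64.b64decode("".join(key_b64.split()), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["public key is not valid base64"]
    expected_len = FIXED_KEY_LEN.get(algorithm)
    if expected_len is not None and len(key) != expected_len:
        problems.append(f"key is {len(key)} bytes, algorithm {algorithm} needs {expected_len}")
    if 0 <= flag <= 0xFFFF and 0 <= algorithm <= 0xFF:
        computed = key_tag(flag, algorithm, key)
        if computed != tag:
            problems.append(f"key tag mismatch: supplied {tag}, computed {computed}")
    return problems


# Constructed sample: bytes 0..63 stand in for a 64-byte algorithm 13 key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print(check_dnssec_params(59409, 257, 13, SAMPLE_KEY_B64))  # consistent set
    print(check_dnssec_params(59409, 257, 13, SAMPLE_KEY_B64.replace("A", "B", 1)))
```
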

Go further

General information on OVHcloud DNS servers

Edit an OVHcloud DNS zone

First Steps with the OVHcloud APIs

For specialised services (SEO, development, etc.), contact OVHcloud partners.

If you would like assistance using and configuring your OVHcloud solutions, please refer to our support offers.

Join our community of users.
