Oracle Cloud Infrastructure Documentation

Disabling DNSSEC on a Zone

Disable DNS security extensions (DNSSEC) on a public zone.

To avoid service disruptions, follow these steps in the order presented to disable DNSSEC.

  1. Remove DS records for the zone from all child zone delegation subdomains. See Changing DNS Zone Records for information about updating OCI zone records.
  2. Remove the DS record from the parent zone.
  3. Wait until the TTL (time to live) for the removed parent zone DS record expires.
  4. Either delete the zone or disable DNSSEC on the zone.
    1. On the Public zones or Private zones list page, select the zone you want to work with. If you need help finding the list page, see Listing DNS Zones.
    2. In Zone information, under DNSSEC, select Edit.
    3. Select the DNSSEC switch to Disabled.
    4. Select Save changes.

  • Use the zone update command and required parameters to update the zone. To disable DNSSEC, specify the dnssec-state as DISABLED.:

    oci dns zone update --zone-name-or-id zone_name or zone_OCID --dnssec-state DISABLED ... [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

  • Run the UpdateZone operation to update the zone. To disable DNSSEC, specify the dnssecState as DISABLED.