Disabling DNSSEC on a Zone

Disable DNS security extensions (DNSSEC) on a public zone.

To avoid service disruptions, follow these steps in the order presented to disable DNSSEC.

  1. Remove DS records for the zone from all child zone delegation subdomains. See Changing DNS Zone Records for information about updating OCI zone records.
  2. Remove the DS record from the parent zone.
  3. Wait until the TTL (time to live) for the removed parent zone DS record expires.
  4. Either delete the zone or disable DNSSEC on the zone.
    1. Open the navigation menu and click Networking. Under DNS management, click Zones.
    2. Click the zone name in the list to open its Details page.
    3. In Zone information, under DNSSEC, click Edit.
    4. Click the DNSSEC switch to Disabled.
    5. Click Save changes.
  • Use the zone update command and required parameters to update the zone. To disable DNSSEC, specify the dnssec-state as DISABLED.:

    oci dns zone update --zone-name-or-id zone_name or zone_OCID --dnssec-state DISABLED ... [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

  • Run the UpdateZone operation to update the zone. To disable DNSSEC, specify the dnssecState as DISABLED.