Oracle Cloud Infrastructure Documentation

Enabling DNSSEC on a Zone

Enable DNS security extensions (DNSSEC) on a public zone.

Note

You can't enable DNSSEC on a private zone, or on a zone with downstream servers configured.
    1. Open the navigation menu and click Networking. Under DNS management, click Zones.
    2. Click the zone name in the list to open its Details page.
    3. In Zone information, under DNSSEC, click Edit.
    4. Click the DNSSEC switch to Enabled.
    5. Click Save changes.
      Important

      Wait for the work request to complete successfully before proceeding.
    6. For DNSSEC to work correctly, you need to add the key signing key (KSK) information to the parent zone DS record. The parent zone can be an OCI zone, or a zone in another provider:
      1. In the zone, under Resources, click DNSSEC.
      2. In the Promote KSK infoblock, choose the data type:
        • Structured: Digest fields are copied separately. Choose this option if the parent zone DNS provider requires separate input for each field in the DS record.
        • Unstructured: Digest fields are copied into a single string. Choose this option if the parent zone DNS provider allows presentation format input for the DS record.
      3. Click Copy to copy the digest information and the recommended TTL (time to live) information.
      4. Paste the DS record digest information into a DS record for the zone. If the zone is an OCI zone, see Adding a Record to a DNS Zone for instructions. Here is an example of a DS record containing KSK digest information: 
        20873 8 2 E2CEF72555BAF4978418FDB718F97F6421189B0862C456A5F75C25185EE61446
      5. Click Promote new key-signing key.

  • Use the zone create command and required parameters to create a public primary zone. To enable DNSSEC, set the dnssec-state option to enabled:

    oci dns zone create --compartment-id compartment_id --name "zone_name" --zone-type PRIMARY --scope GLOBAL
--dnssec-state ENABLED... [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

    The system creates and publishes the zone, complete with the necessary SOA and NS records. The details for the zone appear. For information on adding a record to your zone, see Adding a Record to a DNS Zone.

  • Run the CreateZone operation to create a public primary zone. Specify the zone type as PRIMARY and zone scope as GLOBAL. To enable DNSSEC, specify the dnssecState as ENABLED.

    The system creates and publishes the zone, complete with the necessary SOA and NS records. The details for the zone appear. For information on adding a record to your zone, see Adding a Record to a DNS Zone.