春江暮客

Personal learning and sharing site of 春江暮客

Enable DNSSEC for Aliyun Domain to Prevent DNS Hijacking

2019-08-13 Miscellaneous

While using Cloudflare daily, I found the free DNSSEC under DNS was not enabled. How can that be? Let’s first see what DNSSEC is.
Domain Name System Security Extensions (DNSSEC) add digital signatures to DNS records so that resolvers can verify that a response really came from the domain's authoritative source and was not altered on the way, which helps prevent attacks such as cache poisoning, domain spoofing, and interception. So of course this should be enabled for the domain bobobk.com.

Enabling DNSSEC mainly involves two parts:
The first part is enabling DNSSEC on Cloudflare to obtain the DS record information that needs to be set.
The second part is adding the DS record information provided by Cloudflare to the domain registrar.

Step 1: Enable DNSSEC on Cloudflare

Open the DNS settings, find DNSSEC, and enable it.
(screenshot: enable_dnssec)

Step 2: Add DS Record in Domain Registrar

Since the domain was purchased on Aliyun, the record is added there. If you use a different registrar, refer to Cloudflare support for its detailed instructions.

First, log into the Aliyun console, find your domain, and go to management.
(screenshot: domain_manage)

Add the DS record. The following settings appear:
(screenshot: ds_record_ali)

The four fields map directly to the values shown by Cloudflare:

  • “Key Tag” corresponds to Cloudflare’s “Key Tag”
  • “Algorithm” corresponds to Cloudflare’s “Algorithm”
  • “Digest Type” corresponds to Cloudflare’s “Digest Type”
  • “Digest” corresponds to Cloudflare’s “Digest”

In practice, the safest approach is to copy the Key Tag, Algorithm, Digest Type, and Digest values exactly as Cloudflare shows them when you create the DS record at the registrar. Do not try to reformat or guess any of those fields.

After setup, the change usually propagates within a few minutes to a few tens of minutes.
You can check whether DNSSEC is enabled using https://dnssec-analyzer.verisignlabs.com, or verify it locally from the command line:

dig +dnssec bobobk.com
dig DS bobobk.com

(screenshot: dnssec_check)

Checking this site’s DNSSEC status, you can see it has been successfully enabled.
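As an added example (not code from the original post, nor from Cloudflare or Aliyun), the following Python script shows what the four DS fields (Key Tag, Algorithm, Digest Type, Digest) actually are, and checks that a DS record, as published at the registrar or returned by `dig DS bobobk.com`, was really derived from the DNSKEY the zone serves. The DNSKEY used here is a constructed placeholder (a 64-byte "key" made of the bytes 0..63, algorithm 13), not the real bobobk.com key, and the record lines are constructed in the format `dig` prints.

```python
import base64
import hashlib
import re

# DS digest types (RFC 4034 type 1, RFC 4509 type 2, RFC 6605 type 4) -> hashlib constructors.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample, not a real Cloudflare key: a KSK (flags 257, protocol 3) for
# algorithm 13 (ECDSAP256SHA256) whose 64-byte "public key" is simply the bytes 0..63.
SAMPLE_OWNER = "bobobk.com."
SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_DNSKEY_LINE = (
    f"{SAMPLE_OWNER}\t3600\tIN\tDNSKEY\t257 3 13 "
    + base64.b64encode(SAMPLE_PUBKEY).decode("ascii")
)


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [label for label in name.lower().strip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key Tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_type=2):
    """Derive the four DS fields a registrar asks for from a DNSKEY.

    Digest = hash(owner name in wire form || DNSKEY RDATA), as upper-case hex.
    """
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = DIGEST_TYPES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": digest_type,
        "digest": digest,
    }


_RR = r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?{rtype}\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$"


def _parse_rr(line, rtype):
    """Split a presentation-format line like `dig` prints into owner + four RDATA fields."""
    line = line.split(";", 1)[0].strip()  # drop dig's trailing "; KSK; alg = ..." comments
    match = re.match(_RR.format(rtype=rtype), line)
    if not match:
        raise ValueError(f"not a {rtype} record: {line!r}")
    owner, a, b, c, rest = match.groups()
    return owner, int(a), int(b), int(c), "".join(rest.split())


def parse_dnskey_line(line):
    """`owner TTL IN DNSKEY flags proto alg base64` -> (owner, DNSKEY RDATA bytes)."""
    owner, flags, proto, alg, b64 = _parse_rr(line, "DNSKEY")
    return owner, dnskey_rdata(flags, proto, alg, base64.b64decode(b64))


def parse_ds_line(line):
    """`owner TTL IN DS keytag alg dtype hexdigest` -> dict in the same shape as ds_from_dnskey."""
    owner, tag, alg, dtype, digest = _parse_rr(line, "DS")
    return {"key_tag": tag, "algorithm": alg, "digest_type": dtype, "digest": digest.upper()}


def ds_matches(published_ds, owner, rdata):
    """True when the DS published at the parent (registrar / `dig DS`) matches the zone's DNSKEY."""
    derived = ds_from_dnskey(owner, rdata, published_ds["digest_type"])
    return (
        derived["key_tag"] == published_ds["key_tag"]
        and derived["algorithm"] == published_ds["algorithm"]
        and derived["digest"] == published_ds["digest"].upper()
    )


if __name__ == "__main__":
    owner, rdata = parse_dnskey_line(SAMPLE_DNSKEY_LINE)
    ds = ds_from_dnskey(owner, rdata)
    print("DS to enter at the registrar:", ds)
    # Simulate a registrar typo in the last hex digit: one wrong character breaks the chain.
    typo = dict(ds, digest=ds["digest"][:-1] + ("0" if ds["digest"][-1] != "0" else "1"))
    print("exact copy matches:", ds_matches(ds, owner, rdata))
    print("one-character typo matches:", ds_matches(typo, owner, rdata))
```

To check a real zone, paste the KSK line (flags 257) from `dig DNSKEY bobobk.com` into parse_dnskey_line and the line from `dig DS bobobk.com` into parse_ds_line; a False result means the values entered at the registrar do not correspond to the key Cloudflare signs with, and validating resolvers will treat the zone as bogus and answer SERVFAIL. When everything is consistent, a validating resolver also sets the `ad` flag in the header of a `dig +dnssec bobobk.com` answer.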

The important part of DNSSEC setup is not complexity, but consistency: the DS record values shown by Cloudflare must match what you enter at the registrar exactly. After that, a quick dig check or online validator is usually enough to confirm the setup.
