DNSSEC
DNSSEC adds cryptographic signatures to your DNS zones so resolvers can verify that answers have not been tampered with. Thalassa Cloud signs zones using a regional KMS asymmetric key and publishes signed zone files to authoritative nameservers.
DNSSEC requires both the `dns` and `kms` feature gates on your organisation.
How it works
```
You enable DNSSEC on a zone
│
▼
Platform creates or links a KMS signing key (default: ECDSA P-256)
│
▼
You add DS record(s) at the parent zone / registrar (from DNSSEC status)
│
▼
Platform verifies DS is visible at the parent delegation point
│
├─ DS not yet visible → zone published UNSIGNED (DNS keeps working)
│
└─ DS verified → zone signed and published with DNSSEC records
│
▼
Authoritative nameservers serve signed answers (~25–40 seconds)
```
Signed zones use NSEC3 for authenticated denial of existence (no extra configuration required).
Enabling DNSSEC
On the zone detail page, open DNSSEC and enable signing:
- Choose a cloud region where KMS is available.
- Optionally select an existing KMS signing key, or leave blank to auto-provision a new `ecdsa-p256` key named `DNSSEC {zone}`.
- Save — the platform begins signing and publishing the zone.
Supported signing key types
| Key type | Algorithm |
|---|---|
| ecdsa-p256 (recommended default) | ECDSAP256SHA256 |
| ecdsa-p384 | ECDSAP384SHA384 |
| rsa-2048, rsa-3072, rsa-4096 | RSASHA256 |
The key must be active and in the same region and project scope as the zone.
See KMS key types and KMS integrations for key selection guidance.
DS delegation at the parent
DNSSEC only protects resolvers once the parent zone holds a matching DS record pointing at your zone’s signing key.
After enabling DNSSEC, copy the DS records from the zone’s DNSSEC status:
| Field | Use |
|---|---|
| record | Full BIND-style value for the registrar DS entry, e.g. `12345 13 2 a1b2c3…` |
| digestTypeName | SHA-256 or SHA-384 digest variant |
Where to add the DS record:
- Apex domain (`example.com`) — at your domain registrar’s DNSSEC / DS settings.
- Subdomain zone (`sub.example.com`) — as a DS record named `sub` in the parent zone `example.com`.
Until the DS record propagates, the platform continues serving the zone unsigned and periodically re-checks the parent. The status fields `dsDelegated` and `nextDsProbeAt` show progress.
Do not add DS records as tenant DNS records inside the child zone. DS belongs in the parent delegation point.
Some registrars accept a full DNSKEY entry instead of a DS digest. Use `keyTag`, `algorithm`, `keyRole`, and `publicKey` from the DNSSEC status for those forms — not the DS digest value.
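The following is an added example, not Thalassa Cloud code, showing how the DS values in the status above are derived from the DNSKEY fields and how the parent DS probe in the flow diagram can be reproduced locally. It implements the key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4, SHA-256 and SHA-384 as in the `digestTypeName` field) with only the standard library; the zone name, flags and the 64-byte public key below are constructed stand-ins, not a real key.

```python
"""Derive DS records from DNSKEY fields and check them against a parent DS set.

Added example (not platform code). The public key is a constructed 64-byte
value of the length an ECDSA P-256 DNSKEY carries; it is not a real key.
"""
import base64
import hashlib

# DS digest types: 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {2: ("SHA-256", hashlib.sha256), 4: ("SHA-384", hashlib.sha384)}

# Constructed sample inputs (assumed values, not taken from any real zone)
EXAMPLE_ZONE = "example.com."
EXAMPLE_FLAGS = 257          # KSK: zone key + SEP bit
EXAMPLE_ALGORITHM = 13       # ECDSAP256SHA256
EXAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(zone: str, flags: int, algorithm: int, public_key_b64: str, digest_type: int = 2) -> dict:
    """Return the DS fields and the BIND-style record string for one DNSKEY."""
    _, hasher = DIGEST_ALGS[digest_type]
    rdata = dnskey_rdata(flags, algorithm, base64.b64decode(public_key_b64))
    # DS digest is computed over the canonical owner name followed by the DNSKEY RDATA
    digest = hasher(name_to_wire(zone) + rdata).hexdigest().upper()
    tag = key_tag(rdata)
    return {
        "keyTag": tag,
        "algorithm": algorithm,
        "digestType": digest_type,
        "digest": digest,
        "record": f"{tag} {algorithm} {digest_type} {digest}",
    }


def parse_ds(record: str) -> dict:
    """Parse a BIND-style 'keytag algorithm digesttype digest' DS record."""
    tag, alg, dtype, digest = record.split()
    return {"keyTag": int(tag), "algorithm": int(alg), "digestType": int(dtype), "digest": digest.upper()}


def ds_delegated(zone: str, flags: int, algorithm: int, public_key_b64: str, parent_ds_records) -> bool:
    """True when at least one DS at the parent matches this key: the check the DS probe performs."""
    for rec in parent_ds_records:
        ds = parse_ds(rec)
        if ds["digestType"] not in DIGEST_ALGS:
            continue  # unknown digest type: cannot be used to validate, skip it
        expected = make_ds(zone, flags, algorithm, public_key_b64, ds["digestType"])
        if all(ds[k] == expected[k] for k in ds):
            return True
    return False


if __name__ == "__main__":
    ds = make_ds(EXAMPLE_ZONE, EXAMPLE_FLAGS, EXAMPLE_ALGORITHM, EXAMPLE_KEY_B64)
    print("DS to add at the parent:", ds["record"])
    print("Parent delegation matches:", ds_delegated(EXAMPLE_ZONE, EXAMPLE_FLAGS, EXAMPLE_ALGORITHM,
                                                     EXAMPLE_KEY_B64, [ds["record"]]))
```

Running this against the real `keyTag`, `algorithm` and `publicKey` from the DNSSEC status should reproduce the `record` value the status shows; if it does not, the registrar entry was built from the wrong key. Because the digest covers the canonical (lowercased) owner name, the same key produces the same DS regardless of how the zone name is capitalised.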
Status fields
| Field | Meaning |
|---|---|
| enabled | Whether DNSSEC signing is configured |
| dsDelegated | Parent DS probe succeeded — signed publishing is active |
| dsRecords | DS values to add at the parent |
| lastSignedAt | Last successful signed publish |
| lastSignError | Reason the zone is unsigned or signing failed |
| nextDsProbeAt | Next scheduled parent DS check when waiting for delegation |
Disabling DNSSEC
Disable DNSSEC from the zone DNSSEC panel. The platform:
- Stops signing the zone
- Publishes an unsigned zone file
- Does not delete the KMS signing key (manage or delete it separately under KMS if needed)
Any record change on a signed zone triggers automatic re-signing and publish (new RRSIGs, SOA serial bumped).
Access control
DNSSEC uses the same permissions as zone management:
| Action | Permission |
|---|---|
| View DNSSEC status | dns_zone → read |
| Enable, update, or disable DNSSEC | dns_zone → update |
See DNS access control for built-in policies and binding details.
Related documentation
- DNS zones — Zone and record management
- DNS overview — Service summary
- KMS integrations — Auto-provisioned signing keys and retention
- Sign, verify, and HMAC — KMS signing operations