DNSSEC

Protect your domain names against spoofing attacks
DNSSEC

Why choose DNSSEC with OVHcloud

DNSSEC secures your online presence by protecting the integrity and authenticity of DNS responses.
Padlock Secured.svg
Enhanced security against DNS spoofing
Bandwidth.svg
Authenticated DNS responses
Accuracy.svg
DNS security enabled by default

DNSSEC: real-time validation of each DNS query

Domain namesNetwork security
When a user searches to access your website, their browser sends a DNS query to a recursive server. Without DNSSEC, this query can be intercepted and falsified, redirecting the user to a fraudulent site. DNSSEC uses asymmetric cryptography to digitally sign each DNS record. The recursive server verifies this signature using the public key of the zone, thus ensuring that the response corresponds to the initial request. This mechanism protects against cache spoofing attacks and enhances trust in internet exchanges.
Integration.png

DNSSEC: already activated for your domains at OVHcloud

DNS ConfigurationAutomatic
DNSSEC is enabled by default on your domain names at OVHcloud, providing automatic protection against cache spoofing and request spoofing. From the moment of registration, your DNS records are signed with robust cryptographic keys, with no action required. This system, compliant with DNSSEC standards, operates in the background for optimal security. You can manage this option in your Client area, but we advise keeping it active to ensure the integrity of your exchanges. A simple and effective solution.
Hosting - MultiSite - B.png

Enhance the security of your domains with the DNSSEC trust chain

DNSSEC ProtocolData Security
The security of the DNS system relies on a hierarchical chain of trust. Each signed DNS zone contains a DNSKEY record, which includes the public key used to validate the signatures of the records. The parent domain stores a "">DS (Delegation Signer) record, which contains a hash of the public KSK key of the child zone. When a DNS resolver receives a response, it verifies the RRSIG signature using the DNSKEY key, then traverses the chain up to a trust anchor, usually managed by ICANN for the root. This method ensures data integrity and protects against spoofing attacks.
Domain C.png
e-commerce sites, frequent targets of DNS cache spoofing attacks, risk fraudulent redirections that can cause financial losses and harm your brand's reputation. Protect your online transactions with DNSSEC: this protocol cryptographically validates each DNS request, ensuring that your customers always access your legitimate platform. OVHcloud facilitates its deployment through automated zone signing and dedicated technical support for administrators. 

Email service spoofing attacks often exploit DNS vulnerabilities to redirect your emails to malicious servers. DNSSEC secures your MX records by certifying their authenticity, thus blocking any interception or spoofing of your communications. At OVHcloud, DNSSEC covers all your records, including TXT used for SPF or DKIM. An essential protection for businesses demanding privacy and integrity in communications. DNSSEC is enabled by default in your client area to enhance the security of your email services.

In the face of an increasingly demanding regulatory framework, particularly with GDPR, securing your data becomes imperative for European businesses. DNSSEC strengthens this protection by certifying the authenticity of DNS responses and blocking spoofing attacks. As a European hosting provider, OVHcloud offers solutions aligned with data sovereignty. With DNSSEC, you secure your domain name and meet legal obligations, especially if you manage sensitive data or operate in a regulated sector.
e-commerce sites, frequent targets of DNS cache spoofing attacks, risk fraudulent redirections that can cause financial losses and harm your brand's reputation. Protect your online transactions with DNSSEC: this protocol cryptographically validates each DNS request, ensuring that your customers always access your legitimate platform. OVHcloud facilitates its deployment through automated zone signing and dedicated technical support for administrators. 

.eu domain name

A$11.29

ex. GST/year

A$12.42 incl. GST/year

.com domain name

A$14.16

ex. GST/year

A$15.58 incl. GST/year

.dev domain name

A$19.60

ex. GST/year

A$21.56 incl. GST/year

DNSSEC: Your questions about DNS protection for domain names

What is DNSSEC and how does it protect your domains?

DNSSEC (Domain Name System Security Extensions) is a protocol designed to secure the domain name system by adding a layer of asymmetric cryptography. It allows for the verification of the authenticity of DNS responses through digital signatures, thus preventing cache spoofing attacks. Each DNS record is signed with a private key, and resolvers validate this signature using the corresponding public key.

What risks does DNSSEC help to prevent?

DNSSEC helps to prevent several types of attacks, including DNS cache spoofing, where a hacker injects false information into a DNS server's cache. It also protects against spoofing attacks, where an attacker redirects traffic to a fraudulent site. By validating each DNS response, DNSSEC enhances network security and ensures that users access the resources they request.

How do I enable DNSSEC for my domain at OVHcloud?

The DNSSEC option is enabled by default on your OVHcloud domain. Find the option in your Customer space and access the Domain Names section. Select the relevant domain, then go to the DNSSEC tab. You will see the option enabled.

Is DNSSEC compatible with all types of DNS records?

Yes, DNSSEC is compatible with most types of DNS records, including A, MX, TXT, CNAME, and NS records. Each record is signed individually, ensuring its authenticity. OVHcloud also supports DNSSEC-specific records, such as RRSIG (for signatures), DNSKEY (for public keys), and DS (for secure delegation).

How to disable DNSSEC if necessary?

If you need to disable DNSSEC, go to your OVHcloud client area, domain names section. Select the relevant domain and access the DNSSEC tab. Click on Disable: OVHcloud will then remove the signatures and keys associated with your zone. This operation may take a few hours to propagate across the internet. Please note that disabling DNSSEC exposes your domain to the risks of cache spoofing attacks.