DNSSEC
Protect your domain names against spoofing attacks

Why choose DNSSEC with OVHcloud
DNSSEC secures your online presence by protecting the integrity and authenticity of DNS responses.
Enhanced security against DNS spoofing
Authenticated DNS responses
DNS security enabled by default
DNSSEC: real-time validation of each DNS request
Domain namesNetwork security
When a user searches to access your website, their browser sends a DNS request to a recursive server. Without DNSSEC, this request can be intercepted and falsified, redirecting the user to a fraudulent site.
DNSSEC uses asymmetric cryptography to digitally sign each DNS record. The recursive server verifies this signature using the public key of the zone, thus ensuring that the response corresponds to the initial request. This mechanism protects against
cache spoofing attacks and enhances trust in online exchanges.

DNSSEC: already activated for your domains at OVHcloud
DNS ConfigurationAutomatic
DNSSEC is enabled by default on your domain names at OVHcloud, providing automatic protection against cache spoofing and request spoofing. From the moment of registration, your DNS records are signed with robust cryptographic keys, requiring no action. This system, compliant with DNSSEC standards, operates in the background for optimal security. You can manage this option in your Client area, but we recommend keeping it active to ensure the integrity of your exchanges. A simple and effective solution.

Strengthen the security of your domains with the DNSSEC trust chain
DNSSEC ProtocolData Security
The security of the DNS system relies on a
hierarchical chain of trust. Each signed DNS zone contains a DNSKEY record, which includes the public key used to validate the signatures of the records. The parent domain stores a "">DS (Delegation Signer) record, which contains a hash of the public KSK key of the child zone. When a DNS resolver receives a response, it verifies the RRSIG signature using the DNSKEY key, then traverses the chain up to a trust anchor, usually managed by ICANN for the root. This method ensures data integrity and protects against spoofing attacks.

e-commerce sites, frequent targets of DNS cache spoofing attacks, risk fraudulent redirections that can cause financial losses and harm your brand's reputation. Protect your online transactions with DNSSEC: this protocol cryptographically validates each DNS request, ensuring that your customers always access your legitimate platform. OVHcloud facilitates its deployment through automated zone signing and dedicated technical support for administrators.
Email spoofing attacks often exploit DNS vulnerabilities to redirect your emails to malicious servers. DNSSEC secures your MX records by certifying their authenticity, thus blocking any interception or spoofing of your communications. At OVHcloud, DNSSEC covers all your records, including TXT used for SPF or DKIM. An essential protection for businesses demanding privacy and integrity in communications. DNSSEC is enabled by default in your client area to enhance the security of your email services.
In the face of an increasingly demanding regulatory framework, particularly with GDPR, securing your data becomes imperative for European businesses. DNSSEC strengthens this protection by certifying the authenticity of DNS responses and blocking spoofing attacks. As a European hosting provider, OVHcloud offers solutions aligned with data sovereignty. With DNSSEC, you secure your domain name and meet legal obligations, especially if you manage sensitive data or operate in a regulated sector.
e-commerce sites, frequent targets of DNS cache spoofing attacks, risk fraudulent redirections that can cause financial losses and harm your brand's reputation. Protect your online transactions with DNSSEC: this protocol cryptographically validates each DNS request, ensuring that your customers always access your legitimate platform. OVHcloud facilitates its deployment through automated zone signing and dedicated technical support for administrators.
DNSSEC: Your questions about DNS protection for domain names
What is DNSSEC and how does it protect your domains?
What is DNSSEC and how does it protect your domains?
DNSSEC (Domain Name System Security Extensions) is a protocol designed to secure the domain name system by adding a layer of asymmetric cryptography. It allows for the verification of the authenticity of DNS responses through digital signatures, thus preventing cache spoofing attacks. Each DNS record is signed with a private key, and resolvers validate this signature using the corresponding public key.
What risks does DNSSEC help prevent?
What risks does DNSSEC help prevent?
DNSSEC helps prevent several types of attacks, including DNS cache spoofing, where a hacker injects false information into a DNS server's cache. It also protects against spoofing attacks, where an attacker redirects traffic to a fraudulent site. By validating each DNS response, DNSSEC enhances network security and ensures that users access the resources they request.
How to enable DNSSEC for my domain at OVHcloud?
How to enable DNSSEC for my domain at OVHcloud?
The DNSSEC option is enabled by default on your OVHcloud domain. Find the option in your Customer space and access the Domain Names section. Select the relevant domain, then go to the DNSSEC tab. You will see the option enabled.
Is DNSSEC compatible with all types of DNS records?
Is DNSSEC compatible with all types of DNS records?
Yes, DNSSEC is compatible with most types of DNS records, including A, MX, TXT, CNAME, and NS records. Each record is signed individually, ensuring its authenticity. OVHcloud also supports DNSSEC-specific records, such as RRSIG (for signatures), DNSKEY (for public keys), and DS (for secure delegation).
How to disable DNSSEC if needed?
How to disable DNSSEC if needed?
If you need to disable DNSSEC, go to your OVHcloud Client Area, Domain Names section. Select the relevant domain and access the DNSSEC tab. Click on Disable: OVHcloud will then remove the signatures and keys associated with your zone. This operation may take a few hours to propagate across the internet. Note that disabling DNSSEC exposes your domain to the risks of cache spoofing attacks.