Enable DNSSEC on Cloudflare

Enable DNSSEC for your domain on Cloudflare with automatic key management.

Cloudflare makes DNSSEC easy with one-click activation and automatic key management. This guide walks you through enabling DNSSEC and configuring your registrar.

Time required: 10 minutes (plus propagation time)
Prerequisites: Domain on Cloudflare DNS, registrar access

Why Enable DNSSEC?

DNSSEC adds cryptographic signatures to your DNS records, preventing attackers from:

  • Redirecting your email to malicious servers
  • Spoofing your MX records
  • Tampering with DMARC, SPF, or DKIM records
  • Performing DNS cache poisoning attacks

Required for DANE

DNSSEC is a prerequisite for DANE. If you want to use DANE for additional TLS security, you must enable DNSSEC first.

Step 1: Enable DNSSEC in Cloudflare

  1. Log into the Cloudflare Dashboard
  2. Select your domain
  3. Navigate to DNS → Settings
  4. Find the DNSSEC section
  5. Click Enable DNSSEC

Cloudflare will generate the necessary keys and display a DS record that you need to add at your registrar.

Step 2: Copy DS Record Details

After enabling DNSSEC, Cloudflare displays the DS record information:

Key Tag:       12345
Algorithm:     13 (ECDSAP256SHA256)
Digest Type:   2 (SHA-256)
Digest:        E8C6A7B3F5D2A1B4C8D9E0F1A2B3C4D5E6F7...

Copy these values—you'll need them for your registrar.

Step 3: Add DS Record at Your Registrar

The process varies by registrar. Here are instructions for common ones:

Cloudflare Registrar

If your domain is registered with Cloudflare, DS records are added automatically. You're done!

GoDaddy

  1. Go to My Products → DNS
  2. Select your domain
  3. Scroll to DNSSEC
  4. Click Add
  5. Enter the Key Tag, Algorithm, Digest Type, and Digest from Cloudflare
  6. Click Save

Namecheap

  1. Go to Domain List → Manage
  2. Select the Advanced DNS tab
  3. Scroll to DNSSEC
  4. Click Add new DS Record
  5. Fill in the values from Cloudflare
  6. Click Save All Changes

Google Domains / Squarespace

  1. Go to DNS settings
  2. Click DNSSEC
  3. Click Custom name servers tab
  4. Add the DS record with values from Cloudflare
  5. Save

AWS Route 53

If your domain is registered with Route 53:

  1. Go to Route 53 → Registered Domains
  2. Select your domain
  3. Click Manage Keys under DNSSEC
  4. Click Add Key
  5. Paste the full DS record from Cloudflare
  6. Save

Step 4: Wait for Propagation

DNSSEC propagation typically takes 24-48 hours. During this time:

  • Cloudflare will show "Pending" status
  • DNS resolution will continue to work normally
  • Once propagated, status will change to "Active"

Step 5: Verify DNSSEC is Working

Use online tools to verify your DNSSEC configuration:

# Using dig
dig yourdomain.com +dnssec +short

# Should show RRSIG records alongside regular records

Online verification tools:

Don't Disable DNSSEC Hastily

Once enabled, disabling DNSSEC can cause DNS resolution failures during propagation. Only disable if absolutely necessary, and allow 48 hours for changes to propagate.

Troubleshooting

Status stuck on "Pending"

Verify the DS record was added correctly at your registrar. Double-check Key Tag, Algorithm, and Digest values match exactly.
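To make the "values match exactly" check in Step 5 and this troubleshooting step mechanical, here is an added example (not part of this guide or of Cloudflare's tooling) that recomputes the DS fields from a DNSKEY as `dig DNSKEY yourdomain.com` prints it (flags, protocol, algorithm, base64 key) and compares them with what your registrar published. The key bytes in SAMPLE_KEY_B64 are a constructed placeholder, not a real Cloudflare key.

```python
"""Recompute a DS record (RFC 4034 section 5, RFC 4509 for SHA-256) from a DNSKEY
and compare it with the DS published at the registrar.  Added example; the
sample key below is a constructed placeholder, not a real Cloudflare key."""
import base64
import hashlib
import struct

# Constructed stand-in for a 64-byte ECDSA P-256 public key (algorithm 13).
SAMPLE_KEY_B64 = "AQEB" * 21 + "AQ=="

def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(name: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> dict:
    """DS fields for a DNSKEY. Digest type 2 (SHA-256) is what Cloudflare hands you."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is implemented here")
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(owner_name_wire(name) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def ds_matches(published: dict, name: str, flags: int, protocol: int,
               algorithm: int, pubkey_b64: str) -> bool:
    """True only when every DS field at the registrar matches the DNSKEY the zone serves."""
    try:
        expected = make_ds(name, flags, protocol, algorithm, pubkey_b64,
                           int(published.get("digest_type", 0)))
    except ValueError:
        return False
    return all(str(published.get(k, "")).upper() == str(v).upper()
               for k, v in expected.items())

if __name__ == "__main__":
    ds = make_ds("example.com", 257, 3, 13, SAMPLE_KEY_B64)
    print(ds)
    print("registrar DS matches:", ds_matches(ds, "example.com", 257, 3, 13, SAMPLE_KEY_B64))
```

Paste the real flags, protocol, algorithm and key from the DNSKEY answer and the four DS values from your registrar; a single wrong hex digit or a key tag off by one is reported as a mismatch.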

DNSSEC validation failures

Ensure you're using Cloudflare's nameservers and the DS record matches what Cloudflare provided.

Registrar doesn't support DNSSEC

Consider transferring your domain to a registrar that supports DNSSEC, or using Cloudflare Registrar.

Checklist

  • DNSSEC enabled in Cloudflare dashboard
  • DS record added at registrar
  • Status shows "Active" in Cloudflare
  • Verified with online DNSSEC checker

Next Steps