Understanding and Configuring DNSSEC in Cloudflare DNS

DNSSEC adds an authentication layer to an otherwise insecure DNS infrastructure. It lets validating resolvers verify that the DNS answers for your domain are genuine, so visitors who type your domain into a web browser are directed to your web server rather than to a forged address, which defends against man-in-the-middle attacks and other types of DNS forgery.


For more in-depth information, see the Learn more about DNSSEC section at the end of this article.


When you enable DNSSEC, Cloudflare:

  • Signs your zone
  • Publishes your public signing keys
  • Generates your DS record


Note that not all registrars and top-level domains (TLD) support DNSSEC. 


Enabling DNSSEC for your domain requires enabling DNSSEC in Cloudflare and adding a special record to your DNS configuration at the registrar.


Cloudflare supports setting up DNSSEC automatically (via CDS and CDNSKEY record types) without requiring customers to manually upload a DS record for domains registered under these top-level domains:

  • .ch
  • .cz


Below are the two steps required for adding DNSSEC support to your Cloudflare proxied domain.


Step 1 - Enable DNSSEC in Cloudflare DNS

By enabling DNSSEC first in the Cloudflare dashboard, you’re asking Cloudflare to generate the data necessary for adding a delegation signer (DS) record to your domain at the registrar.


Cloudflare's chosen signing algorithm (Algorithm 13, also known as ECDSA Curve P-256 with SHA-256) is not supported by some registrars. Note that some registrars support a different set of verification algorithms depending on the TLD.


To obtain the Cloudflare DS record data:


1. Log in to the Cloudflare dashboard.

2. Ensure the website for the DS record you need is selected.

3. Click the DNS app.

4. Scroll down to the DNSSEC panel.

5. Click Enable DNSSEC. You will see a dialog informing you that your configuration is pending until the DS record is added at your registrar.

6. Next, click to expand the DS Record dropdown in the DNSSEC panel.

7. Copy the DS record information displayed as you will need it for Step 2 below.


Step 2 - Add a DS record to your registrar

After completing Step 1 above, you should have the Cloudflare-generated DS data handy to complete this step.


To complete your DNSSEC configuration, your domain must have a DS record in its DNS configuration at the registrar. Find your registrar below and follow the instructions provided.


Registrar: 123 Reg
Instructions: Contact your registrar's customer support and provide the DS record data you received from Cloudflare.

Registrar: DNSimple
Instructions: See the DNSimple help page "Using CloudFlare DNSSEC with DNSimple".

Registrar: domaindiscount24
Instructions: See the domaindiscount24 help page "DNSSEC".

Registrar: dotster
Instructions: Contact your registrar's customer support and provide the DS record data you received from Cloudflare.

Registrar: DreamHost
Instructions: See the DreamHost help page "DNSSEC overview". In DreamHost, use 2 as the Digest Type instead of SHA256.

Registrar: dynadot
Instructions: See the dynadot help page "How do I set up DNSSEC?".

Registrar: enom
Instructions: See the enom help page "Adding a DNSSEC to a Domain Name".

Registrar: gandi
Instructions: See the gandi help page "DNSSEC". In gandi, make sure you select Algorithm 13 in the Algorithm dropdown.

Registrar: GoDaddy
Instructions: See the GoDaddy help page "Add a DS record".

Registrar: godzone
Instructions: Contact your registrar's customer support and provide the DS record data you received from Cloudflare. In the godzone web control panel, you might be able to add a DS record under the Domains tab.

Registrar: Google Domains
Instructions: See the Google Domains help page "Setting Up DNSSEC security" and follow the instructions for Custom name servers.

Registrar: hover
Instructions: See the hover help page "Understanding and managing DNSSEC".

Registrar: internet.bs
Instructions: Contact your registrar's customer support and provide the DS record data you received from Cloudflare. You might be able to add a DS record under My Domains > Update DNS List > Manage DNSSEC > Enable DNSSEC.

Registrar: Joker.com
Instructions: See the Joker.com help page "DNSSEC Support". In Joker.com, use 2 as the Digest Type instead of SHA256.

Registrar: MarkMonitor
Instructions: MarkMonitor supports verification Algorithm 13 and automatically uses the Extensible Provisioning Protocol (EPP) to pass DS records to the registry for the following TLDs: .com, .biz, .net, .org, .us, .eu, .fr, .de, .co, .lu, .ch, .be, .li, .co.uk, .wf, .tf, .pm, .yt, .se, .af, .cx, .gs, .hn, .ki, .nf, .sb, .tl, .re. To add a DS record, enter the DS data in the DNSSEC Details panel of the MarkMonitor management portal.

Registrar: Moniker
Instructions: Contact your registrar's customer support and provide the DS record data you received from Cloudflare. You might be able to add a DS record under My Domains > Advanced Settings > DNSSEC > DSData.

Registrar: name.com
Instructions: See the name.com help page "Managing DNSSEC".

Registrar: namecheap
Instructions: See the namecheap help page "Managing DNSSEC for domains pointed to Custom DNS".

Registrar: nameISP
Instructions: See the nameISP help page "How do I enable DNSSEC for my domain?". Enabling DNSSEC in nameISP does not require you to copy and paste the DS record data from your Cloudflare account.

Registrar: namesilo
Instructions: See the namesilo help page "DS Records (DNSSEC)".

Registrar: OVH
Instructions: OVH supports DNSSEC with Algorithm 13 through their API; see the OVH documentation. The API call returns a slightly different DS record because OVH prefers SHA-1 over SHA-256: after you enter the DS record, OVH recalculates the DS digest using SHA-1. This does not cause any problems with your website. OVH also supports adding the DS record via their DNS Manager.

Registrar: Public Domain Registry
Instructions: Contact your registrar's customer support and provide the DS record data you received from Cloudflare. This registrar might support DNSSEC for a limited set of TLDs only. See "Adding Delegation Signer (DS) Records".

Registrar: register.com
Instructions: Contact your registrar's customer support and provide the DS record data you received from Cloudflare.

Registrar: registro.br
Instructions: See the registro.br tutorials "DNS e DNSSEC Tutoriais" (DNS and DNSSEC tutorials, in Portuguese).

Registrar: Tsohost
Instructions: Contact your registrar's customer support and provide the DS record data you received from Cloudflare.
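Before and after Step 2 it is worth checking that the DS record you copied from the Cloudflare panel in Step 1, or the one your registrar ended up storing (OVH rewrites it to SHA-1, DreamHost and Joker.com ask for the digest type as the number 2), really corresponds to the DNSKEY Cloudflare publishes. The following Python is an added example, not code from this article or from Cloudflare, that derives a DS record from DNSKEY data as specified in RFC 4034; the zone name and the 64 key bytes are constructed placeholders, not a real key.

```python
import hashlib

# Constructed sample (not a real Cloudflare key; key bytes are a placeholder, not a P-256 point).
ZONE = "example.com"
KSK_FLAGS = 257  # Zone Key + Secure Entry Point bits: a key-signing key
ALGORITHM = 13   # ECDSAP256SHA256, the algorithm Cloudflare signs with
SAMPLE_PUBKEY = bytes(range(64))
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 (SHA-1) and 2 (SHA-256)

def owner_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(zone, flags, algorithm, pubkey, digest_type=2):
    """(key tag, algorithm, digest type, hex digest); digest = hash(owner wire form + DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = DIGEST_FUNCS[digest_type](owner_wire(zone) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_presentation(zone, ds):
    tag, alg, dtype, digest = ds
    return f"{zone}. IN DS {tag} {alg} {dtype} {digest}"

def ds_matches(ds_line, zone, flags, algorithm, pubkey):
    """True if a DS line (from Cloudflare's panel or the registrar) belongs to this
    DNSKEY; digest type 1 or 2 is accepted, so an SHA-1 rewrite still verifies."""
    parts = ds_line.split()
    tag, alg, dtype, digest = int(parts[-4]), int(parts[-3]), int(parts[-2]), parts[-1]
    if dtype not in DIGEST_FUNCS:
        return False
    return (tag, alg, dtype, digest.upper()) == make_ds(zone, flags, algorithm, pubkey, dtype)

# The DS as Cloudflare displays it (digest type 2) and as OVH stores it (digest type 1).
CLOUDFLARE_STYLE_DS = ds_presentation(ZONE, make_ds(ZONE, KSK_FLAGS, ALGORITHM, SAMPLE_PUBKEY))
OVH_STYLE_DS = ds_presentation(ZONE, make_ds(ZONE, KSK_FLAGS, ALGORITHM, SAMPLE_PUBKEY, 1))
```

To check a live zone, substitute the flags, algorithm and base64-decoded key from the DNSKEY record Cloudflare publishes and the DS line your registrar shows; both digest types must yield the same key tag, and only the digest length differs.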


What if my registrar or TLD doesn't support DNSSEC?

To enable DNSSEC, both your registrar and the registry for your TLD need to support DNSSEC with Cloudflare's chosen signing algorithm, Algorithm 13.


Although DNSSEC support is required by ICANN and Algorithm 13 has been standardized for years, some registrars and registries do not support these protocols yet.


To try to get your registrar to support DNSSEC, you have three options:


1. Contact your registrar to ask for DNSSEC with modern encryption. Many registrars are waiting to add support until they see higher demand, so by reaching out, you are letting them know that there is a need for DNSSEC with Algorithm 13.


2. You can transfer your domain to a different registrar that supports DNSSEC with Algorithm 13, as listed in Step 2 above.


3. Finally, you can file a complaint with ICANN, citing your registrar's lack of compliance. ICANN requires registrars to support DNSSEC with all available DS algorithm types.

If support is lacking at the TLD level, try option 1 above. You can find the contact information for your TLD registry in the IANA Root Zone Database.


Learn more about DNSSEC

