DNSSEC
DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring requests are not routed to a spoofed domain.
For additional background on DNSSEC, visit the Cloudflare Learning Center.
Disable DNSSEC
If you are onboarding an existing domain to Cloudflare, make sure DNSSEC is disabled at your registrar (where you purchased your domain name). Otherwise, your domain will experience connectivity errors when you change your nameservers.
Provider-specific instructions
This is not an exhaustive list of how to update DS records in other providers, but the following links may be helpful:
- DNSimple
- domaindiscount24
- DreamHost
- dynadot
- enom
- gandi
- GoDaddy
- Google Domains
- hover
- InMotion Hosting
- INWX
- Joker.com
- name.com
- namecheap
- nameISP
- namesilo
- OVH
- Public Domain Registry
- registro.br
- Porkbun (do not fill out keyData).
Why do I have to disable DNSSEC
When your domain has DNSSEC enabled, your DNS provider digitally signs all your DNS records. This action prevents anyone else from issuing false DNS records on your behalf and redirecting traffic intended for your domain.
However, having a single set of signed records also prevents Cloudflare from issuing new DNS records on your behalf (which is part of using Cloudflare for your authoritative nameservers). So if you change your nameservers without disabling DNSSEC, DNSSEC will prevent Cloudflare’s DNS records from resolving properly.
Enable DNSSEC
When you enable DNSSEC, Cloudflare signs your zone, publishes your public signing keys, and generates your DS record.
Step 1 - Activate DNSSEC in Cloudflare
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to DNS > Settings.
- For DNSSEC, click Enable DNSSEC.
- In the dialog, you have access to several necessary values to help you create a DS record at your registrar. Once you close the dialog, you can access this information by clicking DS record on the DNSSEC card.
Step 2 — Add DS record to your registrar
You now need to add a DS record to your registrar. If Algorithm 13 - Cloudflare’s preferred cipher choice - is not listed by your registrar, it may also be called ECDSA Curve P-256 with SHA-256.
Provider-specific instructions
This is not an exhaustive list of how to update DS records in other providers, but the following links may be helpful:
- DNSimple
- domaindiscount24
- DreamHost
- dynadot
- enom
- gandi
- GoDaddy
- Google Domains
- hover
- InMotion Hosting
- INWX
- Joker.com
- name.com
- namecheap
- nameISP
- namesilo
- OVH
- Public Domain Registry
- registro.br
- Porkbun (do not fill out keyData).
Other DNSSEC setup options
If you are using Cloudflare as your Secondary DNS provider and want to configure DNSSEC on your secondary zone(s), you have three options depending on your setup.
If you want to set up DNSSEC on a subdomain zone, refer to Subdomain DNSSEC.
Limitations
If your registrar does not support DNSSEC with Cloudflare’s preferred cipher choice (Algorithm 13), you have several options:
- Contact your registrar to ask for DNSSEC with modern encryption.
- Transfer your domain to a different registrar that supports DNSSEC with Algorithm 13
- File a complaint with ICANN, citing your registrar’s lack of compliance.
If your top-level domain does not support DNSSEC with Algorithm 13 (also known as ECDSA Curve P-256 with SHA-256), contact that top-level domain.