Enable DNSSEC for a subdomain setup
Unlike the normal process for enabling DNSSEC, enabling DNSSEC for a subdomain setup requires a few additional steps.
Requirements
In order to use DNSSEC for a subdomain setup, DNSSEC must be enabled on the parent zone.
Ideally, you should also wait 12 to 24 hours after enabling DNSSEC on the parent zone to ensure DNS resolvers provide the same DNS query responses.
Setup
- Create the child subdomain.
- Make sure the child zone is active on Cloudflare and that DNS resolution is working properly for your child subdomain.
- Enable DNSSEC for the child subdomain and save the information provided within the DS record output.
- In the DNS > Records settings of the parent domain, add the DS record from the previous step.
- Add an A record to the child subdomain to validate DNS resolution.
- Wait two to six hours. Then, test the A record added in the previous step using multiple DNS resolvers with DNSSEC validation (1.1.1.1, 8.8.8.8, and 9.9.9.9). For example, if the A record is for test.child.example.com:
  dig test.child.example.com +dnssec @1.1.1.1
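
The final test step can be scripted so that each resolver's answer is classified rather than read by eye. The following is an added example, not part of the original page or Cloudflare's tooling: the function names, the verdict labels and the sample dig outputs are constructed for illustration, and it assumes dig's default output format.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): classify `dig +dnssec` output.

# Reads dig output on stdin and prints one verdict:
#   validated  NOERROR, "ad" flag set, RRSIG returned with the answer
#   insecure   NOERROR without "ad" (e.g. DS record not yet visible at the parent)
#   bogus      SERVFAIL (validating resolvers fail closed on a broken chain)
#   error      anything else (NXDOMAIN, empty output, ...)
dnssec_verdict() {
  local out status flags
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR)  ;;
    SERVFAIL) echo bogus; return ;;
    *)        echo error; return ;;
  esac
  if printf ' %s ' "$flags" | grep -q ' ad ' &&
     printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
    echo validated
  else
    echo insecure
  fi
}

# Live check against the three resolvers named in the steps above (needs network).
check_resolvers() {
  local resolver
  for resolver in 1.1.1.1 8.8.8.8 9.9.9.9; do
    printf '%s\t%s\n' "$resolver" "$(dig "$1" A +dnssec "@$resolver" | dnssec_verdict)"
  done
}

# Constructed sample outputs (trimmed dig headers and answers), for offline use.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
test.child.example.com. 300 IN A 192.0.2.10
test.child.example.com. 300 IN RRSIG A 13 4 300 20300101000000 20291230000000 11111 child.example.com. c2FtcGxl'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
test.child.example.com. 300 IN A 192.0.2.10'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Run live only when a hostname is passed as the first argument.
if [ -n "${1:-}" ]; then check_resolvers "$1"; fi
```

All three resolvers should report validated once the DS record has propagated. A bogus verdict that turns into a normal answer when the query is repeated with dig's +cd option points at the DS record added to the parent zone rather than at the A record itself.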