How to set up DNSSEC on Cloudflare
Turn on DNSSEC in Cloudflare and add the DS record at your registrar so no one can forge your DNS answers.
Why this matters to your business
When someone types your domain or sends you email, their computer asks the DNS system for the right address. Normally those answers travel unsigned, which means an attacker who can tamper with them can quietly point your visitors at a fake website or reroute your email to their own server. Your customers see your real domain in the address bar the whole time.
DNSSEC closes that gap. It cryptographically signs your DNS answers, so the person looking you up can prove the answer genuinely came from you and was not altered on the way. In plain terms: it stops criminals from hijacking your domain or poisoning the lookups that point people to you. It is free, and it is one of the strongest protections you can switch on for the foundation everything else sits on.
How DNSSEC actually works (so the steps make sense)
DNSSEC has two halves that live in two places:
- Your DNS host (Cloudflare) signs your records and publishes the public keys (a DNSKEY) plus a small fingerprint of them called a DS record.
- Your registrar (where you bought and renew the domain) publishes that DS record up into the parent zone (for example .com).
The DS record at the registrar is the link in the chain of trust. Cloudflare can sign all day, but until the matching DS record is lodged at your registrar, the wider internet has no signed way to trust those signatures. So the job is two steps: turn it on in Cloudflare, then hand the DS record to your registrar.
The real risk — do this carefully
DNSSEC can take your whole domain offline if it is done wrong. The two ways that happens:
- Publishing a DS record at the registrar that does not match what your DNS host is actually signing with.
- Moving your DNS to a different host (or turning Cloudflare off) without first removing the DS record at the registrar — the old DS record keeps demanding signatures that no longer exist, and lookups start failing.
Neither is dangerous if you follow the flow below in order and never delete the DS record at the registrar while Cloudflare is still your signing host. If you ever plan to move away from Cloudflare, disable DNSSEC and remove the DS record at the registrar first, then move.
Confirm Cloudflare runs your DNS
This only works if Cloudflare is answering DNS for your domain. Cloudflare is your DNS host, not necessarily the company you bought the domain from. Cloudflare’s DNS is only live when your domain’s nameservers point to the Cloudflare nameservers shown in your dashboard. Open your domain in Cloudflare and check the Overview page to confirm Cloudflare is active. If your nameservers point elsewhere, enable DNSSEC at whichever provider runs your DNS instead.
Step-by-step on Cloudflare
- Sign in to Cloudflare and select your domain.
- In the left-hand menu, go to DNS, then Settings (older dashboards show a DNSSEC section directly under DNS).
- Find DNSSEC and click Enable DNSSEC.
- Cloudflare will display a panel of values — the important one is the DS record. You will typically see fields such as Key Tag, Algorithm, Digest Type, Digest, and a ready-made single-line DS record. Leave this panel open; you need to copy these to your registrar.
- Now sign in to your registrar (the company you renew the domain with — this may or may not be Cloudflare).
- Find the DNSSEC or DS record section for your domain at the registrar and add a new DS record using the exact values Cloudflare gave you:
- Key Tag — the number Cloudflare shows.
- Algorithm — usually 13 (ECDSA P-256 SHA-256).
- Digest Type — usually 2 (SHA-256).
- Digest — the long hexadecimal string, copied exactly.
- Save at the registrar. If your registrar lets you paste a single combined DS record line instead of separate fields, use the full DS line Cloudflare displayed.
- Back in Cloudflare, once the registrar has accepted the DS record, Cloudflare’s DNSSEC status will move to active (this can take a little while to confirm).
Cloudflare quirks people get wrong
- Two systems, not one. Enabling DNSSEC in Cloudflare alone achieves nothing — the DS record must also be lodged at your registrar. People stop after the Enable DNSSEC step and wonder why it never goes active.
- Copy the digest exactly. A single wrong or missing character in the Digest means the registrar’s DS record will not match Cloudflare’s signatures, which is exactly the misconfiguration that takes a domain offline. Copy and paste; never retype it.
- Match the algorithm and digest-type numbers. If your registrar asks for these separately, use the values Cloudflare shows — do not guess.
- If Cloudflare is also your registrar, the DS step is handled internally and you may not see a separate registrar form — but confirm DNSSEC shows as active before assuming it is done.
- Never remove the DS record while Cloudflare is still signing. And if you ever migrate DNS away from Cloudflare, disable DNSSEC and clear the DS record at the registrar before the move.
- Give it time. DNSSEC changes can take from a few minutes up to a day to fully propagate and show as active.
Verify it worked
Once DNSSEC shows as active in Cloudflare and the DS record is in place at your registrar, run the free check on this site. It will tell you in plain language whether DNSSEC is correctly published and trusted for your domain.
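An added example, not code from Cloudflare or from this site: it rebuilds the DS record (Key Tag, Algorithm, Digest Type 2, Digest) from the DNSKEY a DNS host publishes and compares it field by field with the DS record the registrar holds, which is exactly the mismatch described above that takes a domain offline. Standard-library Python only; the zone name and the 64-byte key are constructed placeholders, not a real key.

```python
# Added example (not Cloudflare's or any registrar's code): rebuild the DS record
# from a DNSKEY and compare it with what the registrar holds. Standard library only.
import base64
import hashlib
import struct

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the zone name: lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA layout (RFC 4034): 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key Tag per RFC 4034 Appendix B: 16-bit word sum of the RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(zone: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> dict:
    """The DS record the registrar should hold: digest type 2 = SHA-256 over owner name + RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}

def ds_matches(zone: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str, registrar_ds: dict) -> bool:
    """True only if every field at the registrar matches the DNSKEY actually being published."""
    expected = ds_from_dnskey(zone, flags, protocol, algorithm, pubkey_b64)
    return (
        registrar_ds["key_tag"] == expected["key_tag"]
        and registrar_ds["algorithm"] == expected["algorithm"]
        and registrar_ds["digest_type"] == expected["digest_type"]
        and registrar_ds["digest"].replace(" ", "").upper() == expected["digest"]  # UIs add spaces
    )

# Constructed sample: a KSK (flags 257), protocol 3, algorithm 13, and a stand-in 64-byte
# "key" of 0x01 bytes. Not a real key; it only exercises the layout and key-tag arithmetic.
SAMPLE_ZONE = "example.com."
SAMPLE_KEY_B64 = base64.b64encode(b"\x01" * 64).decode()

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_ZONE, 257, 3, 13, SAMPLE_KEY_B64)
    print(f"{SAMPLE_ZONE} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
```

To check a live zone, feed it the flags, protocol, algorithm and base64 key from the DNSKEY record Cloudflare shows (or that a resolver returns) and the four DS fields from the registrar's form; a False result means the registrar copy is the one to fix.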