Defaults.Exposed


How to set up DNSSEC on GoDaddy

Switch on DNSSEC in GoDaddy with one toggle so no one can forge your DNS answers and hijack your domain.

Why this matters to your business

When someone visits your website or sends you email, their computer first asks the DNS system for the right address. Those answers normally travel unsigned, so an attacker who can tamper with the lookup can quietly send your visitors to a fake site or reroute your email to their own server — while your real domain still shows in the address bar.

DNSSEC stops that. It cryptographically signs your DNS answers, so anyone looking you up can prove the answer truly came from you and was not altered in transit. In plain terms: it blocks domain hijacking and cache poisoning, the attacks that turn your own domain against your customers. It is free, and on GoDaddy it is usually a single switch.

How DNSSEC works (and why GoDaddy is easy here)

DNSSEC has two halves: the DNS host signs your records and publishes the keys (a DNSKEY) plus a small fingerprint called a DS record, and the registrar lodges that DS record in the parent zone so the rest of the internet can trust the signatures.

When GoDaddy is both your registrar and your DNS host — which it is for most GoDaddy domains using GoDaddy nameservers — GoDaddy does both halves for you. You flip one toggle; GoDaddy generates the keys and lodges the DS record up the chain automatically. No copying values between systems.

The real risk — when it is not so simple

DNSSEC can take your domain offline if it is misconfigured. The danger arises mainly when the registrar and the DNS host are different companies, or when you move DNS hosts:

If GoDaddy is both registrar and DNS host, the one-click flow below is safe.

Confirm GoDaddy runs your DNS

The one-click toggle only applies if GoDaddy is actually answering DNS for your domain. Check that your domain is using GoDaddy nameservers: in your GoDaddy account, open the domain and look at its Nameservers setting. If it shows GoDaddy’s own nameservers, the one-click toggle is the right path. If the nameservers point to another provider (for example a separate DNS host), enable DNSSEC at that provider instead, then add the DS record it gives you into GoDaddy.

Step-by-step on GoDaddy (one-click, GoDaddy is registrar and DNS host)

  1. Sign in to your GoDaddy account.
  2. Go to My Products (or Domain Portfolio).
  3. Find your domain and open its management page — click the domain name or the three-dot menu and choose Manage DNS / Domain Settings.
  4. Scroll to the Additional Settings section (on some accounts it appears under DNS Management).
  5. Find DNSSEC and click Manage or the toggle.
  6. Switch DNSSEC to on.
  7. Confirm. GoDaddy generates the keys, signs your zone, and publishes the DS record up the chain for you — there is nothing to copy elsewhere.

Step-by-step when your DNS is hosted elsewhere

If GoDaddy is only your registrar and another company hosts your DNS:

  1. Enable DNSSEC at your DNS host first and copy the DS record it produces (you will need Key Tag, Algorithm, Digest Type, and the Digest).
  2. In GoDaddy, open the domain and find the DNSSEC section under Additional Settings.
  3. Choose to add a DS record and enter the values from your DNS host exactly.
  4. Save. The DS record is now lodged in the parent zone, completing the chain.
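Because the DS values must match the key your DNS host publishes, it helps to recompute them before you save. The following is an added example, not GoDaddy's or this site's code: it derives the Key Tag and Digest from a DNSKEY and lists any field that was entered differently. The function names are hypothetical and the sample key is constructed; in practice the flags, protocol, algorithm and key come from the DNSKEY record your DNS host shows.

```python
import base64
import hashlib
import struct

# Digest Type numbers as they appear in a DS record.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
FIELDS = ("Key Tag", "Algorithm", "Digest Type", "Digest")

def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key Tag checksum over the RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def expected_ds(name, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The (Key Tag, Algorithm, Digest Type, Digest) that this DNSKEY implies."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(name) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def mismatched_fields(entered, expected):
    """Names of the DS fields where the registrar entry differs from the DNSKEY."""
    # Pasted digests often carry spaces or lowercase hex; normalise before comparing.
    clean = [int(v) for v in entered[:3]] + ["".join(str(entered[3]).split()).upper()]
    return [f for f, a, b in zip(FIELDS, clean, expected) if a != b]

# Constructed sample: a made-up 64-byte key for algorithm 13 on example.com.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DS = expected_ds("example.com", 257, 3, 13, SAMPLE_KEY)

if __name__ == "__main__":
    print("expected DS:", SAMPLE_DS)
    # Simulate a Key Tag typed one digit off at the registrar.
    typo = (SAMPLE_DS[0] - 1,) + SAMPLE_DS[1:]
    print("fields to fix:", mismatched_fields(typo, SAMPLE_DS))
```

An empty list from `mismatched_fields` means the values you entered describe the published key; any field it names should be corrected before you save.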

GoDaddy quirks people get wrong

Verify it worked

Once DNSSEC is switched on (and any DS record is in place), run the free check on this site. It will tell you in plain language whether DNSSEC is correctly published and trusted for your domain.
