How to set up DNSSEC on Namecheap
Enable DNSSEC in Namecheap so no one can forge your DNS answers and redirect your visitors or email.
Why this matters to your business
Every time someone opens your website or emails you, their computer asks the DNS system where to find you. Those answers usually travel unsigned, so an attacker who can interfere with the lookup can silently send your visitors to a counterfeit site or reroute your email to their own server — all while your genuine domain still appears in the address bar.
DNSSEC shuts that door. It cryptographically signs your DNS answers, so anyone looking you up can confirm the answer really came from you and was not tampered with along the way. In plain terms: it prevents domain hijacking and cache poisoning, the attacks that weaponise your own domain against your customers. It is free, and when Namecheap runs your DNS it is close to one click.
How DNSSEC works (and why Namecheap can be simple)
DNSSEC has two halves. The DNS host signs your records, publishes the public key (a DNSKEY record) and produces a small fingerprint of that key called a DS record. The registrar then lodges that DS record in the parent zone so the rest of the internet trusts the signatures.
When Namecheap is both your registrar and your DNS host — that is, your domain uses Namecheap BasicDNS / PremiumDNS — Namecheap handles both halves with a single toggle. It signs the zone and publishes the DS record up the chain for you. When your DNS is hosted somewhere else, you instead copy the DS record from that host into Namecheap by hand.
The real risk — do this in order
DNSSEC can take your domain offline if it is set up wrongly. The two ways that happens:
- A DS record lodged at the registrar that does not match what the DNS host is actually signing with.
- Moving your DNS to a different host (or switching off signing) without first removing the DS record — the stale DS record keeps demanding signatures that no longer exist, and lookups fail.
So: if you ever move DNS away from Namecheap, or off Namecheap’s nameservers, disable DNSSEC and clear the DS record first, then move. Follow the flow below in order and you are safe.
Confirm Namecheap runs your DNS
Check what is answering DNS for your domain. In your Namecheap account, open the domain and look at the Nameservers setting on the Domain tab:
- If it is set to Namecheap BasicDNS or Namecheap Web Hosting DNS / PremiumDNS, Namecheap hosts your DNS — use the one-click flow.
- If it shows Custom DNS pointing at another provider, that provider hosts your DNS — enable DNSSEC there first, then add the DS record it gives you into Namecheap.
Step-by-step on Namecheap (Namecheap is registrar and DNS host)
- Sign in to Namecheap.
- Go to Domain List and click Manage next to your domain.
- Open the Advanced DNS tab.
- Scroll to the DNSSEC section.
- Switch DNSSEC to on.
- Confirm. With Namecheap’s own DNS, Namecheap signs the zone and publishes the DS record up the chain for you — there is nothing to copy elsewhere.
Step-by-step when your DNS is hosted elsewhere
If Namecheap is your registrar but another company hosts your DNS:
- Enable DNSSEC at your DNS host first and copy the DS record values it produces — typically Key Tag, Algorithm, Digest Type, and the Digest.
- In Namecheap, open the domain and go to the Advanced DNS tab, then the DNSSEC section.
- Add a DS record and enter the values from your DNS host exactly into the matching fields.
- Save. The DS record is now lodged in the parent zone, completing the chain of trust.
Namecheap quirks people get wrong
- The toggle only does everything when Namecheap also hosts your DNS. On Custom DNS, flipping it alone is not enough — you must paste the DS record from your real DNS host.
- Do not double-sign. If your external DNS host already signs the zone, you only enter its DS record at Namecheap — you do not also enable Namecheap’s own signing.
- Copy DS values character-for-character. A single wrong digit in the Digest means the DS will not match the signatures, which is exactly what takes a domain offline. Paste, never retype.
- Match algorithm and digest-type numbers to whatever your DNS host reports — do not guess.
- Disable DNSSEC before changing nameservers. Switching DNS hosts with a stale DS record still in place is the classic way to knock a domain offline.
- Give it time. Changes can take from minutes up to a day to fully propagate.
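The check behind "copy DS values character-for-character" can be reproduced offline. The following is an added example, not code from this page or from Namecheap: it derives the four DS fields from a DNSKEY using the RFC 4034 rules and reports which field of a registrar entry disagrees. The function names, the filler key and `example.com` are constructed for illustration.

```python
import base64, hashlib, struct

# Constructed sample data (not a real key): 64 filler bytes standing in for an
# ECDSA P-256 public key, base64-encoded the way a DNS host displays a DNSKEY.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key Tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for this DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_mismatches(owner, rdata, ds):
    """List the DS fields that disagree with the DNSKEY; empty means it matches."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return ["Digest Type"]
    want = make_ds(owner, rdata, dtype)
    got = (tag, alg, dtype, "".join(digest.split()).upper())  # ignore spaces and case
    fields = ("Key Tag", "Algorithm", "Digest Type", "Digest")
    return [f for f, g, w in zip(fields, got, want) if g != w]

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 13, SAMPLE_PUBKEY_B64)  # KSK flags, ECDSA P-256
    ds = make_ds("example.com", rdata)
    print("DS from DNS host:", ds)
    typo = ds[:3] + ("0" * 64,)  # constructed mistyped digest
    print("Registrar entry problems:", ds_mismatches("example.com", rdata, typo))
```

An empty list from `ds_mismatches` means the DS entry matches the key the DNS host is signing with; any named field is the one to re-copy before saving.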
Verify it worked
Once DNSSEC is switched on (and any DS record is in place), run the free check on this site. It will tell you in plain language whether DNSSEC is correctly published and trusted for your domain.