
Enabling DNSSEC on Cloudflare

Step-by-step instructions to enable DNSSEC for domains hosted on Cloudflare

Prerequisites

  • A domain added to Cloudflare
  • Cloudflare nameservers configured at your registrar
  • Access to your domain registrar's control panel

Step 1: Enable DNSSEC in Cloudflare

  1. Log in to your Cloudflare dashboard
  2. Select your domain from the domain list
  3. Navigate to DNS in the left sidebar
  4. Scroll down to the DNSSEC section
  5. Click Enable DNSSEC or Manage DNSSEC
  6. Cloudflare will automatically generate DNSKEY records

Step 2: Copy DS Records

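After enabling DNSSEC, Cloudflare will display your DS records. The four values after DS are the key tag, the algorithm number, the digest type, and the digest; many registrar forms ask for them as separate fields. You'll see something like: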

example.com. IN DS 12345 13 2 ABC123DEF4567890ABCDEF1234567890ABCDEF1234567890ABCDEF

Important: Copy all DS records shown. Cloudflare may provide multiple DS records if you have multiple keys.

Step 3: Add DS Records to Your Registrar

The DS records must be added to your domain registrar (where you purchased the domain), not Cloudflare:

  1. Log in to your domain registrar's control panel
  2. Navigate to DNS or DNSSEC settings for your domain
  3. Find the DS Records or DNSSEC section
  4. Add each DS record provided by Cloudflare
  5. Save the changes

Note: Some registrars have different interfaces. Look for "DNSSEC", "DS Records", or "Delegation Signer" in your DNS settings. If you can't find it, contact your registrar's support.

Step 4: Verify DNSSEC is Active

After adding DS records, wait 15-30 minutes for propagation, then verify:

  1. Use our DNSSEC checker to verify your domain
  2. Check the Cloudflare dashboard: the DNSSEC status should show "Active"
  3. Use dig DS example.com to verify DS records are published

Cloudflare DNSSEC Features

  • Automatic Key Management: Cloudflare handles key generation and rotation
  • NSEC3: Cloudflare uses NSEC3 by default for better security
  • Algorithm 13: Uses ECDSAP256SHA256 (modern, efficient algorithm)
  • Automatic Re-signing: Records are automatically re-signed before expiration

Troubleshooting

DNSSEC Not Active

Ensure DS records are correctly added at your registrar. Check for typos in the DS record values.
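
An offline way to catch a mistyped DS value from Step 3, as an added example that is not part of the original guide or Cloudflare's tooling: it recomputes the key tag (RFC 4034 Appendix B) and the SHA-256 digest from the zone's DNSKEY and compares them with the DS line. The function names and the sample key (64 constructed placeholder bytes, not a real key) are assumptions for illustration.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Owner name in canonical (lowercase) wire form; '.' is the root."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def expected_ds(name, flags, protocol, algorithm, pubkey_b64):
    """(key tag, algorithm, digest type 2, SHA-256 digest) the parent should hold."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def check_ds(ds_line, name, flags, protocol, algorithm, pubkey_b64):
    """Return the names of DS fields that do not match the DNSKEY (empty = OK)."""
    fields = ds_line.split()
    i = fields.index("DS")                    # skips owner, optional TTL and class
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()  # a pasted digest may be wrapped
    if dtype != 2:
        return ["digest type (only SHA-256, type 2, is handled here)"]
    want = expected_ds(name, flags, protocol, algorithm, pubkey_b64)
    got = (tag, alg, dtype, digest)
    labels = ("key tag", "algorithm", "digest type", "digest")
    return [lbl for lbl, g, w in zip(labels, got, want) if g != w]

# Constructed sample: 64 placeholder bytes standing in for an algorithm 13 key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    tag, alg, dtype, digest = expected_ds("example.com.", 257, 3, 13, SAMPLE_KEY)
    good = f"example.com. IN DS {tag} {alg} {dtype} {digest}"
    typo = good[:-1] + ("0" if good[-1] != "0" else "1")  # one mistyped hex digit
    print(good, check_ds(good, "example.com", 257, 3, 13, SAMPLE_KEY))
    print(typo, check_ds(typo, "example.com", 257, 3, 13, SAMPLE_KEY))
```

To use it on a real zone, take the flags, protocol, algorithm and key from the flags-257 record in the output of dig DNSKEY example.com and pass the DS line exactly as entered at the registrar.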

Validation Failures

Wait for full propagation (up to 48 hours). Use our chain of trust verifier to check each link.

Can't Find DS Records in Registrar

Some registrars don't support DNSSEC. You may need to transfer your domain to a registrar that supports it, or use Cloudflare Registrar which fully supports DNSSEC.

Next Steps

Once DNSSEC is enabled: