{"id":1696,"date":"2020-06-08T01:06:23","date_gmt":"2020-06-07T17:06:23","guid":{"rendered":"https:\/\/www.wesbytes.com\/guide\/?post_type=kb&#038;p=1696"},"modified":"2026-03-26T12:38:21","modified_gmt":"2026-03-26T04:38:21","slug":"understanding-and-configuring-dnssec","status":"publish","type":"kb","link":"https:\/\/www.servergigabit.com\/guide\/kb\/understanding-and-configuring-dnssec","title":{"rendered":"DNSSEC: 7 Essential Steps to Secure Your Domain in Cloudflare"},"content":{"rendered":"<h3><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/blog.apnic.net\/wp-content\/uploads\/2019\/03\/DNSSEC_up_banner-555x202.png?v=63e48127bfc7e96cfbb2d41d1dc0767ca0f509fb09d2be559e8371d1387b5b96\" alt=\"configuring DNSSEC in cloudflare\" width=\"555\" height=\"202\" \/><\/h3>\n<h3><strong>Understanding and Configuring DNSSEC in Cloudflare DNS<\/strong><\/h3>\n<p>DNSSEC adds an authentication layer to an otherwise insecure DNS infrastructure. It lets validating resolvers verify that the answers they receive for your domain were signed with your zone\u2019s keys and were not altered in transit, so visitors are directed to your real web server rather than to a forged address, defeating man-in-the-middle tampering, cache poisoning and other types of DNS forgery. Two caveats: DNSSEC does not encrypt DNS traffic, and it protects only clients whose resolver actually validates signatures.<\/p>\n<p>For more in-depth information, see the\u00a0Learn more about DNSSEC\u00a0section at the end of this article.<\/p>\n<p>When you enable DNSSEC, <a href=\"https:\/\/www.cloudflare.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Cloudflare<\/a>:<\/p>\n<ul>\n<li>Signs your zone<\/li>\n<li>Publishes your public signing keys (DNSKEY records)<\/li>\n<li>Generates your DS record (a hash of your key-signing key, which must be published in the parent zone)<\/li>\n<\/ul>\n<p>Note that not all registrars and top-level domains (TLDs) support DNSSEC. 
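<\/p>
<p>What the generated DS record actually is: the key tag, the algorithm number (13), a digest type (2 means SHA-256) and a hash over the owner name plus the RDATA of the zone\u2019s key-signing DNSKEY (RFC 4034, RFC 4509). The Python below is an added example, not Cloudflare\u2019s code or this site\u2019s, that computes a DS from a DNSKEY and checks a DS string against it; the zone name example.com, the 64 filler key bytes (not a real P-256 public key) and all function names are constructed for illustration. It also handles digest type 1 (SHA-1), which matters for registrars that recompute the digest.<\/p>

```python
# Added example (not Cloudflare's code): derive a DS record from a DNSKEY and
# check a DS string against it. Follows RFC 4034 (key tag, DS digest input)
# and RFC 4509 (SHA-256 digest type 2). Standard library only.
import base64
import hashlib

# IANA DS digest type numbers -> hash constructors. Type 2 (SHA-256) is what
# Cloudflare shows; type 1 (SHA-1) is what some registrars recompute.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample input (hypothetical zone; 64 filler bytes of the right
# length for algorithm 13, NOT a real P-256 public key).
SAMPLE_OWNER = 'example.com.'
SAMPLE_DNSKEY = '257 3 13 ' + base64.b64encode(bytes(range(64))).decode('ascii')


def name_to_wire(name):
    '''Canonical wire form of an owner name: lowercase labels, each
    prefixed by its length byte, terminated by the empty root label.'''
    out = b''
    for label in name.lower().rstrip('.').split('.'):
        if label:
            raw = label.encode('ascii')
            out += bytes([len(raw)]) + raw
    return out + bytes([0])


def parse_dnskey(text):
    '''Presentation form 'flags protocol algorithm base64...' -> fields.'''
    parts = text.split()
    return int(parts[0]), int(parts[1]), int(parts[2]), ''.join(parts[3:])


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    '''Wire-format RDATA of a DNSKEY: 2-byte flags, protocol, algorithm, key.'''
    key = base64.b64decode(''.join(pubkey_b64.split()))
    return bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + key


def key_tag(rdata):
    '''Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with the
    carry folded back in. It is an identifier, not a security property.'''
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    '''DS fields (key tag, algorithm, digest type, hex digest) for a DNSKEY.
    The digest covers the owner name in wire form followed by the DNSKEY RDATA.'''
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_text(fields):
    '''Presentation form of DS fields, as a registrar or dig would show it.'''
    return '%d %d %d %s' % fields


def ds_matches(owner, dnskey_text, ds_text_in):
    '''True if the DS string (from the dashboard, the registrar, or
    dig DS zone) was derived from this DNSKEY. Digests are compared
    case-insensitively and ignoring whitespace, which dig may insert.'''
    parts = ds_text_in.split()
    tag, alg, dtype = int(parts[0]), int(parts[1]), int(parts[2])
    digest = ''.join(parts[3:]).lower()
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type: cannot be verified here
    computed = make_ds(owner, *parse_dnskey(dnskey_text), digest_type=dtype)
    return computed == (tag, alg, dtype, digest)


def sample_ds():
    '''DS fields for the constructed sample key (SHA-256).'''
    return make_ds(SAMPLE_OWNER, *parse_dnskey(SAMPLE_DNSKEY))


if __name__ == '__main__':
    ds = sample_ds()
    print(SAMPLE_OWNER, 'IN DS', ds_text(ds))
    print('matches own DS:', ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY, ds_text(ds)))
    # A single changed hex digit in the digest must be rejected.
    bad = ds_text(ds[:3] + (('1' if ds[3][0] == '0' else '0') + ds[3][1:],))
    print('matches tampered DS:', ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY, bad))
```

<p>To use it on a live zone: dig +short DNSKEY yourzone returns the zone\u2019s keys (the key-signing key is the line whose flags are 257), and dig +short DS yourzone returns what the parent publishes (before the registrar step, use the value from the Cloudflare DNSSEC panel instead). Pass the zone name, the KSK line and the DS line to ds_matches. A result of False means the DS does not belong to the key Cloudflare signs with; once such a DS is live at the parent, validating resolvers treat the zone as bogus and answer SERVFAIL, so fix it before it propagates.<\/p>
<p>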
To explore your options, see\u00a0What if my registrar or TLD doesn\u2019t support DNSSEC?<\/p>\n<p>Enabling DNSSEC for your domain requires enabling DNSSEC in Cloudflare and adding a special record (the DS record) to your domain\u2019s configuration at the registrar, which passes it on to the TLD registry for publication in the parent zone.<\/p>\n<p>Cloudflare supports setting up DNSSEC automatically (via the CDS and CDNSKEY record types, with which the child zone publishes its own desired DS data for the parent registry to pick up) without requiring customers to manually upload a DS record for domains registered under these top-level domains:<\/p>\n<ul>\n<li>.ch<\/li>\n<li>.cz<\/li>\n<\/ul>\n<p>Below are the two steps required for adding DNSSEC support to a domain whose DNS is hosted at Cloudflare.<\/p>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">Step 1 \u2013 Enable DNSSEC in Cloudflare DNS<\/h2>\n<\/div>\n<p>By enabling DNSSEC first in the Cloudflare dashboard, you\u2019re asking Cloudflare to generate the data necessary for adding a delegation signer (DS) record to your domain at the registrar.<\/p>\n<p>Cloudflare signs with DNSSEC algorithm 13 (ECDSAP256SHA256: ECDSA on curve P-256 with SHA-256). This is a signing algorithm, not a cipher suite, and some registrars still do not accept DS records for it. Note that some registrars support a different set of algorithms depending on the TLD. If your registrar or TLD registry doesn\u2019t support Algorithm 13, see\u00a0What if my registrar or TLD doesn\u2019t support DNSSEC?<\/p>\n<p>To obtain the Cloudflare DS record data:<\/p>\n<p>1. Log in to the Cloudflare dashboard.<\/p>\n<p>2. Ensure the website for which you need the DS record is selected.<\/p>\n<p>3. Click the\u00a0<strong>DNS<\/strong>\u00a0app.<\/p>\n<p>4. Scroll down to the\u00a0<strong>DNSSEC<\/strong>\u00a0panel.<\/p>\n<p>5. Click\u00a0<strong>Enable DNSSEC.\u00a0<\/strong>You will see a dialog informing you that your configuration is pending until the DS record is added at your registrar.<\/p>\n<p>6. Next, click to expand the\u00a0<strong>DS Record<\/strong>\u00a0dropdown in the\u00a0<strong>DNSSEC<\/strong>\u00a0panel.<\/p>\n<p>7. 
Copy the DS record information displayed, as you will need it for Step 2 below.<\/p>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">Step 2 \u2013 Add a DS record to your registrar<\/h2>\n<\/div>\n<p>After completing Step 1 above, you should have the Cloudflare-generated DS data handy to complete this step.<\/p>\n<p>To complete your DNSSEC configuration, your domain must have a DS record published at the registrar, which submits it to the TLD registry for inclusion in the parent zone. Whatever form a registrar\u2019s interface takes, the four fields are always the same: key tag, algorithm (13), digest type (2 for SHA-256) and the hex digest; enter them exactly as Cloudflare shows them. Find your registrar below and follow the instructions provided.<\/p>\n<table>\n<thead>\n<tr>\n<td width=\"25%\"><strong>Registrar<\/strong><\/td>\n<td><strong>Instructions<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>123 Reg<\/strong><\/td>\n<td>Contact your registrar\u2019s customer support and provide the DS record data you received from Cloudflare.<\/td>\n<\/tr>\n<tr>\n<td><strong>DNSimple<\/strong><\/td>\n<td>Using CloudFlare DNSSEC with DNSimple<\/td>\n<\/tr>\n<tr>\n<td><strong>domaindiscount24<\/strong><\/td>\n<td>DNSSEC<\/td>\n<\/tr>\n<tr>\n<td><strong>dotster<\/strong><\/td>\n<td>Contact your registrar\u2019s customer support and provide the DS record data you received from Cloudflare.<\/td>\n<\/tr>\n<tr>\n<td><strong>DreamHost<\/strong><\/td>\n<td>DNSSEC overview. In DreamHost, use\u00a0<em>2<\/em>\u00a0as the Digest Type instead of\u00a0<em>SHA256<\/em>; 2 is the IANA number for the SHA-256 digest type.<\/td>\n<\/tr>\n<tr>\n<td><strong>dynadot<\/strong><\/td>\n<td>How do I set up DNSSEC?<\/td>\n<\/tr>\n<tr>\n<td><strong>enom<\/strong><\/td>\n<td>Adding a DNSSEC to a Domain Name<\/td>\n<\/tr>\n<tr>\n<td><strong>gandi<\/strong><\/td>\n<td>DNSSEC. In gandi, make sure you select Algorithm 13 in the Algorithm dropdown.<\/td>\n<\/tr>\n<tr>\n<td><strong>GoDaddy<\/strong><\/td>\n<td>Add a DS record<\/td>\n<\/tr>\n<tr>\n<td><strong>godzone<\/strong><\/td>\n<td>Contact your registrar\u2019s customer support and provide the DS record data you received from Cloudflare. In the godzone web control 
panel, you might be able to add a DS record under the\u00a0<strong>Domains<\/strong>\u00a0tab.<\/td>\n<\/tr>\n<tr>\n<td><strong>Google Domains<\/strong><\/td>\n<td>Setting Up DNSSEC security. See the instructions for custom name servers.<\/td>\n<\/tr>\n<tr>\n<td><strong>hover<\/strong><\/td>\n<td>Understanding and managing DNSSEC<\/td>\n<\/tr>\n<tr>\n<td><strong>internet.bs<\/strong><\/td>\n<td><p>Contact your registrar\u2019s customer support and provide the DS record data you received from Cloudflare. You might be able to add a DS record:<\/p>\n<p>My Domains &gt; Update DNS List &gt; Manage DNSSEC &gt; Enable DNSSEC<\/p><\/td>\n<\/tr>\n<tr>\n<td><strong>Joker.com<\/strong><\/td>\n<td>DNSSEC Support. In Joker.com, use\u00a0<em>2<\/em>\u00a0as the Digest Type instead of\u00a0<em>SHA256<\/em>.<\/td>\n<\/tr>\n<tr>\n<td><strong>MarkMonitor<\/strong><\/td>\n<td><p>MarkMonitor supports Algorithm 13 and uses the Extensible Provisioning Protocol (EPP) to pass DS records automatically to the registry for the following TLDs: .com, .biz, .net, .org, .us, .eu, .fr, .de, .co, .lu, .ch, .be, .li, .co.uk, .wf, .tf, .pm, .yt, .se, .af, .cx, .gs, .hn, .ki, .nf, .sb, .tl, .re<\/p>\n<p>To add a DS record, enter the DS data in the\u00a0<strong>DNSSEC Details<\/strong>\u00a0panel of the MarkMonitor management portal.<\/p><\/td>\n<\/tr>\n<tr>\n<td><strong>Moniker<\/strong><\/td>\n<td><p>Contact your registrar\u2019s customer support and provide the DS record data you received from Cloudflare. You might be able to add a DS record:<\/p>\n<p>My Domains &gt; Advanced Settings &gt; DNSSEC &gt; DSData<\/p><\/td>\n<\/tr>\n<tr>\n<td><strong>name.com<\/strong><\/td>\n<td>Managing DNSSEC<\/td>\n<\/tr>\n<tr>\n<td><strong>namecheap<\/strong><\/td>\n<td>Managing DNSSEC for domains pointed to Custom DNS<\/td>\n<\/tr>\n<tr>\n<td><strong>nameISP<\/strong><\/td>\n<td>How do I enable DNSSEC for my domain? Enabling DNSSEC in nameISP does not require you to copy and paste the DS record data from your Cloudflare 
account.<\/td>\n<\/tr>\n<tr>\n<td><strong>namesilo<\/strong><\/td>\n<td>DS Records (DNSSEC)<\/td>\n<\/tr>\n<tr>\n<td><strong>OVH<\/strong><\/td>\n<td><p>OVH supports DNSSEC with Algorithm 13 through their API; see\u00a0the documentation. The API call returns a slightly different DS record, because OVH prefers SHA-1 (digest type 1) over SHA-256 (digest type 2): after you enter the DS record, OVH recalculates the digest with SHA-1. Your website keeps resolving, since validators are still required to accept SHA-1 DS digests (RFC 8624), but SHA-1 is deprecated for new delegations, so prefer SHA-256 wherever the registrar lets you choose.<\/p>\n<p>OVH also supports adding the DS record via their DNS Manager.<\/p><\/td>\n<\/tr>\n<tr>\n<td><strong>Public Domain Registry<\/strong><\/td>\n<td><p>Contact your registrar\u2019s customer support and provide the DS record data you received from Cloudflare. This registrar might support DNSSEC for only a limited set of TLDs.<\/p>\n<p>See\u00a0Adding Delegation Signer (DS) Records.<\/p><\/td>\n<\/tr>\n<tr>\n<td><strong>register.com<\/strong><\/td>\n<td>Contact your registrar\u2019s customer support and provide the DS record data you received from Cloudflare.<\/td>\n<\/tr>\n<tr>\n<td><strong>registro.br<\/strong><\/td>\n<td>DNS and DNSSEC tutorials\u00a0(in Portuguese)<\/td>\n<\/tr>\n<tr>\n<td><strong>Tsohost<\/strong><\/td>\n<td>Contact your registrar\u2019s customer support and provide the DS record data you received from Cloudflare.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">What if my registrar or TLD doesn\u2019t support DNSSEC?<\/h2>\n<\/div>\n<p>To enable DNSSEC, both your registrar and the registry (TLD) need to support DNSSEC with Cloudflare\u2019s preferred signing algorithm, Algorithm 13.<\/p>\n<p>Although ICANN requires registrars to support DNSSEC, and Algorithm 13 has been standardized for years (RFC 6605, published in 2012), some registrars and registries still do not support it.<\/p>\n<p>To try to get your registrar to support DNSSEC, you have three options:<\/p>\n<p>1. Contact your registrar and ask for DNSSEC with modern signing algorithms. 
Many registrars are waiting to add support until they see higher demand, so by reaching out you are letting them know that there is a need for DNSSEC with Algorithm 13.<\/p>\n<p>2. Transfer your domain to a registrar that supports DNSSEC with Algorithm 13, such as one of those listed in Step 2 above.<\/p>\n<p>3. Finally, you can file a complaint with ICANN, citing your registrar\u2019s lack of compliance. ICANN requires registrars to support DNSSEC with all available DS algorithm types.<\/p>\n<p>If support is\u00a0lacking at the TLD level, try option 1 above. You can find the contact information for your TLD registry in the\u00a0IANA Root Zone Database.<\/p>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\"><a href=\"https:\/\/www.servergigabit.com\/guide\/\">Learn more<\/a> about DNSSEC<\/h2>\n<\/div>\n<ul>\n<li>Cloudflare DNSSEC<\/li>\n<li>Troubleshooting DNSSEC<\/li>\n<li>Blog \u2013\u00a0Announcing Universal DNSSEC: Secure DNS for Every Domain<\/li>\n<li>Blog \u2013\u00a0Introduction to DNSSEC<\/li>\n<li>About Algorithm 13 support \u2013\u00a0ECDSA: The missing piece of DNSSEC<\/li>\n<li>List of TLDs with no DNSSEC support<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Understanding and Configuring DNSSEC in Cloudflare DNS DNSSEC adds an authentication layer to an otherwise insecure DNS infrastructure. It lets validating resolvers verify that the answers they receive for your domain were signed with your zone\u2019s keys and were not altered in transit, so visitors are directed to your real web server rather than to a forged address, defeating man-in-the-middle tampering, cache poisoning and other types of DNS forgery. 
For more in-depth information, see the\u00a0Learn more about DNSSEC\u00a0section at the end of&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"kbtopic":[43],"kbtag":[1390],"class_list":["post-1696","kb","type-kb","status-publish","hentry","kbtopic-cloudflare","kbtag-dnssec"],"_links":{"self":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/comments?post=1696"}],"version-history":[{"count":5,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1696\/revisions"}],"predecessor-version":[{"id":6405,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1696\/revisions\/6405"}],"wp:attachment":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/media?parent=1696"}],"wp:term":[{"taxonomy":"kbtopic","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=1696"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtag?post=1696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}