Understanding and Configuring DNSSEC in Cloudflare DNS
DNSSEC adds an authentication layer to an otherwise insecure DNS infrastructure. It guarantees that visitors are directed to your web server when they type your domain into a web browser, which prevents man-in-the-middle attacks and other types of DNS forgery.
For more in-depth information, see the Learn more about DNSSEC section at the end of this article.
When you enable DNSSEC, Cloudflare:
- Signs your zone
- Publishes your public signing keys
- Generates your DS record
Note that not all registrars and top-level domains (TLD) support DNSSEC. To explore your options, see What if my registrar or TLD doesn’t support DNSSEC?
Enabling DNSSEC for your domain requires enabling DNSSEC in Cloudflare and adding a special record to your DNS configuration at the registrar.
Cloudflare supports setting up DNSSEC automatically (via CDS and CDNSKEY record types) without requiring customers to manually upload a DS record for domains registered under these top-level domains:
- .ch
- .cz
Below are the two steps required for adding DNSSEC support to your Cloudflare proxied domain.
Step 1 – Enable DNSSEC in Cloudflare DNS
By enabling DNSSEC first in the Cloudflare dashboard, you’re asking Cloudflare to generate the data necessary for adding a delegation signer (DS) record to your domain at the registrar.
Cloudflare’s chosen signing algorithm (Algorithm 13, also known as ECDSA Curve P-256 with SHA-256) is not supported by some registrars. Note that some registrars support a different set of verification algorithms depending on the TLD. If your registrar or TLD registry doesn’t support Algorithm 13, see What if my registrar or TLD doesn’t support DNSSEC?
To obtain the Cloudflare DS record data:
1. Log in to the Cloudflare dashboard.
2. Ensure the website for the DS record you need is selected.
3. Click the DNS app.
4. Scroll down to the DNSSEC panel.
5. Click Enable DNSSEC. You will see a dialog informing you that your configuration is pending until the DS record is added at your registrar.
6. Next, click to expand the DS Record dropdown in the DNSSEC panel.
7. Copy the DS record information displayed as you will need it for Step 2 below.
Step 2 – Add a DS record to your registrar
After completing Step 1 above, you should have the Cloudflare-generated DS data handy to complete this step.
To complete your DNSSEC configuration, it is necessary for your domain to have a DS record in your domain DNS configuration at the registrar. Find your registrar below and follow the instructions provided.
| Registrar | Instructions |
| --- | --- |
| 123 Reg | Contact your registrar’s customer support and provide the DS record data you received from Cloudflare. |
| DNSimple | Using CloudFlare DNSSEC with DNSimple |
| domaindiscount24 | DNSSEC |
| dotster | Contact your registrar’s customer support and provide the DS record data you received from Cloudflare. |
| DreamHost | DNSSEC overview. In DreamHost, use 2 as the Digest Type instead of SHA256. |
| dynadot | How do I set up DNSSEC? |
| enom | Adding a DNSSEC to a Domain Name |
| gandi | DNSSEC. In gandi, make sure you select Algorithm 13 in the Algorithm dropdown. |
| GoDaddy | Add a DS record |
| godzone | Contact your registrar’s customer support and provide the DS record data you received from Cloudflare. In the godzone web control panel, you might be able to add a DS record under the Domains tab. |
| Google Domains | Setting Up DNSSEC security. See the instructions for Custom name servers. |
| hover | Understanding and managing DNSSEC |
| internet.bs | Contact your registrar’s customer support and provide the DS record data you received from Cloudflare. You might be able to add a DS record under My Domains > Update DNS List > Manage DNSSEC > Enable DNSSEC. |
| Joker.com | DNSSEC Support. In Joker.com, use 2 as the Digest Type instead of SHA256. |
| MarkMonitor | MarkMonitor supports verification Algorithm 13 and automatically uses the Extensible Provisioning Protocol (EPP) to pass DS records to the registry for the following TLDs: .com, .biz, .net, .org, .us, .eu, .fr, .de, .co, .lu, .ch, .be, .li, .co.uk, .wf, .tf, .pm, .yt, .se, .af, .cx, .gs, .hn, .ki, .nf, .sb, .tl, .re. To add a DS record, enter the DS data in the DNSSEC Details panel of the MarkMonitor management portal. |
| Moniker | Contact your registrar’s customer support and provide the DS record data you received from Cloudflare. You might be able to add a DS record under My Domains > Advanced Settings > DNSSEC > DSData. |
| name.com | Managing DNSSEC |
| namecheap | Managing DNSSEC for domains pointed to Custom DNS |
| nameISP | How do I enable DNSSEC for my domain? Enabling DNSSEC in nameISP does not require you to copy and paste the DS record data from your Cloudflare account. |
| namesilo | DS Records (DNSSEC) |
| OVH | OVH supports DNSSEC with Algorithm 13 through their API. See the documentation. The API call returns a slightly different DS record because OVH prefers SHA-1 over SHA-256: after you enter the DS record, OVH recalculates the DS digest using SHA-1. This will not cause any problems with your website. OVH also supports adding the DS record via their DNS Manager. |
| Public Domain Registry | Contact your registrar’s customer support and provide the DS record data you received from Cloudflare. This registrar might support a limited set of TLDs. See Adding Delegation Signer (DS) Records. |
| register.com | Contact your registrar’s customer support and provide the DS record data you received from Cloudflare. |
| registro.br | DNS e DNSSEC Tutoriais (in Portuguese) |
| Tsohost | Contact your registrar’s customer support and provide the DS record data you received from Cloudflare. |
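The DS record you paste at the registrar is only useful if its key tag and digest really correspond to the DNSKEY Cloudflare publishes for your zone. The following added example (not Cloudflare code or any registrar’s code) rebuilds the DS from a DNSKEY per RFC 4034 and checks a pasted DS against it, covering both digest type 2 (SHA-256, what Cloudflare shows, and what DreamHost and Joker.com call "2") and digest type 1 (the SHA-1 form OVH recalculates). The owner name and the DNSKEY are constructed sample values, not a real key.

```python
import hashlib

# Constructed sample of a DNSKEY as Cloudflare publishes it for a signed zone:
# flags 257 (key-signing key), protocol 3, Algorithm 13. The 64-byte public key
# is a placeholder byte pattern, not a real ECDSA P-256 key.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13, "key": bytes(range(64))}
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034 / RFC 4509)

def owner_to_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root byte."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(dnskey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return (dnskey["flags"].to_bytes(2, "big")
            + bytes([dnskey["protocol"], dnskey["algorithm"]]) + dnskey["key"])

def key_tag(dnskey):
    """Key tag per RFC 4034 Appendix B (the form used for all non-RSA/MD5 algorithms)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(dnskey)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, dnskey, digest_type=2):
    """DS presentation text '<key tag> <algorithm> <digest type> <digest>' (RFC 4034 5.1.4)."""
    digest = DIGEST_TYPES[digest_type](owner_to_wire(owner) + dnskey_rdata(dnskey)).hexdigest()
    return f"{key_tag(dnskey)} {dnskey['algorithm']} {digest_type} {digest.upper()}"

def check_ds(ds_text, owner, dnskey):
    """Compare a DS (as pasted at the registrar) to the zone's DNSKEY; [] means it matches."""
    parts = ds_text.split()
    if len(parts) != 4:
        return ["DS needs four fields: key tag, algorithm, digest type, digest"]
    tag, alg, dtype, digest = parts
    problems = []
    if alg != "13":
        problems.append(f"algorithm {alg} is not 13 (ECDSA P-256 with SHA-256)")
    if dtype not in ("1", "2"):
        return problems + [f"digest type {dtype} is not 1 (SHA-1) or 2 (SHA-256)"]
    expected = ds_from_dnskey(owner, dnskey, int(dtype)).split()
    if tag != expected[0]:
        problems.append(f"key tag {tag} does not match DNSKEY key tag {expected[0]}")
    if digest.upper() != expected[3]:
        problems.append("digest does not match the DNSKEY (wrong key, owner name or digest type)")
    return problems
```

Run `check_ds` with the DS text from the Cloudflare DNSSEC panel and the DNSKEY your zone actually serves; a non-empty result means the delegation would fail validation once the registry publishes it.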
What if my registrar or TLD doesn’t support DNSSEC?
To enable DNSSEC, both your registrar and registry (TLD) need to support DNSSEC with Cloudflare’s preferred algorithm, Algorithm 13.
Although DNSSEC support is required by ICANN and Algorithm 13 has been standardized for years, some registrars and registries do not support these protocols yet.
To try to get your registrar to support DNSSEC, you have three options:
1. Contact your registrar to ask for DNSSEC with modern signing algorithms. Many registrars are waiting to add support until they see higher demand, so by reaching out you are letting them know that there is a need for DNSSEC with Algorithm 13.
2. Transfer your domain to a different registrar that supports DNSSEC with Algorithm 13, as listed in Step 2 above.
3. Finally, you can file a complaint with ICANN, citing your registrar’s lack of compliance. ICANN requires registrars to support DNSSEC with all available DS algorithm types.
If support is lacking at the TLD level, try option 1 above. You can find the contact information for your TLD registry in the IANA Root Zone Database.
Learn more about DNSSEC
- Cloudflare DNSSEC
- Troubleshooting DNSSEC
- Blog – Announcing Universal DNSSEC: Secure DNS for Every Domain
- Blog – Introduction to DNSSEC
- About Algorithm 13 support – ECDSA: The missing piece of DNSSEC
- List of TLDs with no DNSSEC support