Set up DNSSEC

DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring requests are not routed to a spoofed domain.

Enable DNSSEC

When you enable DNSSEC, Cloudflare signs your zone, publishes your public signing keys, and generates your DS record.

Log in to the Cloudflare dashboard and select your account and domain.
Go to DNS.
For DNSSEC, click Enable DNSSEC.
In the dialog, you have access to several necessary values to help you create a DS record at your registrar. Once you close the dialog, you can access this information by clicking DS record on the DNSSEC card.

You now need to add a DS record to your registrar.

Provider-specific instructions

This is not an exhaustive list, but the following links may be helpful:

Note:

Cloudflare automatically adds DS records for domains using Cloudflare Registrar or those using .ch and .cz top-level domains.

For more help with DNSSEC, refer to Troubleshooting DNSSEC.

If your registrar does not support DNSSEC with Cloudflare’s preferred cipher choice (Algorithm 13), you have several options:

Contact your registrar to ask for DNSSEC with modern encryption.
Transfer your domain to a different registrar that supports DNSSEC with Algorithm 13
File a complaint with ICANN, citing your registrar’s lack of compliance.

If your top-level domain does not support DNSSEC with Algorithm 13, contact that top-level domain.