Set up DNSSEC
DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring requests are not routed to a spoofed domain.
Enable DNSSEC
When you enable DNSSEC, Cloudflare signs your zone, publishes your public signing keys, and generates your DS record.
Step 1 — Activate DNSSEC in Cloudflare
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to DNS.
- For DNSSEC, click Enable DNSSEC.
- The dialog shows the values you need to create a DS record at your registrar. After you close the dialog, you can access this information again by clicking DS record on the DNSSEC card.
Step 2 — Add DS record to your registrar
You now need to add a DS record at your registrar.
Provider-specific instructions
This is not an exhaustive list, but the following links may be helpful:
Troubleshooting
For more help with DNSSEC, refer to Troubleshooting DNSSEC.
Limitations
If your registrar does not support DNSSEC with Cloudflare’s preferred signing algorithm (Algorithm 13), you have several options:
- Contact your registrar to ask for DNSSEC with a modern signing algorithm.
- Transfer your domain to a different registrar that supports DNSSEC with Algorithm 13.
- File a complaint with ICANN, citing your registrar’s lack of compliance.
If your top-level domain does not support DNSSEC with Algorithm 13, contact that top-level domain.