Understanding and Configuring DNSSEC in Cloudflare DNS

Last modified: June 9, 2020

DNSSEC adds an authentication layer to DNS, which otherwise provides none. Every record set in your zone is signed, so a validating resolver can verify that an answer for your domain came from the zone’s signing key and was not altered in transit. A forged answer (for example from cache poisoning or an on-path attacker) fails validation and is discarded instead of sending visitors to an attacker’s server. Note that DNSSEC provides authentication and integrity only; it does not encrypt queries or hide them from observers.

For more in-depth information, see the Learn more about DNSSEC section at the end of this article.

When you enable DNSSEC, Cloudflare:

  • Signs your zone
  • Publishes your public signing keys
  • Generates your DS record

Note that not all registrars and top-level domains (TLD) support DNSSEC. To explore your options, see What if my registrar or TLD doesn’t support DNSSEC?

Enabling DNSSEC for your domain requires two things: enabling DNSSEC in Cloudflare, and adding the resulting delegation signer (DS) record to your domain’s configuration at the registrar.

Cloudflare supports setting up DNSSEC automatically (via CDS and CDNSKEY record types) without requiring customers to manually upload a DS record for domains registered under these top-level domains:

  • .ch
  • .cz

Below are the two steps required for adding DNSSEC support to your Cloudflare proxied domain.


Step 1 – Enable DNSSEC in Cloudflare DNS

By enabling DNSSEC first in the Cloudflare dashboard, you’re asking Cloudflare to generate the data necessary for adding a delegation signer (DS) record to your domain at the registrar.

Cloudflare signs zones with Algorithm 13 (ECDSA on the P-256 curve with SHA-256, standardized in RFC 6605). This is a DNSSEC signing algorithm rather than a cipher suite, and some registrars do not support it. Note also that a registrar may support a different set of algorithms depending on the TLD. If your registrar or TLD registry doesn’t support Algorithm 13, see What if my registrar or TLD doesn’t support DNSSEC?

To obtain the Cloudflare DS record data:

1. Log in to the Cloudflare dashboard.

2. Ensure the website for which you need the DS record is selected.

3. Click the DNS app.

4. Scroll down to the DNSSEC panel.

5. Click Enable DNSSEC. You will see a dialog informing you that your configuration is pending until the DS record is added at your registrar.

6. Next, click to expand the DS Record dropdown in the DNSSEC panel.

7. Copy the DS record information displayed as you will need it for Step 2 below.


Step 2 – Add a DS record to your registrar

After completing Step 1 above, you should have the Cloudflare-generated DS data handy to complete this step.

To complete your DNSSEC configuration, it is necessary for your domain to have a DS record in your domain DNS configuration at the registrar. Find your registrar below and follow the instructions provided.

Registrar: Instructions

123 Reg: Contact your registrar’s customer support and provide the DS record data you received from Cloudflare.

DNSimple: Using CloudFlare DNSSEC with DNSimple

domaindiscount24: DNSSEC

dotster: Contact your registrar’s customer support and provide the DS record data you received from Cloudflare.

DreamHost: DNSSEC overview
  In DreamHost, enter 2 as the Digest Type. 2 is the numeric IANA code for SHA-256, the digest Cloudflare generates, so this is the same value written as a number, not a different hash.

dynadot: How do I set up DNSSEC?

enom: Adding a DNSSEC to a Domain Name

gandi: DNSSEC
  In gandi, make sure you select Algorithm 13 in the Algorithm dropdown.

GoDaddy: Add a DS record

godzone: Contact your registrar’s customer support and provide the DS record data you received from Cloudflare.
  In the godzone web control panel, you might be able to add a DS record under the Domains tab.

Google Domains: Setting Up DNSSEC security
  See the instructions for Custom name servers.

hover: Understanding and managing DNSSEC

internet.bs: Contact your registrar’s customer support and provide the DS record data you received from Cloudflare.
  You might be able to add a DS record at: My Domains > Update DNS List > Manage DNSSEC > Enable DNSSEC

Joker.com: DNSSEC Support
  In Joker.com, enter 2 as the Digest Type (the numeric code for SHA-256).

MarkMonitor: MarkMonitor supports Algorithm 13 and passes DS records to the registry automatically over the Extensible Provisioning Protocol (EPP) for the following TLDs:
  .com, .biz, .net, .org, .us, .eu, .fr, .de, .co, .lu, .ch, .be, .li, .co.uk, .wf, .tf, .pm, .yt, .se, .af, .cx, .gs, .hn, .ki, .nf, .sb, .tl, .re
  To add a DS record, enter the DS data in the DNSSEC Details panel of the MarkMonitor management portal.

Moniker: Contact your registrar’s customer support and provide the DS record data you received from Cloudflare.
  You might be able to add a DS record at: My Domains > Advanced Settings > DNSSEC > DSData

name.com: Managing DNSSEC

namecheap: Managing DNSSEC for domains pointed to Custom DNS

nameISP: How do I enable DNSSEC for my domain?
  Enabling DNSSEC in nameISP does not require you to copy and paste the DS record data from your Cloudflare account.

namesilo: DS Records (DNSSEC)

OVH: OVH supports DNSSEC with Algorithm 13 through their API. See the documentation.
  The API returns a slightly different DS record because OVH computes the digest with SHA-1 (digest type 1) rather than SHA-256 (digest type 2): after you enter the Cloudflare DS record, OVH recalculates the digest with SHA-1. The recalculated DS still identifies the same DNSKEY, so validation and your website keep working. SHA-1 is, however, deprecated for new DS records (RFC 8624), so prefer SHA-256 wherever the registrar lets you choose.
  OVH also supports adding the DS record via their DNS Manager.

Public Domain Registry: Contact your registrar’s customer support and provide the DS record data you received from Cloudflare.
  This registrar might support DNSSEC only for a limited set of TLDs. See Adding Delegation Signer (DS) Records.

register.com: Contact your registrar’s customer support and provide the DS record data you received from Cloudflare.

registro.br: DNS e DNSSEC Tutoriais (DNS and DNSSEC tutorials, in Portuguese)

Tsohost: Contact your registrar’s customer support and provide the DS record data you received from Cloudflare.
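
Several of the registrar notes above come down to the same question: is the DS record the registrar ended up publishing a correct digest of the DNSKEY Cloudflare serves, given that one form wants the digest type as the number 2, another recomputes the digest with SHA-1, and a key tag or digest copied with a typo will silently break validation? The following Python is an added example written for this article, not Cloudflare code: it builds the DS RDATA exactly as RFC 4034 defines it (key tag from Appendix B, digest over the canonical owner name followed by the DNSKEY RDATA) and checks a DS record against a DNSKEY field by field. The owner name and DNSKEY are constructed for illustration (a placeholder 64-byte public key, the size of an Algorithm 13 key), not a real Cloudflare key. The same RDATA layout is what a CDS record carries, so the helper also shows what the automated CDS/CDNSKEY path for .ch and .cz publishes on your behalf.

```python
"""Compute and verify a DNSSEC DS record from a DNSKEY (RFC 4034 section 5 and Appendix B).

Added example for this article; not Cloudflare code. SAMPLE_OWNER and SAMPLE_DNSKEY are
constructed for illustration (a placeholder public key), not a real zone or key.
"""
import base64
import hashlib
import struct

# IANA DS digest type codes. Registrar forms that want a numeric "Digest Type" take 2
# for SHA-256 (what the Cloudflare dashboard shows) or 1 for SHA-1 (what OVH recalculates).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample: KSK flags (257), protocol 3, algorithm 13 (ECDSA P-256 with SHA-256)
# and a placeholder 64-byte public key (x||y of the curve point), base64 as in a zone file.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode("ascii")


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    if any(len(lbl) > 63 for lbl in labels):
        raise ValueError("DNS label longer than 63 octets")
    return b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): a 16-bit checksum over the whole DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, dnskey_presentation: str, digest_type: int = 2) -> str:
    """Build the DS presentation text "<key tag> <algorithm> <digest type> <hex digest>"
    for a DNSKEY given in zone-file form "<flags> <protocol> <algorithm> <base64 key>".
    The digest is computed over owner name (wire form) || DNSKEY RDATA."""
    flags, proto, alg, *b64 = dnskey_presentation.split()
    pubkey = base64.b64decode("".join(b64))
    rdata = dnskey_rdata(int(flags), int(proto), int(alg), pubkey)
    digest = DIGEST_ALGOS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {int(alg)} {digest_type} {digest}"


def ds_matches_dnskey(owner: str, dnskey_presentation: str, ds_presentation: str) -> bool:
    """True if a DS record (as published by the registrar at the parent) is a correct digest
    of this DNSKEY. All four fields must agree, so a wrong key tag, algorithm or digest
    fails; a digest type this code cannot compute is reported as a failure, not an error."""
    tag, alg, dtype, *hexdigest = ds_presentation.split()
    if int(dtype) not in DIGEST_ALGOS:
        return False
    expected = ds_from_dnskey(owner, dnskey_presentation, int(dtype))
    supplied = f"{int(tag)} {int(alg)} {int(dtype)} {''.join(hexdigest).upper()}"
    return supplied == expected


if __name__ == "__main__":
    # The DS line the Cloudflare dashboard would show for this key (digest type 2)...
    ds_sha256 = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY, 2)
    # ...and the SHA-1 variant a registrar such as OVH recomputes (digest type 1).
    ds_sha1 = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY, 1)
    print(SAMPLE_OWNER, "DS", ds_sha256)
    print(SAMPLE_OWNER, "DS", ds_sha1)
    print("sha256 DS matches:", ds_matches_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY, ds_sha256))
    print("sha1 DS matches:  ", ds_matches_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY, ds_sha1))
```

To use it on a real zone, paste the DNSKEY with flags 257 that `dig DNSKEY <your domain>` returns from Cloudflare’s name servers into `ds_from_dnskey`, and compare the result with the DS line in the Cloudflare DNSSEC panel and, once the registrar has published it, with `dig +short DS <your domain>`. The key tag and digest must match exactly; a DS that differs only in digest type (2 versus 1) still points at the same key, but one that differs in key tag or digest content will make every validating resolver reject your zone.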

What if my registrar or TLD doesn’t support DNSSEC?

To enable DNSSEC, both your registrar and the registry for your TLD need to support DNSSEC with Cloudflare’s preferred signing algorithm, Algorithm 13.

Although ICANN requires registrars to support DNSSEC, and Algorithm 13 has been standardized since 2012 (RFC 6605), some registrars and registries still do not support it.

To try to get your registrar to support DNSSEC, you have three options:

1. Contact your registrar and ask for DNSSEC with modern signing algorithms (DNSSEC signs records; it does not encrypt them). Many registrars are waiting to add support until they see higher demand, so by reaching out you let them know that there is a need for DNSSEC with Algorithm 13.

2. Transfer your domain to a registrar that supports DNSSEC with Algorithm 13, such as those listed in Step 2 above.

3. Finally, you can file a complaint with ICANN, citing your registrar’s lack of compliance. ICANN requires registrars to support DNSSEC with all available DS algorithm types.

If support is lacking at the TLD level, try option 1 above with the registry instead. You can find the contact information for your TLD registry in the IANA Root Zone Database.


Learn more about DNSSEC
  • Cloudflare DNSSEC
  • Troubleshooting DNSSEC
  • Blog – Announcing Universal DNSSEC: Secure DNS for Every Domain
  • Blog – Introduction to DNSSEC
  • About Algorithm 13 support – ECDSA: The missing piece of DNSSEC
  • List of TLDs with no DNSSEC support