Cloudflare provides one-click DNSSEC activation with automatic key management. This guide covers the complete process from enabling DNSSEC to submitting DS records at your registrar.
Step 1: Enable DNSSEC in Cloudflare Dashboard
Access DNS Settings
Log in to your Cloudflare dashboard and select the domain you want to secure. Navigate to DNS → Settings.
Enable DNSSEC
Find the DNSSEC section and click "Enable DNSSEC". Cloudflare will generate the necessary keys and sign your zone automatically.
Copy DS Record Details
Cloudflare displays the DS record information you need to add at your registrar. Copy all four fields: Key Tag, Algorithm, Digest Type, and Digest.
Step 2: Add DS Record at Your Registrar
The DS record must be added where your domain is registered, not where DNS is hosted. Common registrar instructions:
If Domain is Registered at Cloudflare
Cloudflare Registrar automatically adds the DS record—no manual action required. DNSSEC will be fully active within minutes.
Other Registrars
Log in to your registrar's control panel and locate the DNSSEC settings. Enter the values Cloudflare provided:
- Key Tag: A 5-digit number identifying the key
- Algorithm: Usually 13 (ECDSAP256SHA256)
- Digest Type: Usually 2 (SHA-256)
- Digest: A hexadecimal string
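The four values above are not arbitrary: all of them are derived from the zone's key-signing DNSKEY by the rules in RFC 4034, so they can be recomputed and compared with what was typed at the registrar. The following is an added example, not code from this guide or from Cloudflare: it parses a DNSKEY record in the text form `dig DNSKEY yourdomain.com` prints, computes the Key Tag and the SHA-256 Digest, and checks a set of DS values against it. The sample DNSKEY is constructed (placeholder key bytes, not a real key), and the function names are this example's own.

```python
import base64
import hashlib
import struct

# Added example: derives the DS fields (Key Tag, Algorithm, Digest Type, Digest)
# from a DNSKEY record per RFC 4034 so registrar entries can be cross-checked.


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = owner.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels if l) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag (the 16-bit checksum over the RDATA).
    Not valid for algorithm 1 (RSAMD5), which uses a different rule."""
    acc = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


# DS digest type values from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner, flags, protocol, algorithm, pubkey, digest_type=2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = DIGEST_ALGS[digest_type]()
    h.update(wire_name(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey))
    return h.hexdigest().upper()


def parse_dnskey_line(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...' as dig prints it."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split across fields
    return owner, flags, protocol, algorithm, pubkey


def ds_record_for(dnskey_line: str, digest_type: int = 2) -> dict:
    """The DS values a registrar needs for this DNSKEY (same four fields as the dashboard)."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey_line(dnskey_line)
    return {
        "key_tag": key_tag(flags, protocol, algorithm, pubkey),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": ds_digest(owner, flags, protocol, algorithm, pubkey, digest_type),
    }


def ds_matches(dnskey_line: str, tag, algorithm, digest_type, digest) -> bool:
    """True if the DS values entered at the registrar correspond to this DNSKEY."""
    expected = ds_record_for(dnskey_line, int(digest_type))
    return (expected["key_tag"] == int(tag)
            and expected["algorithm"] == int(algorithm)
            and expected["digest"] == digest.replace(" ", "").upper())


# Constructed sample: flags 257 = KSK (SEP bit set), protocol 3, algorithm 13 = ECDSAP256SHA256.
# The 64-byte "public key" is placeholder bytes, NOT a real key.
SAMPLE_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    ds = ds_record_for(SAMPLE_DNSKEY)
    print(f"example.com. IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
```

To use it against a real zone, paste the DNSKEY line with flags 257 from `dig DNSKEY yourdomain.com +short` (prefixed with the owner name) into `ds_record_for`, and compare the result with the values shown in the Cloudflare dashboard and with what the registrar stored; a mismatch in any field is the "DS record values were entered incorrectly" failure described later in this guide.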
Step 3: Verify DNSSEC is Working
After adding the DS record, propagation takes 10-60 minutes. Verify with:
dig +dnssec yourdomain.com
Look for the "ad" (authenticated data) flag in the response header. The flag is set only when the resolver you query performs DNSSEC validation, so if your default resolver does not validate, query one that does, for example dig +dnssec @1.1.1.1 yourdomain.com. You can also use online tools:
- Cloudflare DNSSEC check: the dashboard shows "Active" status
- DNSViz: visual analysis of the DNSSEC chain of trust
- Verisign DNSSEC Analyzer: step-by-step chain of trust check
Cloudflare DNSSEC Features
- Automatic Key Rotation: Cloudflare handles ZSK rollovers automatically
- NSEC3: Used for authenticated denial, preventing zone enumeration
- ECDSA P-256: Modern algorithm with small, efficient signatures
- One-Click Disable: Can quickly disable if issues arise. Remove the DS record at the registrar first and let it expire from caches before disabling signing, otherwise validating resolvers will fail the zone while the DS still points at keys that no longer sign it.
Troubleshooting
Status Shows "Pending"
DS record hasn't been detected at the registry yet. Wait up to 24 hours for propagation, then verify the DS was added correctly at your registrar.
DNSSEC Validation Failing
Common causes:
- DS record values were entered incorrectly
- DS record added to wrong domain
- Registrar expects the DS values in a specific format (for example, the digest without spaces)
See our DNSSEC Validation Failed troubleshooting guide.
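The "ad" check in Step 3 and the validation failures in this section can be told apart from a captured dig response. The following is an added example, not code from this guide or from Cloudflare: it classifies the header of a `dig +dnssec` response, and combines it with a second response taken with `+cd` (checking disabled), which asks the resolver to answer without validating. If the validated query returns SERVFAIL but the `+cd` query succeeds, the zone itself answers fine and the DNSSEC chain (DS, DNSKEY or RRSIG) is at fault, which is the case for every cause listed above. The sample responses are constructed in dig's output format, not real captures, and the function and constant names are this example's own.

```python
import re

# Added example: classify `dig +dnssec` responses to separate "resolver did not
# validate" from "resolver validated" from "validation failed".

VALIDATED = "validated"                    # ad flag set: resolver validated the chain
UNVALIDATED = "unvalidated"                # no ad flag: resolver does not validate, or no DS yet
VALIDATION_FAILED = "validation_failed"    # SERVFAIL: a validating resolver rejected the answer
DNSSEC_BROKEN = "dnssec_broken"            # SERVFAIL without +cd, NOERROR with +cd
SERVFAIL_NOT_DNSSEC = "servfail_not_dnssec"  # SERVFAIL even with +cd: not a DNSSEC problem


def response_status(text: str):
    """RCODE from the dig header line, e.g. NOERROR, SERVFAIL, NXDOMAIN."""
    m = re.search(r"status:\s*(\w+)", text)
    return m.group(1) if m else None


def response_flags(text: str) -> list:
    """Header flags from the ';; flags: ...;' line as a list of short names."""
    m = re.search(r";; flags:\s*([^;]*);", text)
    return m.group(1).split() if m else []


def classify_dig_output(text: str) -> str:
    if response_status(text) == "SERVFAIL":
        return VALIDATION_FAILED
    if "ad" in response_flags(text):
        return VALIDATED
    return UNVALIDATED


def diagnose(dnssec_output: str, cd_output: str = "") -> str:
    """Classify a `dig +dnssec` response; if it SERVFAILed and a `dig +dnssec +cd`
    response is supplied, use it to decide whether DNSSEC is the cause."""
    verdict = classify_dig_output(dnssec_output)
    if verdict != VALIDATION_FAILED or not cd_output:
        return verdict
    return DNSSEC_BROKEN if response_status(cd_output) == "NOERROR" else SERVFAIL_NOT_DNSSEC


# Constructed samples in dig's header format (not real captures).
SAMPLE_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

SAMPLE_NOT_VALIDATING = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

SAMPLE_CD_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12348
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(classify_dig_output(SAMPLE_OK))
    print(diagnose(SAMPLE_SERVFAIL, SAMPLE_CD_OK))
```

In practice, run `dig +dnssec @1.1.1.1 yourdomain.com` and, if it returns SERVFAIL, `dig +dnssec +cd @1.1.1.1 yourdomain.com`; feed both outputs to `diagnose`. A `dnssec_broken` result means the chain of trust is what to fix: recompute the DS from the zone's KSK and compare it with the registrar's entry before touching anything else.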