Validation and keys
Refer to the sections below for an overview of some technical concepts and how they apply to Cloudflare DNSSEC. For broader content on DNSSEC, refer to How DNSSEC works.
DNSSEC validation follows a chain of trust from the root DNS servers to your zone:
- A resolver queries your parent registry (for example, .com) for your DS record.
- The DS record contains a hash of your Key Signing Key (KSK).
- The resolver expects all Zone Signing Keys (ZSK) to be signed by that specific KSK.
- If Cloudflare uses a different KSK, validation fails when resolvers query Cloudflare nameservers.
This is why you cannot simply keep your existing DS record when migrating to Cloudflare. The cryptographic chain of trust requires either:
- Disabling DNSSEC before migration and re-enabling it on Cloudflare
- Using the multi-signer DNSSEC approach to coordinate keys between providers
When you enable DNSSEC, Cloudflare automatically publishes CDS (Child Delegation Signer) and CDNSKEY (Child DNSKEY) records in your zone. These records automate the chain of trust management between your domain and the Top-Level Domain registry.
| Record | Purpose | Contents |
|---|---|---|
| CDS | High-level instruction | A hashed version of the public key (same data as a DS record) |
| CDNSKEY | Public key instruction | The full public Key Signing Key (KSK) for the parent to generate its own DS record |
Registrars that support RFC 8078 periodically scan your domain for these records and automatically update the DS record at the registry level. This eliminates manual DS record management and ensures seamless key rollovers.
In DNSKEY records, the flags field identifies the key role:
- ZSKs (Zone Signing Keys): flag 256
- KSKs (Key Signing Keys): flag 257
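The chain-of-trust check, the CDS contents and the 256/257 flag distinction above can be exercised with a small stdlib-only script. This is an added example, not Cloudflare's code: it derives DS/CDS records (SHA-256 digest type 2) from DNSKEY records per RFC 4034, selects only flag-257 keys for the CDS set, and shows that a DS left at the registry for a previous provider's KSK does not match the KSKs a new provider serves. The owner name, algorithm number 13 and all key bytes are constructed placeholders.

```python
import base64
import hashlib
import struct

DIGEST_SHA256 = 2  # DS digest type 2 (SHA-256), the form used for the CDS record above


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels plus the root byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str) -> tuple[int, int, int, bytes]:
    """Parse presentation-format DNSKEY RDATA ('flags protocol algorithm base64key') into wire RDATA."""
    flags, protocol, algorithm, key_b64 = text.split(maxsplit=3)
    rdata = struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + base64.b64decode(key_b64)
    return int(flags), int(protocol), int(algorithm), rdata


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum of big-endian byte pairs with the carry folded in."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, dnskey_text: str) -> str:
    """DS/CDS presentation form for one DNSKEY: 'keytag algorithm digesttype hexdigest'."""
    _, _, algorithm, rdata = parse_dnskey(dnskey_text)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {DIGEST_SHA256} {digest}"


def cds_records(owner: str, dnskeys: list[str]) -> list[str]:
    """The CDS set a zone publishes: one DS-shaped record per KSK (flag 257); ZSKs (flag 256) are excluded."""
    return [ds_record(owner, k) for k in dnskeys if parse_dnskey(k)[0] == 257]


def parent_ds_matches(owner: str, dnskeys: list[str], parent_ds: list[str]) -> bool:
    """True if at least one DS held by the parent hashes a KSK actually served in the zone."""
    published = set(cds_records(owner, dnskeys))
    return any(" ".join(ds.split()) in published for ds in parent_ds)


# Constructed sample data: the base64 blobs are placeholders, not real keys for algorithm 13.
OWNER = "example.com."
NEW_PROVIDER_KEYS = ["257 3 13 AQIDBAUGBwg=", "256 3 13 CAcGBQQDAgE="]  # new KSK + ZSK
OLD_PROVIDER_DS = [ds_record(OWNER, "257 3 13 //8BAgMEBQY=")]           # stale DS at registry

if __name__ == "__main__":
    print("CDS published by the zone:", cds_records(OWNER, NEW_PROVIDER_KEYS))
    print("stale DS still matches a served KSK?", parent_ds_matches(OWNER, NEW_PROVIDER_KEYS, OLD_PROVIDER_DS))
```

A registrar implementing RFC 8078 effectively performs the reverse of `parent_ds_matches`: it reads the CDS set and replaces the registry DS with it, which is how the mismatch is resolved without manual DS edits.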