
DNSSEC for incoming zone transfers

DNS Security Extensions (DNSSEC) increase security by adding cryptographic signatures to DNS records. When you use multiple providers and Cloudflare is secondary, you have a few options to enable DNSSEC for records served by Cloudflare.

  • Multi-signer DNSSEC: Both Cloudflare and your primary DNS provider know each other's signing keys and perform their own live-signing of DNS records, in accordance with RFC 8901.
  • Live signing: If your domain is not delegated to your primary provider’s nameservers and Cloudflare secondary nameservers are the only nameservers authoritatively responding to DNS queries (hidden primary setup), you can choose this option to allow Cloudflare to perform live-signing of your DNS records.
  • Pre-signed: Your primary DNS provider signs records and transfers out the signatures. Cloudflare then serves these records and signatures as is, without doing any signing. Cloudflare only supports NSEC records (and not NSEC3 records), and this setup does not support Secondary DNS Overrides or Load Balancing.

Set up multi-signer DNSSEC

Refer to Set up multi-signer DNSSEC and follow the instructions, considering the note about Cloudflare as Secondary.

Set up live signing DNSSEC

If you use Cloudflare secondary nameservers as the only nameservers authoritatively responding to DNS queries (hidden primary setup), you can enable live signing DNSSEC to have Cloudflare sign the records for your zone.

In this setup, DNSSEC does not need to be enabled on your primary DNS provider.

  1. Log in to the Cloudflare dashboard and select your account and zone.

  2. Go to DNS > Settings.

  3. Under DNSSEC with Secondary DNS select Live signing. You will then have access to several necessary values to create a DS record at your registrar.

  4. Add the DS record to your registrar. If Algorithm 13 - Cloudflare’s preferred cipher choice - is not listed by your registrar, it may also be called ECDSA Curve P-256 with SHA-256.


Alternatively, using the API:

  1. Use the Edit DNSSEC Status endpoint and set a status of active for your zone.

         curl --request PATCH https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec \
           --header 'X-Auth-Email: <EMAIL>' \
           --header 'X-Auth-Key: <KEY>' \
           --header 'Content-Type: application/json' \
           --data '{
             "status": "active"
           }'

  2. Use the DNSSEC Details endpoint to get the necessary values to create a DS record at your registrar.

  3. Add the DS record to your registrar. If Algorithm 13 - Cloudflare’s preferred cipher choice - is not listed by your registrar, it may also be called ECDSA Curve P-256 with SHA-256.

Set up pre-signed DNSSEC

Prerequisites

  • Your secondary zone in Cloudflare already exists and zone transfers from your primary DNS provider are working correctly.
  • Your primary DNS provider supports DNSSEC using NSEC records (and not NSEC3).
  • Your primary DNS provider transfers out DNSSEC-related records, such as RRSIG, DNSKEY, and NSEC.

Steps

  1. Enable DNSSEC at your primary DNS provider.
  2. Enable DNSSEC for your zone at Cloudflare, using either the Dashboard or the API.

     Dashboard:

     a. Select your zone and go to DNS > Settings.

     b. Under DNSSEC with Secondary DNS select Pre-signed.

     API:

     Use the Edit DNSSEC Status endpoint and set the dnssec_presigned value to true.

         curl --request PATCH https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec \
           --header 'X-Auth-Email: <EMAIL>' \
           --header 'X-Auth-Key: <KEY>' \
           --header 'Content-Type: application/json' \
           --data '{
             "dnssec_presigned": true
           }'

  3. Make sure Cloudflare nameservers are added at your registrar. You can see your Cloudflare nameservers on the dashboard by going to DNS > Records.

  4. Make sure there is a DS record added at your registrar. The DS record is obtained from your primary DNS provider (the signer of the zone) and is what indicates to DNS resolvers that your zone has DNSSEC enabled.
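A DS record at the registrar that does not match the DNSKEY the zone is signed with causes validating resolvers to reject the zone, so it is worth checking the pair before publishing it. The following is an added example, not part of the Cloudflare documentation: it recomputes the key tag (RFC 4034, appendix B) and the SHA-256 DS digest (RFC 4509) from a DNSKEY and compares them with a DS record. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample: placeholder key bytes, not a real P-256 public key.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag of a DNSKEY (RFC 4034, appendix B; not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Canonical owner name: lowercase, uncompressed, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_problems(zone, ds_text, dnskey):
    """Compare a DS record ("tag alg digest_type digest") with a DNSKEY tuple
    (flags, protocol, algorithm, base64 key). Returns a list of mismatches."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    if int(dtype) != 2:
        return ["only digest type 2 (SHA-256) is handled in this example"]
    rdata = dnskey_rdata(*dnskey)
    problems = []
    if not dnskey[0] & 0x0100:
        problems.append("DNSKEY is not a zone key (flags bit 7 unset)")
    if int(alg) != dnskey[2]:
        problems.append(f"algorithm {alg} != DNSKEY algorithm {dnskey[2]}")
    if int(tag) != key_tag(rdata):
        problems.append(f"key tag {tag} != computed {key_tag(rdata)}")
    computed = hashlib.sha256(owner_wire(zone) + rdata).hexdigest()
    if digest.replace(" ", "").lower() != computed:
        problems.append("SHA-256 digest does not match owner name + DNSKEY RDATA")
    return problems

if __name__ == "__main__":
    ksk = (257, 3, 13, SAMPLE_PUBKEY)
    rdata = dnskey_rdata(*ksk)
    digest = hashlib.sha256(owner_wire("example.com") + rdata).hexdigest()
    print(ds_problems("example.com", f"{key_tag(rdata)} 13 2 {digest}", ksk))
    print(ds_problems("example.com", f"{key_tag(rdata)} 8 2 {digest}", ksk))
```

To use it on a real zone, pass the DNSKEY fields and the DS values exactly as your signer and your registrar display them.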