Cloudflare Docs
Learning Paths
Edit this page on GitHub
Set theme to dark (⇧+D)


  3 min read

DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring requests are not routed to a spoofed domain.

For additional background on DNSSEC, visit the Cloudflare Learning Center.

​​ Setup

Your DNSSEC setup can be different depending on where you registered your domain name:

​​ Cloudflare Registrar

Cloudflare Registrar offers one-click DNSSEC activation for free to all customers:

  1. Log in to the Cloudflare dashboard, and select your account.
  2. Select Domain Registration > Manage Domains.
  3. Find the domain you where you want to activate DNSSEC and select Manage.
  4. Select Configuration > Enable DNSSEC. If DNSSEC was previously activated, select Disable DNSSEC to disable it.

Cloudflare publishes delegation signer (DS) records in the form of CDS and CDNSKEY records for a domain delegated to Cloudflare. Cloudflare Registrar scans those records at regular intervals, and gathers those details and sends them to your domain’s registry.

This process can take one to two days after you first enable DNSSEC.

​​ Other registrars

First, activate DNSSEC in the Cloudflare dashboard:

  1. Log in to the Cloudflare dashboard and select your account and domain.
  2. Go to DNS > Settings.
  3. For DNSSEC, click Enable DNSSEC.
  4. In the dialog, you have access to several necessary values to help you create a DS record at your registrar. Once you close the dialog, you can access this information by clicking DS record on the DNSSEC card.

Add the DS record to your registrar. If Algorithm 13 - Cloudflare’s preferred cipher choice - is not listed by your registrar, it may also be called ECDSA Curve P-256 with SHA-256.

Provider-specific instructions

This is not an exhaustive list of how to update DS records in other providers, but the following links may be helpful:

​​ Verify DNSSEC

When DNSSEC has been successfully applied to your domain, Cloudflare shows you a confirmed status. Go to DNS > Settings in the Cloudflare dashboard, and scroll down to DNSSEC.

You can also confirm this by reviewing the WHOIS information for your domain. Domains with DNSSEC will read signedDelegation in the DNSSEC field.