Cloudflare Docs
Learning Paths
Edit this page on GitHub
Set theme to dark (⇧+D)


  2 min read

DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring requests are not routed to a spoofed domain.

For additional background on DNSSEC, visit the Cloudflare Learning Center.

When you enable DNSSEC, Cloudflare signs your zone, publishes your public signing keys, and generates your DS record.

​​ Step 1 - Activate DNSSEC in Cloudflare

  1. Log in to the Cloudflare dashboard and select your account and domain.
  2. Go to DNS > Settings.
  3. For DNSSEC, click Enable DNSSEC.
  4. In the dialog, you have access to several necessary values to help you create a DS record at your registrar. Once you close the dialog, you can access this information by clicking DS record on the DNSSEC card.

​​ Step 2 — Add DS record to your registrar

Add the DS record to your registrar. If Algorithm 13 - Cloudflare’s preferred cipher choice - is not listed by your registrar, it may also be called ECDSA Curve P-256 with SHA-256.

Provider-specific instructions

This is not an exhaustive list of how to update DS records in other providers, but the following links may be helpful: