Cloudflare Docs
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Domain Name System Security Extensions (DNSSEC)

The domain name system (DNS) translates domain names into numeric Internet addresses. However, DNS is a fundamentally insecure protocol. It does not guarantee where DNS records come from and accepts any requests given to it.

DNSSEC creates a secure layer to the domain name system by adding cryptographic signatures to DNS records. By doing so, your request can check the signature to verify that the record you need comes from the authoritative nameserver and was not altered along the way.

​​ Enable or disable DNSSEC

Cloudflare Registrar offers one-click DNSSEC activation for free to all customers:

  1. Log in to the Cloudflare dashboard, and select your account.
  2. Select Domain Registration > Manage Domains.
  3. Find the domain you where you want to activate DNSSEC and select Manage.
  4. Select Configuration > Enable DNSSEC. If DNSSEC was previously activated, select Disable DNSSEC to disable it.

Cloudflare publishes delegation signer (DS) records in the form of CDS and CDNSKEY records for a domain delegated to Cloudflare. Cloudflare Registrar scans those records at regular intervals, and gathers those details and sends them to your domain’s registry.

This process can take one to two days after you first enable DNSSEC.

​​ Confirming DNSSEC

When DNSSEC has been successfully applied to your domain, Cloudflare shows you a confirmed status. Go to DNS > Settings in the Cloudflare dashboard, and scroll down to DNSSEC.

You can also confirm this by reviewing the WHOIS information for your domain. Domains with DNSSEC will read signedDelegation in the DNSSEC field.