How to Enable DNSSEC with Cloudflare

Date: 10/17/2019          2 Minutes to Read

In this article, we cover how to implement domain name system security extensions (DNSSEC) with the Cloudflare content delivery network (CDN):

DNSSEC provides an authentication layer by digitally signing a domain’s DNS records at the authoritative DNS server. With DNSSEC added to a domain, if the DNS cannot be authenticated because of an authorized DNS hop during network route, the requested website won’t display. This protects users against DNS spoofing and man-in-the-middle (MITM) attacks.

When you request DNSSEC with a DNS provider, such as Cloudflare, they sign your DNS zone and provide a resource records set (RRset) including the following:

  • DNSKEY – public key which signs the RRset
  • DS (delegation signer) record – hash of the DNSKEY

Below we’ll cover how to enable DNSSEC in Cloudflare and verify it.

To implement DNSSEC with Cloudflare, your registrar and top-level domain (TLD) must support it and Algorithm 13 (ECDSA Curve P-256 with SHA-256 hashing algorithm).

Want better server security? Check out our managed VPS Hosting today.

Enable DNSSEC

  1. Point your domain nameservers to Cloudflare.
  2. Log in to Cloudflare.com.
  3. Click DNS at the top.
  4. Click Enable DNSSEC.
  5. Send the DNSSEC records to your domain registrar to update DNS records.

    Customers with a domain registered with InMotion Hosting, contact our Live Support with the Key Tag, Algorithm Type, Digest Type, and Digest.

Warning: Inputting DNSSEC records incorrectly may cause website downtime.

Verify DNSSEC

After your DNSSEC records are added, Cloudflare should verify it within 10 minutes, but it may take up to 2 hours. You can review your the records by clicking DS Record on the lower-right of the DNSSEC panel.

  1. Refresh your Cloudflare DNS page to check if the status states pending:

    or Success!
  2. Once it states Success! with a green checkmark, check your domain DNS key at DNSViz.net.
  3. You should only see Secure on the left.

Continue to improve website security with HTTP Strict Transport Security (HSTS) in Cloudflare or within your .htaccess file.

Leave a Reply