In this article, we cover how to implement domain name system security extensions (DNSSEC) with the Cloudflare content delivery network (CDN):
DNSSEC provides an authentication layer by digitally signing a domain’s DNS records at the authoritative DNS server. With DNSSEC added to a domain, if the DNS cannot be authenticated because of an authorized DNS hop during network route, the requested website won’t display. This protects users against DNS spoofing and man-in-the-middle (MITM) attacks.
When you request DNSSEC with a DNS provider, such as Cloudflare, they sign your DNS zone and provide a resource records set (RRset) including the following:
- DNSKEY – public key which signs the RRset
- DS (delegation signer) record – hash of the DNSKEY
Below we’ll cover how to enable DNSSEC in Cloudflare and verify it.
Want better server security? Check out our managed VPS Hosting today.
- Point your domain nameservers to Cloudflare.
- Log in to Cloudflare.com.
- Click DNS at the top.
- Click Enable DNSSEC.
- Send the DNSSEC records to your domain registrar to update DNS records.
Warning: Inputting DNSSEC records incorrectly may cause website downtime.
After your DNSSEC records are added, Cloudflare should verify it within 10 minutes, but it may take up to 2 hours. You can review your the records by clicking DS Record on the lower-right of the DNSSEC panel.
- Refresh your Cloudflare DNS page to check if the status states pending:
- Once it states Success! with a green checkmark, check your domain DNS key at DNSViz.net.
- You should only see Secure on the left.