How to Enable DNSSEC with Cloudflare

See our related guide to enable DNSSEC on cPanel servers.

In this article, we cover how to implement Domain Name System Security Extensions (DNSSEC) with the Cloudflare content delivery network (CDN).

DNSSEC provides an authentication layer by digitally signing a domain’s DNS records at the authoritative DNS server. With DNSSEC added to a domain, if a DNS response cannot be authenticated because of an unauthorized DNS hop along the network route, the requested website won’t display. This protects users against DNS spoofing and man-in-the-middle (MITM) attacks.

When you request DNSSEC with a DNS provider, such as Cloudflare, they sign your DNS zone and provide a resource record set (RRset) including the following:

  • DNSKEY – public key of the key pair which signs the RRset
  • DS (delegation signer) record – hash of the DNSKEY

Below we’ll cover how to enable DNSSEC in Cloudflare and verify it.

To implement DNSSEC with Cloudflare, your registrar and top-level domain (TLD) must support both DNSSEC and Algorithm 13 (ECDSA Curve P-256 with the SHA-256 hashing algorithm).



  1. Point your domain nameservers to Cloudflare.
  2. Log in to
  3. Click DNS at the top.
  4. Click Enable DNSSEC.
  5. Send the DNSSEC records to your domain registrar to update DNS records.

    Customers with a domain registered with InMotion Hosting should contact our Live Support with the Key Tag, Algorithm Type, Digest Type, and Digest.

Warning: Inputting DNSSEC records incorrectly may cause website downtime.
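
The DS values sent to the registrar can be recomputed from the zone's DNSKEY and compared before they are submitted. The following is an added example, not code from this article or from Cloudflare; the owner name and key bytes are constructed placeholders, and flags 257 with protocol 3 are assumed as the standard values for a key-signing key.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY (not a real zone's key): 64 placeholder bytes in
# place of an Algorithm 13 public key, which is enough for the digest math.
SAMPLE_OWNER = "example.com"
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [part for part in name.lower().rstrip(".").split(".") if part]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key Tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Derive the DS fields (Digest Type 2 = SHA-256) from a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": digest}


def ds_mismatches(entered, expected):
    """Names of DS fields where the values typed at the registrar differ."""
    def norm(value):
        return str(value).replace(" ", "").upper()
    return [f for f in expected if norm(entered.get(f, "")) != norm(expected[f])]


if __name__ == "__main__":
    expected = ds_from_dnskey(SAMPLE_OWNER, 257, 3, 13, SAMPLE_PUBKEY)
    print(expected)
    typo = dict(expected, key_tag=expected["key_tag"] + 1)  # simulated entry error
    print("mismatched fields:", ds_mismatches(typo, expected))
```

An empty list from `ds_mismatches` means the Key Tag, Algorithm, Digest Type, and Digest entered at the registrar all agree with the DNSKEY.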


After your DNSSEC records are added, Cloudflare should verify them within 10 minutes, but it may take up to 2 hours. You can review the records by clicking DS Record on the lower-right of the DNSSEC panel.

  1. Refresh your Cloudflare DNS page to check whether the status states pending or Success!
  2. Once it states Success! with a green checkmark, check your domain DNS key at
  3. You should only see Secure on the left.

Continue to improve website security with HTTP Strict Transport Security (HSTS) in Cloudflare or within your .htaccess file.

Jacqueem Content Writer I

Technical writer focused on cybersecurity and musicianship.
