Enable DNSSEC
DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring requests are not routed to a spoofed domain.
For additional background on DNSSEC, visit the Cloudflare Learning Center ↗.
When you enable DNSSEC, Cloudflare signs your zone, publishes your public signing keys, and generates your DS record.
Step 1 - Activate DNSSEC in Cloudflare
Section titled “Step 1 - Activate DNSSEC in Cloudflare”- Log in to the Cloudflare dashboard ↗ and select your account and domain.
- Go to DNS > Settings.
- For DNSSEC, click Enable DNSSEC.
- In the dialog, you have access to several necessary values to help you create a DS record at your registrar. Once you close the dialog, you can access this information by clicking DS record on the DNSSEC card.
Step 2 — Add DS record to your registrar
Section titled “Step 2 — Add DS record to your registrar”Add the DS record to your registrar. If Algorithm 13 - Cloudflare's preferred cipher choice - is not listed by your registrar, it may also be called ECDSA Curve P-256 with SHA-256.
Provider-specific instructions
This is not an exhaustive list of how to update DS records in other providers, but the following links may be helpful:
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark