DNSSEC Setup Guide
Enable DNS Security Extensions to protect your domain from DNS spoofing and cache poisoning attacks.
What is DNSSEC?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records. This allows resolvers to verify that DNS responses haven't been tampered with.
Without DNSSEC, attackers can:
• Redirect your visitors to malicious sites (DNS spoofing)
• Intercept email by changing MX records
• Steal credentials via fake login pages
How DNSSEC Works
DNSSEC creates a chain of trust from the root DNS servers to your domain:
1. **Root Zone** signs the TLD (e.g., .com)
2. **TLD (.com)** signs your domain's DS record
3. **Your Domain** signs all your DNS records
Each level cryptographically vouches for the key of the next, so a validating resolver detects tampering at any point in the chain.
DNSSEC Record Types
DNSSEC introduces new record types:
• **DNSKEY** - Public key for your domain
• **RRSIG** - Signature for each record set
• **DS** - Hash of your DNSKEY (stored at parent zone)
• **NSEC/NSEC3** - Proves a record doesn't exist
Enabling DNSSEC
DNSSEC setup varies by registrar/DNS provider. Generally:
**If your DNS provider manages DNSSEC automatically (recommended):**
1. Enable DNSSEC in your DNS provider's dashboard
2. Copy the DS record details
3. Add the DS record at your registrar
4. Wait for propagation
Providers like Cloudflare, Google Cloud DNS, and Route 53 handle key management automatically.
Cloudflare DNSSEC Setup
1. Log into Cloudflare Dashboard
2. Select your domain
3. Go to DNS → Settings
4. Click "Enable DNSSEC"
5. Cloudflare provides DS record details
6. Add these DS records at your registrar
# Example DS record values:
# Key Tag: 2371
# Algorithm: 13
# Digest Type: 2
# Digest: E06D44B80B8F1D39A95C...
Verification
After enabling DNSSEC, verify it works:
1. Use IntoDNS.ai to check DNSSEC status
2. Use dig: dig +dnssec yourdomain.com
3. Check DNSViz.net for visual chain of trust
4. Verify DS records match at parent zone
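The two checks that most often go wrong are step 4 above (the DS record at the parent must be the hash of the child's DNSKEY, as described under DNSSEC Record Types) and reading the dig output correctly. The following is an added example, not code from this guide or from Cloudflare or any other provider named here: it derives the key tag and DS digest from a DNSKEY exactly as RFC 4034 specifies, compares a DS record as copied from the registrar against that derivation, and inspects a dig +dnssec response for the "ad" (authenticated data) flag. The key bytes, the domain example.test and the dig output are all constructed placeholders; only the encoding and hashing rules are real.

```python
import hashlib
import re
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, uncompressed, length-prefixed labels, terminating root label."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags | 1-byte protocol (always 3) | 1-byte algorithm | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types: 2 = SHA-256, 4 = SHA-384. Type 1 (SHA-1) is deprecated and rejected here.
DIGEST_ALGOS = {2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    if digest_type not in DIGEST_ALGOS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """(key tag, algorithm, digest type, digest) that the parent zone should publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(parent_ds: str, owner, flags, protocol, algorithm, public_key) -> bool:
    """Compare a DS record in presentation format ("2371 13 2 E06D...") with the one
    derived from the child's DNSKEY. Case and whitespace inside the digest are
    normalised because those are the usual copy-paste mistakes at the registrar."""
    fields = parent_ds.split()
    if len(fields) < 4:
        return False
    tag, alg, dtype = (int(f) for f in fields[:3])
    digest = "".join(fields[3:]).upper()
    try:
        computed = ds_record(owner, flags, protocol, algorithm, public_key, dtype)
    except ValueError:
        return False
    return computed == (tag, alg, dtype, digest)


def dig_validated(dig_output: str) -> bool:
    """True when a dig +dnssec answer carries the 'ad' header flag and at least one
    RRSIG. Only a validating recursive resolver sets 'ad'; querying an authoritative
    server directly (dig @ns1...) returns RRSIGs but never 'ad'."""
    m = re.search(r"^;; flags: ([a-z ]+);", dig_output, re.M)
    has_ad = bool(m) and "ad" in m.group(1).split()
    has_rrsig = re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", dig_output, re.M) is not None
    return has_ad and has_rrsig


# Constructed dig output (not a real capture) in the shape of a validated answer.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.      300  IN  A     192.0.2.1
example.test.      300  IN  RRSIG A 13 2 300 20240101000000 20231201000000 2068 example.test. placeholdersig==
"""

if __name__ == "__main__":
    # Constructed 64-byte key standing in for an ECDSA P-256 (algorithm 13) KSK; flags 257 = KSK.
    fake_ksk = bytes(range(64))
    tag, alg, dtype, digest = ds_record("example.test", 257, 3, 13, fake_ksk)
    print(f"DS to publish at parent: {tag} {alg} {dtype} {digest}")
    print("dig answer validated:", dig_validated(SAMPLE_DIG))
```

Pull the live DNSKEY with dig DNSKEY yourdomain.com, base64-decode the key field, and feed flags/algorithm/key into ds_record; if ds_matches returns False for what the registrar shows, the chain of trust is broken at the DS step and validating resolvers will return SERVFAIL for the whole domain.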
DNSSEC misconfigurations can make your entire domain unreachable. Test thoroughly before enabling.