How to Enable DNSSEC on Your Domain

DNSSEC signs your DNS records so resolvers can prove the answers they receive are authentic and unmodified — closing the door on cache poisoning and DNS spoofing. This guide covers signing, the DS record, and verification.


Plain DNS has no way to prove that an answer is genuine, which is what makes cache-poisoning and DNS spoofing attacks possible. DNSSEC (DNS Security Extensions) fixes this by cryptographically signing your zone. Validating resolvers follow a chain of trust from the root down to your domain and reject any answer that has been tampered with.

How the Chain of Trust Works

Your zone is signed with a key (DNSKEY). A hash of that key — the DS record — is published in the parent zone (your TLD, via your registrar). The parent's DS record is itself signed, and so on up to the root. A resolver that trusts the root can therefore verify your domain end-to-end.

Step 1 — Check Whether Your Providers Support DNSSEC

DNSSEC involves two parties: your DNS host (which signs the zone) and your registrar (which publishes the DS record at the TLD). Both must support it. Most managed DNS providers — Cloudflare, Route 53, Google Cloud DNS, DNSimple — offer one-click DNSSEC, which is by far the easiest path.

Step 2 — Enable Signing at Your DNS Host

With one-click DNSSEC, the provider generates the keys and signs the zone for you, then shows you a DS record (or the DNSKEY details) to hand to your registrar. For example, in Cloudflare it's DNS → Settings → Enable DNSSEC, which prints something like:

```text
DS Record:
  Key Tag:      2371
  Algorithm:    13 (ECDSA Curve P-256 with SHA-256)
  Digest Type:  2 (SHA-256)
  Digest:       2BB183AF5F22588179A53B0A98631FAD1A292118
```

Prefer Modern Algorithms

If you get to choose, pick algorithm 13 (ECDSA P-256) or 15 (Ed25519) over older RSA algorithms. They produce much smaller signatures and DNSKEY records, keeping responses fast and avoiding fragmentation.

Step 3 — Publish the DS Record at Your Registrar

Log in to the registrar where the domain is registered and find the DNSSEC section (often under domain settings). Enter the DS record values exactly as your DNS host provided them:

| Field       | Example                  |
|-------------|--------------------------|
| Key Tag     | 2371                     |
| Algorithm   | 13 (ECDSA P-256 SHA-256) |
| Digest Type | 2 (SHA-256)              |
| Digest      | 2BB183AF…292118          |

Order of Operations Matters

Always enable signing at the DNS host first, then publish the DS record at the registrar. Publishing a DS record that doesn't match a signed zone breaks resolution for everyone — the domain will fail validation and go dark for validating resolvers.

Manual Signing (self-hosted BIND)

If you run your own authoritative BIND server, enable inline signing:

```text
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    key-directory "/etc/bind/keys";
    # On BIND 9.16 and later, prefer "dnssec-policy default;" in place of the
    # next two lines; auto-dnssec is deprecated there.
    auto-dnssec maintain;
    inline-signing yes;
};
```

```bash
# Generate a Key Signing Key (KSK) and Zone Signing Key (ZSK).
# -K writes the key files into the zone's key-directory; without it they
# land in the current directory and named never finds them.
dnssec-keygen -K /etc/bind/keys -a ECDSAP256SHA256 -f KSK -n ZONE example.com
dnssec-keygen -K /etc/bind/keys -a ECDSAP256SHA256 -n ZONE example.com
sudo rndc reload example.com
# Emit the DS record to give to your registrar (the KSK's key file, tag 2371 here)
dnssec-dsfromkey /etc/bind/keys/Kexample.com.+013+02371.key
```
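As an added example (not code from the original guide, from BIND, or from any DNS provider), the Python script below derives the DS record from a zone's DNSKEY in the same way `dnssec-dsfromkey` does, and checks a DS record you are about to type at the registrar against the signed zone's DNSKEY before you publish it. It serves both Step 3 above and the `dnssec-dsfromkey` step of the manual signing section. The DNSKEY and owner name are constructed placeholders (the 64 key bytes are a simple pattern, not a real P-256 public key); the DS digest is, per RFC 4034, the hash of the canonical owner name in wire format followed by the DNSKEY RDATA, and the key tag is the RFC 4034 Appendix B checksum. One caveat the check makes visible: a digest type 2 (SHA-256) digest is always 64 hex characters, so a 40-character digest like the sample shown earlier has the length of a SHA-1 (digest type 1) digest, and the script reports that mismatch rather than letting it through.

```python
import base64
import hashlib

# DS digest types (IANA DS digest registry) with their hash function and the
# number of hex characters a correctly formed digest of that type must have.
DIGEST_TYPES = {
    1: (hashlib.sha1, 40),    # SHA-1 (legacy)
    2: (hashlib.sha256, 64),  # SHA-256 (the common choice)
    4: (hashlib.sha384, 96),  # SHA-384
}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, each label
    prefixed by its length, terminated by the zero-length root label."""
    wire = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(rdata_text: str) -> dict:
    """Parse DNSKEY RDATA in presentation form ('flags protocol algorithm base64key'),
    which is exactly what `dig DNSKEY example.com +short` prints, into its fields
    and the wire-format RDATA bytes."""
    flags, protocol, algorithm, *key_parts = rdata_text.split()
    public_key = base64.b64decode("".join(key_parts))
    rdata = int(flags).to_bytes(2, "big") + bytes([int(protocol), int(algorithm)]) + public_key
    return {"flags": int(flags), "protocol": int(protocol),
            "algorithm": int(algorithm), "rdata": rdata}


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA
    (even-offset bytes weighted by 256) that identifies which key a DS refers to."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, dnskey_rdata_text: str, digest_type: int = 2) -> str:
    """Derive the DS RDATA ('keytag algorithm digesttype digest') for a DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA), as RFC 4034 section 5.1.4 specifies."""
    hash_fn, _ = DIGEST_TYPES[digest_type]
    key = parse_dnskey(dnskey_rdata_text)
    digest = hash_fn(name_to_wire(owner) + key["rdata"]).hexdigest().upper()
    return f"{key_tag(key['rdata'])} {key['algorithm']} {digest_type} {digest}"


def check_ds(owner: str, dnskey_rdata_text: str, ds_rdata_text: str) -> list:
    """Compare a DS record (as it will be typed at the registrar) with the zone's
    DNSKEY. Returns a list of problems; an empty list means the DS is safe to publish."""
    problems = []
    fields = ds_rdata_text.split()
    tag, algorithm, digest_type = int(fields[0]), int(fields[1]), int(fields[2])
    digest = "".join(fields[3:]).upper()  # some UIs show the digest with spaces in it
    if digest_type not in DIGEST_TYPES:
        return [f"unsupported digest type {digest_type}"]
    expected_len = DIGEST_TYPES[digest_type][1]
    if len(digest) != expected_len:
        problems.append(f"digest length is {len(digest)} hex chars, but digest type "
                        f"{digest_type} produces {expected_len}")
    key = parse_dnskey(dnskey_rdata_text)
    if not key["flags"] & 0x0100:
        problems.append("DNSKEY is not a zone key (flag bit 7 clear); a DS must point at a zone key")
    if tag != key_tag(key["rdata"]):
        problems.append(f"key tag {tag} does not match DNSKEY key tag {key_tag(key['rdata'])}")
    if algorithm != key["algorithm"]:
        problems.append(f"algorithm {algorithm} does not match DNSKEY algorithm {key['algorithm']}")
    if digest != make_ds(owner, dnskey_rdata_text, digest_type).split()[3]:
        problems.append("digest does not match the DNSKEY; publishing this DS would break validation")
    return problems


# Constructed sample: a KSK (flags 257 = zone key + SEP) for algorithm 13 whose
# 64 key bytes are a placeholder pattern, NOT a real P-256 public key.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode("ascii")

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print("DS to publish:", ds)                       # key tag 59409 for the sample key
    print("self-check:", check_ds(SAMPLE_OWNER, SAMPLE_DNSKEY, ds) or "OK")
    # The guide's sample digest is 40 hex chars but labelled type 2: the check reports it.
    print(check_ds(SAMPLE_OWNER, SAMPLE_DNSKEY,
                   "2371 13 2 2BB183AF5F22588179A53B0A98631FAD1A292118"))
```

Run it against a real zone by pasting the output of `dig DNSKEY yourdomain +short` (the KSK line, flags 257) as the DNSKEY text and the DS values from your provider's screen as the DS text; an empty problem list means the DS you publish describes the key that is actually signing the zone.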

Step 4 — Verify the Chain of Trust

Confirm the zone is signed and the DS record is published in the parent:

```bash
# DNSKEY records should be present. +short prints only the keys; drop it to see
# the AD (Authenticated Data) flag that a validating resolver sets in the header
dig DNSKEY example.com +dnssec +short
# DS record at the parent (TLD)
dig DS example.com +short
# A full validation trace from the root
dig example.com +dnssec +trace
```

The easiest check is the ShowDNS DNSSEC Validator, and a full Domain Health Report will flag DNSSEC status alongside the rest of your DNS configuration. Allow up to a day for the parent DS record to propagate.

DNSSEC Unlocks DANE

Once your zone is signed you can publish TLSA records for DANE, which pins your mail or web TLS certificate in DNS. This pairs well with MTA-STS for defense-in-depth on mail TLS.
