How to Set Up DNSSEC for Your Domain

By Admin · Mar 15, 2026 · Updated Apr 23, 2026 · 209 views · 2 min read

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records, preventing DNS spoofing and cache poisoning attacks. When enabled, clients can verify that DNS responses are authentic and have not been tampered with.

How DNSSEC Works

# 1. Zone owner signs DNS records with a private key
# 2. Public key (DNSKEY) is published in DNS
# 3. Parent zone (e.g., .com) has a DS record pointing to your DNSKEY
# 4. Resolvers verify the chain of trust from root to your domain

# Record types:
# RRSIG  — Signature over a set of DNS records
# DNSKEY — Public key for the zone
# DS     — Delegation Signer (hash of DNSKEY, published in parent zone)
# NSEC/NSEC3 — Proves a record does not exist

Enabling DNSSEC with Cloudflare

# Cloudflare makes DNSSEC easy:
# 1. Go to DNS > Settings in Cloudflare dashboard
# 2. Click "Enable DNSSEC"
# 3. Cloudflare provides a DS record
# 4. Add the DS record at your domain registrar
# 5. Wait for propagation (up to 24 hours)

Verifying DNSSEC

# Check if a domain has DNSSEC enabled (RRSIG records come back alongside the answer)
dig +dnssec example.com

# Look for the "ad" flag (Authenticated Data) in the header line, e.g. ";; flags: qr rd ra ad;"
# The flag is set only when the resolver you query validates DNSSEC itself;
# +short strips the header, so it cannot be used for this check
dig +dnssec example.com | grep flags:
# An "ad" flag in the response indicates DNSSEC validation passed

# Check DS records
dig DS example.com

# Check DNSKEY records
dig DNSKEY example.com

# Use delv for detailed DNSSEC validation
delv example.com
# Should show "fully validated"

# Online tools:
# https://dnssec-debugger.verisignlabs.com/
# https://dnsviz.net/
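The DS and DNSKEY checks above show what each zone publishes; this added example (not part of the original article) checks that the two agree by recomputing the DS from the DNSKEY as RFC 4034 defines it: the key tag is a 16-bit word sum over the DNSKEY RDATA, and the digest is a hash over the canonical owner name followed by that RDATA. The DNSKEY and key bytes used are constructed sample data, not a real key.

```python
import base64
import hashlib

# DS digest types (RFC 4034, RFC 4509, RFC 6605) mapped to hashlib names.
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed sample DNSKEY (not a real key): flags 257 = zone key + SEP, i.e. a KSK,
# protocol 3, algorithm 13 (ECDSAP256SHA256), 64 bytes of public key material.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + "AQIBAgEC" * 10 + "AQIBAg=="


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum over the RDATA with the carry folded in."""
    acc = sum(int.from_bytes(rdata[i:i + 2].ljust(2, b"\x00"), "big")
              for i in range(0, len(rdata), 2))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) exactly as the parent's DS record carries them."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.new(DIGEST_ALGS[digest_type], owner_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


def parse_dnskey(line: str):
    """Parse 'owner [TTL] IN DNSKEY flags protocol algorithm base64...' as printed by dig."""
    f = line.split()
    i = f.index("DNSKEY")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), base64.b64decode("".join(f[i + 4:]))


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True if the DS line (as published in the parent zone) was derived from this DNSKEY."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_line)
    f = ds_line.split()
    i = f.index("DS")
    published = (int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper())
    return make_ds(owner, flags, protocol, algorithm, pubkey, published[2]) == published
```

Feed it the `dig DNSKEY` line for the key with flags 257 and the `dig DS` line from the parent; a mismatch after a KSK rollover is exactly the "DS record management" failure described below.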

Enabling DNSSEC on BIND

# Generate the keys: a ZSK and a KSK (-f KSK sets the SEP flag); keep them in /etc/bind/keys
mkdir -p /etc/bind/keys && cd /etc/bind
dnssec-keygen -K keys -a ECDSAP256SHA256 example.com
dnssec-keygen -K keys -a ECDSAP256SHA256 -f KSK example.com

# Sign the zone: -K reads the keys generated above, -3 sets a random NSEC3 salt,
# -A sets the NSEC3 opt-out flag, -N INCREMENT bumps the SOA serial, -t prints statistics.
# Output is written to db.example.com.signed
dnssec-signzone -K keys -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) \
  -N INCREMENT -o example.com -t db.example.com

# Configure BIND to serve the signed zone. In named.conf:
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com.signed";
};
# The signatures expire (30 days after signing by default), so re-run dnssec-signzone
# and reload before then. Alternatively let BIND sign and re-sign for you: point "file"
# at the unsigned db.example.com and add
#     key-directory "/etc/bind/keys"; inline-signing yes; auto-dnssec maintain;
# (newer BIND releases replace auto-dnssec with dnssec-policy). Do not combine
# inline-signing with a manually signed zone file; pick one approach.

DNSSEC Gotchas

  • Key rotation — DNSSEC keys should be rotated regularly (KSK annually, ZSK monthly)
  • DS record management — When rotating KSK, update DS at registrar before removing old key
  • Clock synchronization — DNSSEC signatures have validity periods; NTP must be working
  • Zone transfers — Signed zones are larger; ensure zone transfers still work