DNSSEC activation risks on existing records

Hello Community,

We had an annual penetration test. Our security team recommended that DNSSEC should be implemented on our domain hosted by Cloudflare.

I would like to ask what your recommendations are for activating DNSSEC (what do we need to check)?
If we decide to activate this option on each domain, we need to know whether there is a way to quickly roll back the change.

I’ll be available for any further details.

Thank you.

Ahmed Ouertani.


Thank you for asking.

I have DNSSEC configured and enabled on most of my domains using Cloudflare service.

Except on those domains whose registrars don’t support DNSSEC, or do support DNSSEC and adding the DS record but don’t support and are not compatible with the newest and required “Algorithm 13” (mostly they support only older ones, which are outdated, no longer in use and not recommended, etc.).

I’d suggest you contact your domain registrar(s) to double-check whether DNSSEC is supported and whether the DS record can be added by you (manually, per domain) or they have to do it for you.
Nevertheless, if you can add the DS record, ask them whether Algorithm 13 is supported or not.

The one thing to keep in mind: before you change your domain’s nameservers you have to disable DNSSEC in the Cloudflare dashboard and remove the DS record at the domain registrar, otherwise your website might not work for 48-72 hours.

The rollback would be: just disable DNSSEC in the Cloudflare dashboard for each domain and remove the DS record at your domain registrar for each of your domains, then wait 24 hours for the changes to apply.

I am afraid, there is no “a quick rollback”.

Furthermore, the majority of people would not see any difference at first sight upon enabling DNSSEC and adding the DS record.

I’d like to share two online tools to check whether DNSSEC is configured and working well:

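The reply above boils down to two checks before you touch the registrar: the DS record you are about to publish must match the DNSKEY Cloudflare actually serves (key tag, algorithm and digest), and both must use algorithm 13. The script below is an added example, not code from the original thread or from Cloudflare; it verifies a DS record against a DNSKEY offline using the key tag rule from RFC 4034 Appendix B and the SHA-256 digest from RFC 4509 (digest type 2, which is what the Cloudflare dashboard hands you). The owner name `example.com.` and the 64-byte key material are constructed placeholders, not a real P-256 public key; with a real DNSKEY (e.g. pasted from `dig DNSKEY yourzone`) the same functions apply.

```python
"""Offline DS-vs-DNSKEY consistency check (RFC 4034 key tag, RFC 4509 SHA-256 DS).

Added example: the DNSKEY below is constructed sample data, not a real key.
"""
import base64
import hashlib

ALG_ECDSAP256SHA256 = 13  # the algorithm Cloudflare signs zones with
DIGEST_SHA256 = 2         # DS digest type 2 (RFC 4509)
FLAG_SEP = 0x0001         # DNSKEY "secure entry point" flag: marks the KSK


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        lbl = label.encode("ascii")
        out += bytes([len(lbl)]) + lbl
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def dnskey_presentation(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """Presentation form as seen in dig output: 'FLAGS PROTO ALG BASE64KEY'."""
    return f"{flags} {protocol} {algorithm} {base64.b64encode(pubkey).decode()}"


def parse_dnskey(text: str):
    """Parse 'FLAGS PROTO ALG BASE64KEY' (base64 may be split over spaces)."""
    flags, proto, alg, *b64 = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(b64))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (a checksum, not unique)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, dnskey_text: str) -> str:
    """Derive the DS record 'KEYTAG ALG 2 HEXDIGEST' for a DNSKEY (RFC 4509)."""
    flags, proto, alg, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {DIGEST_SHA256} {digest}"


def check_ds(owner: str, dnskey_text: str, ds_text: str) -> list:
    """Return a list of problems; an empty list means DS matches DNSKEY and is alg 13."""
    problems = []
    tag, alg, dtype, digest = ds_text.split()
    tag, alg, dtype = int(tag), int(alg), int(dtype)
    flags, proto, kalg, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, kalg, key)
    if not flags & FLAG_SEP:
        problems.append("DNSKEY lacks the SEP flag: DS should point at the KSK (flags 257)")
    if kalg != ALG_ECDSAP256SHA256:
        problems.append(f"DNSKEY algorithm {kalg} is not 13 (ECDSAP256SHA256)")
    if alg != kalg:
        problems.append(f"DS algorithm {alg} != DNSKEY algorithm {kalg}")
    if tag != key_tag(rdata):
        problems.append(f"DS key tag {tag} != computed key tag {key_tag(rdata)}")
    if dtype != DIGEST_SHA256:
        problems.append(f"DS digest type {dtype} is not 2 (SHA-256)")
    else:
        expected = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
        if digest.lower() != expected:
            problems.append("DS digest does not match the DNSKEY")
    return problems


# Constructed sample: KSK flags (257), protocol 3, algorithm 13, placeholder key bytes.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY = bytes(range(1, 65))  # not a real P-256 point; sample data only
SAMPLE_DNSKEY = dnskey_presentation(257, 3, ALG_ECDSAP256SHA256, SAMPLE_KEY)

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print("DS to give the registrar:", ds)
    print("problems:", check_ds(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
    # A registrar that only supports older algorithms would publish something like this:
    legacy = dnskey_presentation(257, 3, 8, SAMPLE_KEY)
    print("legacy-alg problems:", check_ds(SAMPLE_OWNER, legacy, make_ds(SAMPLE_OWNER, legacy)))
```

Run `check_ds` with the DNSKEY from the zone's authoritative nameservers and the DS string you intend to paste at the registrar; any non-empty result means the DS will either not validate (a bogus zone, which resolvers treat as down) or is being published with an algorithm the reply warns against.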