DNSSEC - is there any reason NOT to enable it for all domains?

I was just poking around in my domain settings and spotted the DNSSEC setting. Is there any reason not to enable it for all domains?

Thanks in advance.

Personally, I would recommend enabling it for all domains.

Depending on your domain portfolio (e.g. the different TLDs you spread your domains around on) though, you might be able to find a TLD or two once in a while, where it isn’t possible to enable all the way from the TLD and down to your own domain.

If it isn’t DNSSEC enabled all the way in the chain (e.g. from the root zone “.”, to “com”, to “example.com”), DNSSEC doesn’t provide the desired outcome.


Okay great, thank you @DarkDeviL!

Anyone else want to weigh in? I see that DD’s reply has gotten 2 likes, but can’t see who from.

If you incorrectly configure it or later forget to disable it when changing nameservers, you will break resolution of your domain.

As long as Cloudflare are offering non-inflated domain registration/renewal, I’m not going anywhere. 🙂

Yes, that’s a good point, so if you use Cloudflare Registrar and never stop using Cloudflare Registrar, then enabling DNSSEC is a one-click operation with no downside.