Should I enable DNSSEC?

I am a long-time Cloudflare user and just recently also transferred the domain to CF Registrar.
I just recently noticed while testing the DNS of my site that DNSSEC is not enabled.

I get errors like:

  • Check DNSSEC configuration

  • The site does not have any DNSSEC records.

  • Check DS record configuration

  • The hostname has no DS records.

I see an option to enable DNSSEC in DNS section.
However, I am not sure about the DS records.

Moreover, testing the site with this tool, it says DNSSEC is working.

Like I said, I am a long-time CF user and never enabled DNSSEC or made any changes.
Should I enable it? Shouldn’t registering your domain to CF automatically enable this DNSSEC?

Are there any drawbacks of enabling this option?

Kindly, check with your domain registrar if DNSSEC is supported and if they do support Algorithm 13.

Otherwise, you won’t have anything beneficial from it.

Furthermore, some domain registrars don’t accept values like Algorithm 13 (as stated in the article from the link below), therefore DNSSEC cannot be used with some TLDs nor with some domain registrars.

Regarding the errors you get, may I ask was the DNSSEC enabled and used since before moving to Cloudflare Registrar and/or changing domain nameservers? :thinking:

Could you share your domain name here with us so we could double-check, troubleshoot and provide some feedback information?

Better and rather not, as some users and customers have DNSSEC enabled, then they change domain nameservers and end up having an issue as the DS record wasn’t removed before that step and similar. Using the :search: button we can find those kinds of topics.

I have it enabled on my domains, at least on those whose registrars do support it and Alg 13.

I needed to contact my previous registrar in order to be able to use Algorithm 13 (ECDSA/P-256). They added it without problems.

1 Like
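The failure mode mentioned in the reply above (a DS record left at the parent after the nameservers change) can be checked by comparing each DS against the DNSKEYs the zone actually serves. This is an added example, not part of any post in the thread; the zone `example.com`, the placeholder key bytes and the function names are assumptions, and it only matches DS to DNSKEY without verifying signatures.

```python
import hashlib
import struct

ALG_ECDSAP256SHA256 = 13   # "Algorithm 13" in the thread
DIGEST_SHA256 = 2          # DS digest type 2

def dnskey_rdata(public_key, flags=257, algorithm=ALG_ECDSAP256SHA256):
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_for(zone, rdata):
    """The DS tuple the parent should hold for this DNSKEY (SHA-256 digest)."""
    wire = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in zone.rstrip(".").lower().split(".")) + b"\x00"
    digest = hashlib.sha256(wire + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], DIGEST_SHA256, digest)

def check_delegation(zone, parent_ds, child_dnskeys):
    """Return (status, stale_ds) for DS records at the parent vs. DNSKEYs served."""
    if not parent_ds:
        return ("insecure", [])        # unsigned delegation: resolves, unvalidated
    served = {ds_for(zone, k) for k in child_dnskeys}
    stale = [ds for ds in parent_ds if ds not in served]
    # A validating resolver needs at least one DS that matches a served DNSKEY;
    # if none does, it treats the zone as bogus and answers SERVFAIL.
    status = "ds-ok" if len(stale) < len(parent_ds) else "bogus"
    return (status, stale)

# Constructed sample data: placeholder 64-byte strings, not real P-256 keys.
OLD_KEY = dnskey_rdata(bytes(range(64)))        # key used by the previous DNS host
NEW_KEY = dnskey_rdata(bytes(range(64, 128)))   # key served by the new nameservers

if __name__ == "__main__":
    zone = "example.com"
    cases = {
        "DNSSEC never enabled": [],
        "DS left from old host": [ds_for(zone, OLD_KEY)],
        "DS updated for new host": [ds_for(zone, NEW_KEY)],
    }
    for label, parent_ds in cases.items():
        status, stale = check_delegation(zone, parent_ds, [NEW_KEY])
        print(f"{label}: {status}, stale key tags {[d[0] for d in stale]}")
```
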

Thanks for the quick reply.

Kindly, check with your domain registrar if DNSSEC is supported and if they do support Algorithm 13.

I had GoDaddy as registrar a year ago and now my domain is on Cloudflare Registrar for over a year. Does CF registrar support all of this?

Regarding the errors you get, may I ask was the DNSSEC enabled and used since before moving to Cloudflare Registrar and/or changing domain nameservers?

No, never enabled this option.

Could you share your domain name here with us so we could double-check, troubleshoot and provide some feedback information?

Sure. It’s androidsage.com

Yes, it does:

Yes it does.

Just to add a note, once you’re at Cloudflare Registrar, if you ever wish to change your domain nameservers to some other different than Cloudflare’s, unfortunately you cannot. You would have to transfer out first. Changing nameservers for a domain managed with Cloudflare Registrar isn’t supported. You can check section 6.1 in the Domain Registration Agreement below for more info:

Thanks for sharing. Yes, currently as it seems DNSSEC feature isn’t enabled for your domain at CF dashboard, however it can be enabled with a single click.

In case something is stuck or not working, wait for 24 hours then reply back so we could double-check again and, if needed, write a ticket to Cloudflare support and share your ticket number here with us so we could escalate this issue for you.

1 Like