Skip to content
Cloudflare Docs

Enable DNSSEC

As opposed to the normal process for enabling DNSSEC, DNSSEC with a subdomain setup requires a few additional steps.

Requirements

To use DNSSEC for a subdomain setup, DNSSEC must be enabled on the parent zone.

Ideally, you should also wait 12 to 24 hours after enabling DNSSEC on the parent zone to ensure DNS resolvers provide the same DNS query responses.

Setup

  1. Create the child zone.

  2. Make sure the child zone is active on Cloudflare and that DNS resolution is working properly for your subdomain.

  3. Enable DNSSEC for the child zone and save the information provided within the DS record output.

  4. In the DNS > Records settings of the parent zone, add the DS record from the previous step.

    Screenshot showing how to add a DS record within Cloudflare

  5. Add an A record to the child zone to validate DNS resolution.

  6. Wait two to six hours. Then, test the A record added in the previous step using multiple DNS resolvers with DNSSEC validation (1.1.1.1, 8.8.8.8, and 9.9.9.9). For example, if the A record is for test.child.example.com: dig test.child.example.com +dnssec @1.1.1.1.

Cloudflare DashboardDiscordCommunityLearning CenterSupport Portal
Cookie Settings