Implementing DNSSEC in Cloudflare: Parent Zones, Child Zones, and Getting the Order Right
Start here: The fastest, safest way to implement DNSSEC is to use Cloudflare as both your domain registrar and your authoritative DNS provider. When both are on Cloudflare, enabling DNSSEC on a parent zone is a single click — Cloudflare automatically generates the DS record and submits it to the registry with no manual steps. For child zones, Cloudflare auto-populates the DS record values you need to add. This guide covers both the Cloudflare-native path (easiest) and the manual path (when your registrar is external).
Why DNSSEC Order Matters — A Lot
Before touching anything, understand this: DNSSEC configuration must be done in a specific order, and doing it wrong can make your domain unreachable for all resolvers that validate DNSSEC — which includes most modern resolvers.
The golden rule is:
Always enable DNSSEC on the child zone before adding the DS record to the parent.
Here’s why. The DS record in the parent zone tells resolvers “this child zone is DNSSEC-signed — validate everything.” Once that DS record exists, resolvers will attempt to validate every response from your child zone. If your child zone isn’t actually signed yet, validation fails, and the domain returns SERVFAIL.
The failure mode is silent and severe: your domain becomes unreachable for all DNSSEC-validating resolvers, with no obvious error message for end users.
Correct order:
- Sign the child zone (enable DNSSEC on the child)
- Verify the child zone is correctly signing records
- Add the DS record to the parent
- Verify the full chain validates
Removal order is the reverse:
- Remove the DS record from the parent
- Wait for the DS record’s TTL to expire (so it’s no longer cached)
- Disable DNSSEC on the child zone
Removing in the wrong order — disabling signing before removing the DS record — breaks the chain and causes SERVFAIL.
The Cloudflare + Cloudflare Registrar Advantage
When Cloudflare is both your registrar and DNS provider, here’s what you get automatically:
One-click DS record submission. When you enable DNSSEC on your zone in the Cloudflare DNS dashboard, Cloudflare generates the DS record and automatically submits it to your registry via the EPP protocol. You never touch the DS record manually.
CDS/CDNSKEY automation. Cloudflare publishes CDS and CDNSKEY records (RFC 8078) alongside your DNSKEY records. Registries that support RFC 8078 can automatically detect and apply the DS record without any manual action.
Automatic key management. Cloudflare handles ZSK rotation, RRSIG expiration, and key rollover. You never need to worry about a signing key expiring or rotating keys manually.
Algorithm 13 (ECDSA P-256 with SHA-256). Cloudflare uses Algorithm 13 by default — a modern, efficient algorithm with strong security properties. If you’re configuring at an external registrar that doesn’t list “Algorithm 13,” it may be listed as “ECDSA Curve P-256 with SHA-256.”
Scenario 1: Enabling DNSSEC on a Parent Zone (Cloudflare Registrar + Cloudflare DNS)
This is the easiest path. If your domain is registered through Cloudflare and uses Cloudflare nameservers:
Step 1 — Enable DNSSEC in DNS Settings
- Log in to the Cloudflare dashboard
- Select your zone (e.g., example.com)
- Go to DNS → Settings
- Find the DNSSEC section and click Enable DNSSEC
Step 2 — That’s It
Cloudflare automatically:
- Generates the ZSK and KSK for your zone
- Signs all existing DNS records with the ZSK
- Publishes DNSKEY and RRSIG records
- Generates the DS record
- Submits the DS record to your registry
Within minutes (up to an hour for some registries), DNSSEC is active. You’ll see the DNSSEC status change to Active on the DNS Settings page.
Verifying the Setup
Use these tools to confirm DNSSEC is working:
# Check if DS record exists at the parent
dig DS example.com @8.8.8.8 +short
# Check DNSKEY records
dig DNSKEY example.com @8.8.8.8 +short
# Check RRSIG on an A record
dig A example.com @8.8.8.8 +dnssec
# Use the Verisign DNSSEC Debugger
# https://dnssec-debugger.verisignlabs.com/
# or
# https://dnsviz.net/
Scenario 2: Enabling DNSSEC on a Parent Zone (External Registrar)
If you’re using Cloudflare DNS but your domain is registered elsewhere (GoDaddy, Namecheap, Google Domains, etc.):
Step 1 — Enable DNSSEC in Cloudflare DNS Settings
- Cloudflare dashboard → select your zone → DNS → Settings
- Click Enable DNSSEC
- A dialog appears with the DS record values you need:
- Key Tag — A numeric identifier for the DS record
- Algorithm — 13 (ECDSA Curve P-256 with SHA-256)
- Digest Type — 2 (SHA-256)
- Digest — The actual hash value
Keep this dialog open or note the values. You can always return to them by clicking DS record on the DNSSEC card.
Step 2 — Add the DS Record at Your Registrar
Log in to your registrar’s control panel and find the DNSSEC section. This varies by registrar:
GoDaddy: Domain Settings → DNS Management → DNSSEC
Namecheap: Domain List → Manage → Advanced DNS → DNSSEC
AWS Route 53 (as registrar): Registered Domains → domain → DNSSEC → Manage keys
Enter the values from Cloudflare:
- Key Tag: (from Cloudflare)
- Algorithm: 13 — if not listed, look for “ECDSA Curve P-256 with SHA-256”
- Digest Type: SHA-256
- Digest: (from Cloudflare)
⚠️ If your registrar doesn’t support Algorithm 13, this is a strong signal that switching to Cloudflare Registrar is worth considering. Registrars still requiring older algorithms (like RSA/SHA-256 Algorithm 8) are behind the curve on modern DNSSEC support.
Step 3 — Wait for Propagation
DS records can take up to 24-48 hours to propagate depending on the TLD registry. Cloudflare’s dashboard will show DNSSEC as Pending until it detects the DS record in the parent zone.
Scenario 3: Enabling DNSSEC on a Child Zone (Subdomain Delegation)
This is where order becomes critical. A child zone (e.g., api.example.com delegated to its own Cloudflare zone) requires DNSSEC to be enabled on both the child zone and the parent zone, with the DS record added to the parent after the child is signed.
Prerequisites
- DNSSEC must already be enabled on the parent zone (example.com)
- The child subdomain must be properly delegated with NS records in the parent zone
- The child zone (api.example.com) must be set up as a separate zone in Cloudflare
Step 1 — Verify Parent Zone DNSSEC is Active
Before touching the child, confirm the parent is fully signed:
dig DS example.com @8.8.8.8 +short
# Should return a DS record with key tag, algorithm, and digest
dig DNSKEY example.com @8.8.8.8 +short
# Should return one or more DNSKEY records
If the parent isn’t signed, sign the parent first and wait for it to fully propagate before proceeding.
Step 2 — Verify Subdomain Delegation Exists in Parent
The parent zone must have NS records delegating the child subdomain. In the parent zone (example.com) DNS records:
api.example.com NS ns1.childzone.cloudflare.com
api.example.com NS ns2.childzone.cloudflare.com
These NS records tell resolvers “go ask the child zone’s nameservers about api.example.com.”
Step 3 — Enable DNSSEC on the Child Zone
- Cloudflare dashboard → switch to the child zone (api.example.com)
- Go to DNS → Settings
- Click Enable DNSSEC
- Cloudflare shows you the DS record values for the child zone — copy these values
This step signs the child zone. Do NOT add the DS record to the parent yet.
Step 4 — Verify the Child Zone is Signing Correctly
Before touching the parent, verify the child zone is actually signing records:
# Check DNSKEY records in child zone
dig DNSKEY api.example.com @8.8.8.8 +short
# Check that an A record in the child zone has an RRSIG
dig A api.example.com @8.8.8.8 +dnssec
# The response should include both the A record and an RRSIG record
Or use an interactive DNSSEC checker: enter the zone you want to verify and it will check DS records, DNSKEY records, and full chain validation against Cloudflare’s 1.1.1.1 resolver in real time.
If you see DNSKEY and RRSIG records (or the checker shows “Zone Signed”), the child zone is correctly signing. Proceed to the next step.
Step 5 — Add the DS Record to the Parent Zone
Now you add the child zone’s DS record to the parent zone (example.com):
- Switch to the parent zone (example.com) in the Cloudflare dashboard
- Go to DNS → Records
- Click Add record
- Record type: DS
- Name: api (just the subdomain, not the full name — Cloudflare appends the parent domain)
- Fill in the values from the child zone’s DS record output:
- Key Tag
- Algorithm: 13
- Digest Type: 2
- Digest: (hash value)
- Click Save
This is the moment the chain of trust is established. Resolvers will now validate the child zone using the DS record you just added.
Step 6 — Verify the Full Chain
# Check DS record for child zone appears in parent
dig DS api.example.com @8.8.8.8 +short
# Use DNSViz for a visual full-chain validation
# https://dnsviz.net/ — enter api.example.com
# Use the Verisign DNSSEC Debugger
# https://dnssec-debugger.verisignlabs.com/
A successful chain looks like:
Root (.) → .com DS → example.com DS → api.example.com DNSKEY → api.example.com records
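Steps 4 to 6 hinge on one link: the DS you put in the parent must be the digest of the KSK the child actually publishes. The following is an added example, not Cloudflare’s code or tooling, that recomputes the DS from `dig DNSKEY +short` lines and compares it with `dig DS +short` lines per RFC 4034, so you can check the values before pasting them into the parent and again after the parent publishes them; the owner name and DNSKEY lines it uses are constructed, not real Cloudflare keys.

```python
# Added example (not Cloudflare's code): verify a DS record against a child zone's DNSKEY,
# offline, per RFC 4034. Input is the text output of 'dig DNSKEY <zone> +short' and 'dig DS <zone> +short'.
import base64
import hashlib

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parse_dnskey(line):
    """Turn one 'flags protocol algorithm base64key' line into DNSKEY RDATA bytes."""
    flags, proto, alg, *key = line.split()
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + base64.b64decode("".join(key))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, dnskey_line):
    """DS RDATA (key tag, algorithm, digest type 2, SHA-256 hex) for one DNSKEY line."""
    rdata = parse_dnskey(dnskey_line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def parse_ds(line):
    """Normalise a 'keytag algorithm digesttype digest' line; dig may break the digest with spaces."""
    tag, alg, dtype, *digest = line.split()
    return int(tag), int(alg), int(dtype), "".join(digest).upper()

def matching_ds(owner, dnskey_lines, ds_lines):
    """DS lines that match a KSK (SEP flag set) in the child's DNSKEY set.
    Run before Step 5 on the values you are about to paste and after Step 6 on the
    parent's 'dig DS' output; an empty list means validating resolvers will SERVFAIL."""
    ksk_ds = {ds_from_dnskey(owner, ln) for ln in dnskey_lines if int(ln.split()[0]) & 1}
    return [ln for ln in ds_lines if parse_ds(ln) in ksk_ds]

# Constructed sample: a real Algorithm 13 public key is 64 bytes; "AAA=" is a 2-byte dummy.
CHILD = "api.example.com"
CHILD_DNSKEYS = ["256 3 13 AAA=", "257 3 13 AAA="]  # ZSK, then the KSK the DS must cover

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(CHILD, CHILD_DNSKEYS[1])
    print(f"Add to the parent as DS: {tag} {alg} {dtype} {digest}")
```

Replace the constructed lines with the real output of `dig DNSKEY api.example.com +short` and `dig DS api.example.com +short`; the ZSK line is ignored on purpose, since the DS only ever covers the KSK.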
Common Mistakes and How to Avoid Them
❌ Adding the DS Record Before Signing the Child
What happens: Resolvers immediately try to validate the child zone, find no RRSIG records, and return SERVFAIL. The domain becomes unreachable.
Fix: Remove the DS record from the parent immediately. Wait for TTL to expire. Sign the child zone. Then add the DS record again.
❌ Disabling Child Signing Before Removing the DS Record
What happens: The DS record in the parent still tells resolvers to validate, but there’s nothing to validate against. SERVFAIL.
Fix: Remove the DS record from the parent first. Wait for the DS record’s TTL to expire from all resolver caches. Then disable signing on the child zone.
❌ Forgetting to Check RRSIG Expiration
DNSSEC signatures have an expiration date. If your DNS provider doesn’t automatically re-sign, RRSIGs will expire and validation will fail — silently, with no warning, until users start getting SERVFAIL.
Fix: Use Cloudflare DNS. Cloudflare automatically re-signs before expiration. If using another provider, monitor your RRSIG expiration dates.
❌ Using an Unsupported Algorithm at Your Registrar
Some older registrars don’t support Algorithm 13 (ECDSA P-256). Entering Algorithm 13’s values into a registrar that expects RSA keys will silently fail or create an invalid DS record.
Fix: Use Cloudflare Registrar. Or verify algorithm support before choosing a registrar for DNSSEC-enabled domains.
❌ Not Waiting for DS TTL to Expire During Removal
When removing DNSSEC, the DS record has a TTL — typically 3600 seconds (1 hour) or more. If you disable signing before the cached DS record expires from resolver caches, those resolvers will still try to validate and fail.
Fix: Always wait at least the DS record’s TTL after removing it from the parent before disabling signing on the child.
Verifying DNSSEC End-to-End
These tools give you a complete picture of your DNSSEC state:
DNSViz (dnsviz.net) — Visualizes the full DNSSEC chain graphically. Shows every link from root to your domain with color-coded pass/fail indicators. Invaluable for debugging.
Verisign DNSSEC Debugger (dnssec-debugger.verisignlabs.com) — Checks each component of the chain and reports specific errors.
TravTeks DNSSEC Chain Checker — Enter your parent domain to discover all delegated child zones via Certificate Transparency logs and verify the full chain for each: travteks.com/tools/dnssec-chain-checker
Command line:
# Full DNSSEC chain verification using dig
# Check DS record in parent
dig DS example.com +short
# Check DNSKEY in zone
dig DNSKEY example.com +short
# Check signed record with authentication data flag
dig A example.com +dnssec +adflag
# The 'ad' flag in the response means "Authenticated Data" —
# the resolver validated the DNSSEC chain
The ad (Authenticated Data) flag in a response from a validating recursive resolver is the definitive signal that DNSSEC validation succeeded end-to-end.
The Cloudflare Registrar Recommendation — Why It Matters
The single biggest barrier to DNSSEC adoption is the operational friction of coordinating DS records between your DNS provider and your registrar. When they’re different companies:
- You must manually copy DS record values between dashboards
- You must get the order right
- You must wait for the registrar to update the registry
- You must manage key rollovers across two systems
- If your registrar’s DNSSEC support is poor, you’re stuck
Cloudflare Registrar eliminates all of this. Enable DNSSEC in your DNS settings, and Cloudflare automatically:
- Signs your zone
- Generates the DS record
- Submits it to the registry via EPP
- Publishes CDS/CDNSKEY records for RFC 8078-compliant registries
- Manages key rollovers without any intervention
For child zones on Cloudflare with a Cloudflare parent, you’re still adding the DS record manually within Cloudflare (parent → child), but that’s a copy-paste within the same dashboard — a minute of work rather than a cross-provider coordination exercise.
If you’re managing domains for an organization serious about DNS security, consolidating on Cloudflare for both registration and DNS is the highest-leverage single change you can make.