What is DNSSEC?

The Domain Name System Security Extensions (DNSSEC) are, as the name suggests, a security extension for DNS. They add an extra layer of security to DNS by using digital signatures to ensure the authenticity of DNS data.

In other words, DNSSEC is a security protocol that strengthens DNS protection and serves as the first line of defense against hackers, spoofing, and website hijacking. Generating DNSSEC records and implementing them is highly recommended to protect not only your domain but also your visitors and potential clients. Building trust and strengthening cybersecurity is more than desirable in this uncertain cyber age.

Let's get to work. In the next two chapters, we will explain how to generate DNSSEC records with two popular CDN services: AWS and Cloudflare. Adding the generated DNSSEC records is then a mere formality at popular domain name registrars such as GoDaddy, Network Solutions, Porkbun, IONOS, Hover, Hostinger, Namesilo, Name.com, Namecheap and Domain.com.

Implementing DNSSEC Records with AWS

DNSSEC with Amazon Web Services (AWS) is implemented through their DNS service, Route 53. Along with managing domain names, Route 53 also lets you configure DNS settings.

The following steps are required to enable DNSSEC via AWS:
  1. Log in to your AWS account at https://aws.amazon.com/console/.
  2. From the main menu, select Route 53.
  3. Click on Hosted Zones and select the hosted zone associated with the domain for which you want to enable DNSSEC.
  4. In the hosted zone, locate DNSSEC Signing and click on Enable DNSSEC Signing.
  5. Go to the AWS Key Management Service (KMS) and create a KMS key if you don't already have one.
  6. In Route 53, link the generated KMS key to DNSSEC and confirm the configuration by clicking Save.
  7. Once DNSSEC signing is enabled in Route 53, download the DS Record from the DNSSEC Signing section.
  8. Go to your domain registrar and add the DS record to your domain settings.
  9. Wait a few hours and then verify whether DNSSEC is enabled for your domain using our DNSSEC check tool.

Implementing DNSSEC Records with Cloudflare

The implementation of DNSSEC with the highly popular CDN service Cloudflare is managed via their domain management control panel.

To enable DNSSEC through Cloudflare, follow these steps:
  1. Log in at https://dash.cloudflare.com.
  2. Under Account Home - Websites, click on the domain where you want to implement DNSSEC.
  3. From the options on the left, click on DNS, then select Settings.
  4. Under the DNSSEC section, choose the option Enable DNSSEC.
  5. A new window will open where, after a few seconds, DS records will be automatically generated. The instructions will explain that you need to add these DS records with your domain registrar to enable DNSSEC.
  6. You likely won't need all of the generated DS values, which may include:
    • DS Record
    • Digest
    • Digest Type (e.g. Type-2)
    • Algorithm
    • Public Key
    • Key Tag
    • Flags
    Instead, you'll only need specific ones depending on your domain registrar's requirements. It's advisable to first visit your registrar's control panel (without closing the Cloudflare window) to check what is required for DNSSEC activation.

    Then copy the relevant DS values from the Cloudflare window into your domain registrar's settings. Once this is done, return to the Cloudflare dashboard and click Confirm.
  7. Wait a while for the DNS settings to propagate. Then, verify the DNSSEC protection for your domain using our tool.
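
The DS fields listed in step 6 (Key Tag, Algorithm, Digest Type, Digest) are all derived from the zone's DNSKEY (Flags, Algorithm, Public Key), so a DS copied into a registrar form can be checked offline before you wait for propagation. The following is an added example, not code from this page, Cloudflare or AWS; the function names are hypothetical, and `example.com` and the key bytes are constructed sample values.

```python
import base64
import hashlib
import struct

# DS digest type number -> hash function (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Owner name in canonical wire form: lower-cased, length-prefixed labels."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def make_ds(name, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Derive the DS fields a registrar asks for from the zone's DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGESTS[digest_type](owner_wire(name) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def ds_matches(entered, name, flags, protocol, algorithm, public_key_b64):
    """True only if the DS entered at the registrar is derived from this DNSKEY."""
    if entered["digest_type"] not in DIGESTS:
        return False  # unknown digest type: cannot verify, treat as a mismatch
    expected = make_ds(name, flags, protocol, algorithm, public_key_b64,
                       entered["digest_type"])
    # Registrar forms often show the digest lower-cased or split by spaces.
    entered_digest = "".join(str(entered["digest"]).split()).upper()
    return (int(entered["key_tag"]) == expected["key_tag"]
            and int(entered["algorithm"]) == expected["algorithm"]
            and entered_digest == expected["digest"])

# Constructed sample (not a real key): KSK flags 257, protocol 3, algorithm 13.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE = ("example.com", 257, 3, 13, SAMPLE_KEY)

if __name__ == "__main__":
    ds = make_ds(*SAMPLE)
    print(ds)
    print("correct DS matches:", ds_matches(ds, *SAMPLE))
    print("wrong key tag matches:", ds_matches(dict(ds, key_tag=ds["key_tag"] ^ 1), *SAMPLE))
```

A DS at the registrar that does not match the zone's DNSKEY makes validating resolvers reject the domain's answers, so a mismatch here should be corrected before the record is saved.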

How to check the DNS Security Extension Record Type?

Testing and checking DNSSEC protection, including the DNSSEC record type, for any domain can be performed using our DNSSEC Tool, which provides a very detailed display of all zones:

    Understanding DNSSEC Zones and Record Types
  1. Root Zone
  2. Domain Extension (TLD)
  3. The Domain Itself, which is the most crucial

In addition to extensive Record Type details (DNSKEY, DS, RRSIG, NSEC, NSEC3), including visualizations and the Propagation Time for Each Zone (in seconds), you will also receive a clear conclusion on whether DNSSEC is enabled at the domain level or not.
