How to Enable DNSSEC for Your Domain
DNSSEC cryptographically signs DNS responses for your domain, preventing attackers from tampering with DNS lookups and redirecting your traffic. Here's how to enable it.
What this finding means
Without DNSSEC, an attacker who can intercept or manipulate DNS responses could redirect visitors from your domain to a malicious site without anyone noticing — a technique called DNS cache poisoning. DNSSEC adds a chain of cryptographic signatures to DNS records so that resolvers can verify the responses haven't been tampered with.
Why it matters
- DNS cache poisoning is a real technique that has been used in high-profile attacks
- DNSSEC is increasingly expected for any domain handling sensitive data
- It's a prerequisite for DANE (DNS-based Authentication of Named Entities), which provides an additional layer of TLS certificate verification
- It's a scored finding on most domain security tools
How to enable DNSSEC — step by step
DNSSEC is enabled for the domain as a whole at the registrar level, not on individual DNS records. The process varies by registrar but follows the same pattern.
Step 1: Enable DNSSEC signing at your DNS provider
If your DNS is managed by your registrar (e.g. GoDaddy, Namecheap, Cloudflare), there is usually a one-click DNSSEC toggle in the DNS management or domain settings section.
- Cloudflare: DNS → Settings → DNSSEC → Enable. Cloudflare handles everything automatically including the DS record.
- GoDaddy: My Products → DNS → scroll to DNSSEC → Enable
- Namecheap: Domain List → Manage → Advanced DNS → DNSSEC
Step 2: Publish the DS record in the parent zone
Once DNSSEC is enabled, your DNS provider generates a DS (Delegation Signer) record. This must be published in the parent zone (the TLD registry — e.g. .com, .co.uk). Your registrar typically handles this automatically when you enable DNSSEC. If it doesn't, you'll need to submit the DS record to your registrar manually.
Step 3: Verify the chain of trust
Once the DS record is published, verify that the full DNSSEC chain is intact. You can check this with the Verisign DNSSEC debugger or scan your domain at mydomainrisk.com — the DNSSEC finding will show as resolved.
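If you submit the DS record manually (Step 2), you can check offline that it really matches your zone's DNSKEY before relying on the chain of trust. The following is an added example, not code from the original page or from any provider: the function names and the sample keys are constructed for illustration, and it computes the key tag as defined in RFC 4034 and a SHA-256 (digest type 2) DS digest as defined in RFC 4509.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit folded sum over the RDATA)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_from_dnskey(name, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest_hex) using SHA-256 (type 2)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(ds_text, name, flags, protocol, algorithm, pubkey_b64):
    """Compare DS presentation text ('tag alg type digest') with the DNSKEY."""
    tag, alg, dtype, *digest = ds_text.split()
    published = (int(tag), int(alg), int(dtype), "".join(digest).upper())
    return published == ds_from_dnskey(name, flags, protocol, algorithm, pubkey_b64)

# Constructed sample keys, not real ones.
# 257 = key-signing key flags, 3 = protocol, 13 = ECDSA P-256 with SHA-256.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
OTHER_KEY = base64.b64encode(bytes(range(1, 65))).decode()

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey("example.com", 257, 3, 13, SAMPLE_KEY)
    ds_line = f"{tag} {alg} {dtype} {digest}"
    print("example.com. IN DS", ds_line)
    print("matches signing key:", ds_matches(ds_line, "example.com.", 257, 3, 13, SAMPLE_KEY))
    print("matches other key:  ", ds_matches(ds_line, "example.com", 257, 3, 13, OTHER_KEY))
```

A DS record that does not match any DNSKEY in the zone breaks the chain of trust, and validating resolvers will then fail lookups for the domain rather than fall back to unsigned answers.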
Verify it worked
Scan your domain at mydomainrisk.com — the DNSSEC finding will show as resolved once the chain of trust is confirmed.