DNSSEC for Registrars

dnssec logo

At Cloudflare, we’re excited about making the Internet safer through the mass deployment of our recently deployed DNSSEC implementation. Cloudflare Universal DNSSEC provides authentication to an otherwise insecure DNS, preventing man-in-the-middle attacks and giving visitors assurance that their connection is safely routed to the right server.

Because trust in DNSSEC is top-down (The root zone verifies the .com zone, and the .com zone verifies the cloudflare.com zone, and so forth), enabling DNSSEC requires a website owner to update the DS record with you, the registrar.

This part is problematic—copying and pasting the DS record opens up the possibility of human error, and adds a layer of complexity for less-savvy users. We want to make DNSSEC as easy to deploy as possible.

If Cloudflare could communicate directly with the registrar or registry, we could activate DNSSEC for every website on Cloudflare automatically and manage their keys without human intervention.

As part of our DNSSEC rollout, we published an Internet Draft alongside CIRA, the .ca registry, proposing a protocol for DNS operators like Cloudflare to do just that: communicate with registrars and registries to automate DNSSEC management.

dnssec logo

Join Us and Make DNSSEC More Accessible for Everybody

Several registries are already planning on adding support, such as NIC Chile (.cl) and eNIC (.ee). If you work for a registrar or registry and are interested in learning more, getting involved in developing the protocol, or adding an integration with Cloudflare, get in touch by emailing dnssec-integration@cloudflare.com

Setting Up Cloudflare Is Easy



Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.


Trusted by millions of Internet properties

Logo doordash trusted by gray
Logo garmin trusted by gray
Logo 23andme trusted by gray
Logo lending tree trusted by gray
NCR logo
Thomson Reuters logo
Logo zendesk trusted by gray