DNSSec All The Things – An Easy (and free) Way

DNSSec is a technology that adds a layer of protection so that domain names and websites like this one are more resistant to being hijacked by a spoofed domain. In this case it provides an additional layer of authentication to allow a DNS resolver to prove that the answers it got are valid and not tampered with. In this case, a validating DNS resolver will reject answers that are invalid or spoofed.

Unfortunately, DNSSec is one of those security technologies that can be challenging to manage, even for technical people. Many DNS providers offer to provide and manage it for an additional fee.

Some configurations, however, are simple and free to set up. In the case of this site, we front the site via CloudFlare and use GoDaddy as the registrar.

Even on the free plan we can enable DNSSec on CloudFlare. If you need help, they also provide comprehensive documentation on what to do for many registrars.

Enabling DNSSec with CloudFlare and GoDaddy

So lets enable DNSSec for this domain.

First we need to log on to the CloudFlare dashboard [1], select our domain and go to DNS > Settings. Here we see a button to enable DNSSec. It also points you to useful help.

We click on Enable DNSSEC and get the information we need for the registrar to add the DS record; which acts as the glue code between the top level domain (.com in our case) and this domain. Note that not all top level domains support DNSSec, but all the major ones do.

If you aren’t using Premium DNS, GoDaddy provide five free DNSSec credits to use on domains they manage, but as the DNS is delegated to CloudFlare we can just add the DS records without further cost. Here we log on to GoDaddy, go to the domain > DNS > Manage DNS > DS Records. We then fill out the form as required.

Once saved we will see the record in the portal.

CloudFlare then confirms that activation is pending whilst the DS record propagates to all the top level DNS servers.

Once this has completed we will see confirmation on the CloudFlare console.

We can also confirm all the parts involved are correctly configured via my go-to DNSSec validator – DNSViz [2]

It’s that simple. Now we are protected by DNSSec with CloudFlare managing all the complexities for us – and for free.


[1] https://dash.cloudflare.com/
[2] https://dnsviz.net/d/simulatedattack.com/dnssec/

Leave a Comment

Your email address will not be published. Required fields are marked *