Cloudflare DNSSEC migration guide
This guide helps teams plan DNSSEC migration to Cloudflare by reviewing current DS records, Cloudflare DNSSEC settings, registrar coordination, validation timing, rollback considerations, and post-cutover DNSSEC checks.
Step by step
Implementation steps
1. Inventory the current DNSSEC state: which zones are signed, the DS records currently published for each at the registrar and in the parent zone, the algorithms and key tags in use, and which of your own resolvers and dependencies validate.
2. Decide the signing model. This guide assumes Cloudflare-managed DNSSEC: Cloudflare generates the keys and signs the zone, which requires that Cloudflare be the only authoritative DNS for it.
3. If a zone is already signed elsewhere, plan the unsigned transition window: remove the DS record at the registrar first, wait for the parent's DS TTL and the old provider's DNSKEY TTL to expire so that no validator still holds a cached DS, and only then proceed with the move. Changing nameservers or keys while the old DS is still cached makes the zone bogus for those validators.
4. Migrate the zone to Cloudflare DNS and confirm records resolve correctly with DNSSEC still disabled.
5. Enable DNSSEC in the Cloudflare dashboard and copy the DS record it generates (Cloudflare-managed DNSSEC uses algorithm 13, ECDSAP256SHA256, with a SHA-256 digest, digest type 2). Submit it to the domain registrar, which publishes it in the parent zone.
6. Validate the chain of trust before announcing completion: confirm the DS is visible in the parent zone (`dig DS <zone>`), then query through a DNSSEC analyzer and several validating resolvers and check for the AD flag rather than SERVFAIL.
7. Document rollback in the safe order: remove the DS record at the registrar, wait for the parent's DS TTL to expire, and only then disable signing in Cloudflare. Disabling signing while the DS is still published breaks resolution for every validating resolver.
Risk register
Risks to control
- Risk: Re-signing before the old DS record and keys have expired from resolver caches causes validation failures (SERVFAIL). Control: Always pass through a clean unsigned window at least as long as the parent's DS TTL and the old provider's DNSKEY TTL, plus a safety margin, before enabling Cloudflare DNSSEC.
- Risk: The DS record is submitted to the registrar with the wrong algorithm, key tag, or digest. Control: Copy the exact DS record Cloudflare generates, then read it back from the registrar and from the parent zone (`dig DS <zone>`) and confirm that key tag, algorithm, digest type, and digest all match.
- Risk: The registrar is slow to propagate DS changes, leaving a broken chain of trust. Control: Confirm registrar DS-update support and timing up front; some TLDs and registrars require manual or delayed DS changes, and not every registrar accepts algorithm 13, which is what Cloudflare uses.
- Risk: Split-horizon or multi-provider DNS breaks under a single-signer model, because an unsigned answer from any other authoritative server fails validation once the DS is published. Control: Identify every external DNS provider answering for the same zone and consolidate authority on Cloudflare before enabling DNSSEC.
- Risk: Validating resolvers cache a failure during the transition. Control: Lower the DNSKEY TTL at the old provider ahead of time where it allows that (the DS TTL is set by the parent zone and is not under your control), and monitor validation across several public resolvers after the change.
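The DS record Cloudflare hands you is fully determined by the zone's DNSKEY, so it can be checked rather than trusted. The following is an added example, not code from Cloudflare or from this guide's publisher, that derives a DS record from a DNSKEY the way RFC 4034 defines it and compares it field by field with the text a registrar stored; it covers step 5 of the procedure above and the wrong-key-tag/algorithm/digest risk in the register. The DNSKEY it uses is a constructed sample with a dummy 64-byte key; the algorithm (13, ECDSAP256SHA256) and digest type (2, SHA-256) are the ones Cloudflare-managed DNSSEC publishes. Only the Python standard library is used.

```python
"""Derive a DS record from a DNSKEY (RFC 4034) and check it against what the
registrar stored.  Added example: not Cloudflare's code and not this guide's.
The DNSKEY below is a constructed sample with a dummy public key."""
import base64
import hashlib
from dataclasses import dataclass

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605).  Cloudflare publishes type 2.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, ending with the zero-length root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm,
    then the raw public key that the zone file shows base64-encoded."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the whole RDATA
    (valid for every algorithm except the obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = H(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    return DIGEST_ALGOS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

    @classmethod
    def parse(cls, text: str) -> "DS":
        """Parse '<key tag> <algorithm> <digest type> <hex digest>', the order in
        which Cloudflare, `dig DS` and most registrar panels show it.  Registrars
        often display the digest in space-separated groups, so groups are joined."""
        parts = text.split()
        return cls(int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:]).upper())


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> DS:
    """The DS record a parent zone must publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return DS(key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def check_registrar_ds(expected: DS, registrar_text: str) -> list:
    """Compare the DS derived from the live DNSKEY with the text the registrar
    stored.  Returns one message per mismatching field; an empty list means the
    parent's DS will link to the child's key."""
    got = DS.parse(registrar_text)
    problems = []
    for field in ("key_tag", "algorithm", "digest_type", "digest"):
        if getattr(got, field) != getattr(expected, field):
            problems.append(f"{field}: registrar has {getattr(got, field)!r}, "
                            f"DNSKEY implies {getattr(expected, field)!r}")
    return problems


# Constructed sample, not a real key: KSK flags 257, protocol 3, algorithm 13
# (ECDSAP256SHA256, what Cloudflare uses), 64 dummy key bytes of 0x01.
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY = base64.b64encode(b"\x01" * 64).decode("ascii")

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, 257, 3, 13, SAMPLE_PUBKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}")
    # A registrar entry with the algorithm mistyped as 8 (RSASHA256): the chain breaks.
    print(check_registrar_ds(ds, f"{ds.key_tag} 8 {ds.digest_type} {ds.digest}"))
```

In practice, replace the sample with the DNSKEY that `dig DNSKEY <zone> +dnssec` returns from Cloudflare (the record with flags 257 is the KSK, which is the key the DS must match) and with the DS text exactly as the registrar panel shows it. A non-empty result means the chain will not link and the DS has to be corrected before validators pick it up; checking it this way also catches a digest that the registrar silently truncated or re-grouped.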
Output
Useful deliverables
- DNSSEC current-state inventory: signed zones, registrar DS records, algorithms, and validating dependencies.
- Per-zone transition plan with the unsigned-window timing.
- Cloudflare DNSSEC enablement steps and the generated DS record per zone.
- Registrar submission checklist verifying key tag, algorithm, and digest.
- Validation report from a DNSSEC analyzer and multiple validating resolvers.
- Rollback procedure for disabling signing and removing DS records.
FAQ
Frequently asked questions
Common questions teams ask when putting this resource into practice.
Does enabling Cloudflare DNSSEC cause downtime?
Not on its own. The downtime risk comes from a broken chain of trust, for example re-signing before the old DS record has expired from validator caches, or submitting an incorrect DS record. A clean unsigned window and a read-back check of the published DS avoid it.
Can DNSSEC stay enabled while migrating from another DNS provider?
Not under the single-signer model this guide covers. You remove the DS record at the registrar, wait out an unsigned window sized to the DS and DNSKEY TTLs, complete the move to Cloudflare authoritative DNS, then enable signing on Cloudflare and submit the new DS record.
Where does the DS record go?
Cloudflare generates the DNSKEY records and the matching DS record; you submit the DS record to your domain registrar, which passes it to the registry for publication in the parent (TLD) zone, completing the chain of trust.
How do I confirm DNSSEC is working after the change?
Validate the chain with a DNSSEC analyzer and query through multiple validating resolvers with `dig +dnssec`, checking that answers carry the Authenticated Data (AD) flag and are not SERVFAIL. If a resolver returns SERVFAIL but answers normally when the same query is repeated with `+cdflag` (checking disabled), the data exists and DNSSEC validation itself is what failed.
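The confirmation step (step 6 above and this answer) is easiest to get right when the two-query test is scripted, because a plain SERVFAIL does not by itself say whether DNSSEC is to blame. The following is an added example, not code from Cloudflare or from this guide's publisher, that asks each resolver twice, once normally and once with the CD bit set, and classifies the pair. Live use assumes `dig` is installed and the listed public resolvers are reachable; the dig header excerpts at the bottom are constructed for offline use, not captured from a real resolver.

```python
"""Post-cutover DNSSEC check: query validating resolvers with and without the
CD (checking disabled) bit and classify the result.
Added example, not from Cloudflare or this guide's publisher.  Live queries
assume `dig` is installed and the resolvers are reachable; the sample dig
output at the bottom is constructed, not captured."""
import re
import subprocess

# Public resolvers that validate DNSSEC (Cloudflare, Google, Quad9).
RESOLVERS = ("1.1.1.1", "8.8.8.8", "9.9.9.9")

_STATUS = re.compile(r"status: ([A-Z]+)")
_FLAGS = re.compile(r"^;; flags: ([^;]*);", re.MULTILINE)


def parse_dig(output: str) -> tuple:
    """Return (rcode, header flags) from dig's text output.  Empty output
    (timeout, unreachable resolver) yields ("NOANSWER", set())."""
    status = _STATUS.search(output)
    flags = _FLAGS.search(output)
    rcode = status.group(1) if status else "NOANSWER"
    return rcode, (set(flags.group(1).split()) if flags else set())


def classify(normal: tuple, checking_disabled: tuple) -> str:
    """Decide what a resolver's pair of answers means for the zone.

    validated : NOERROR with the AD flag set by a validating resolver.
    bogus     : SERVFAIL normally but NOERROR with +cdflag, i.e. the data is
                there and only DNSSEC validation failed (broken chain of trust).
    insecure  : NOERROR without AD: zone unsigned, or resolver does not validate.
    error:*   : anything else (NXDOMAIN, REFUSED, timeout), not a DNSSEC problem.
    """
    rcode, flags = normal
    cd_rcode, _ = checking_disabled
    if rcode == "NOERROR" and "ad" in flags:
        return "validated"
    if rcode == "SERVFAIL" and cd_rcode == "NOERROR":
        return "bogus"
    if rcode == "NOERROR":
        return "insecure"
    return f"error:{rcode}"


def query(resolver: str, name: str, rtype: str = "A", checking_disabled: bool = False) -> tuple:
    """Run dig once against one resolver with the DO bit set (+dnssec)."""
    cmd = ["dig", f"@{resolver}", name, rtype, "+dnssec", "+tries=1", "+time=5"]
    if checking_disabled:
        cmd.append("+cdflag")
    result = subprocess.run(cmd, capture_output=True, text=True)
    return parse_dig(result.stdout)


def check_zone(name: str, resolvers=RESOLVERS) -> dict:
    """Map each resolver to its verdict.  Disagreement between resolvers right
    after a DS change usually means one of them still holds the old DS in cache."""
    return {r: classify(query(r, name), query(r, name, checking_disabled=True))
            for r in resolvers}


# Constructed dig header excerpts for offline use (not captured from a resolver).
SAMPLE_VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_CD_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(classify(parse_dig(SAMPLE_VALIDATED), parse_dig(SAMPLE_VALIDATED)))  # validated
    print(classify(parse_dig(SAMPLE_SERVFAIL), parse_dig(SAMPLE_CD_OK)))       # bogus
    print(check_zone("cloudflare.com"))  # live run: needs dig and network access
```

Run `check_zone` against every zone once the DS is visible in the parent, and again after the parent's DS TTL has elapsed: a "bogus" verdict from any resolver is the failure mode the risk register warns about and is the signal to start the rollback order (remove the DS first, then wait, then disable signing). An "insecure" verdict from a resolver known to validate means the DS has not reached the parent zone yet, not that signing is broken.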
Nanosek
Plan DNSSEC migration
Nanosek can turn this resource into a practical delivery plan for your environment — with rollback planning, stakeholder alignment, and 24/7 managed operations support.