DNSSEC (DNS Security Extensions) adds a layer of authentication to DNS by validating digital signatures across a chain of trust, from the DNS root to the specific record being requested. It protects against cache poisoning attacks, where an attacker redirects users to a malicious site even when a valid web address is entered.
â ī¸
DNSSEC does not encrypt traffic between the end user and the resolver. For confidentiality and integrity at that layer, use DNS over HTTPS (DoH) or DNS over TLS (DoT).
The DNSSEC Configuration dialog opens and shows the DS record details for the zone â copy the value in the DS record field.
Paste the DS record value into your domain registrar's control panel.
đĄ
If you are transferring a DNS zone from another provider, disable DNSSEC at the old provider first and wait for the DS record TTL to expire before enabling it here.
DS propagation can take up to an hour at most registrars, and up to 24 hours in some cases. The DNSSEC toggle remains OFF until CDB confirms the DS record at your registrar â once confirmed, the toggle switches to ON and the zone's DNSSEC status changes to active.
âšī¸
To view the DS record again after closing the dialog, click the DNSSEC toggle â the confirmation and DNSSEC Configuration dialogs reopen.
DNSSEC status lifecycle
After enabling DNSSEC, the zone moves through a lifecycle driven by what CDB observes at your domain registrar â not just by your request. CDB periodically scans the registrar for the DS record and updates the zone's DNSSEC status accordingly.
Status
Meaning
Action required
pending
DNSSEC is enabled, signing keys are generated, but CDB has not yet detected the DS record at the registrar.
Add the DS record CDB provided to your registrar.
active
A valid DS record is detected at the registrar. The chain of trust is established.
None â DNSSEC is working.
pending-disabled
Disable was requested, but a DS record is still published at the registrar.
Remove the DS record at the registrar to complete the process.
disabled
DNSSEC is off and no DS record is present.
None.
The transition from pending to active can take from a few minutes to several hours, depending on your registrar's propagation speed and the DS record's TTL. Once active, the status remains active â removing the DS record at the registrar does not automatically change it.
Disable DNSSEC
â ī¸
Remove the DS record from your registrar before disabling DNSSEC in CDB. If DNSSEC is disabled in CDB while the DS record is still published, resolvers will try to validate signatures that no longer exist, causing DNS resolution failures.
Remove the DS record from your domain registrar's control panel.
Wait for the DS record TTL to expire so cached records clear.
In the Customer Portal, turn off the DNSSEC toggle for the zone.
The DNS API supports enabling and disabling DNSSEC, retrieving DS records, checking zone status, and verifying DS propagation at the registrar. The Python and Go SDKs cover enable, get DS record, and disable operations.
âšī¸
An API token is required. Set these environment variables before running the examples:
Enabling DNSSEC generates signing keys for the zone and returns the DS (Delegation Signer) record â the ds field in the response contains the complete DS record string to add at your registrar.
Copy the ds field value from the response and add it to your registrar's control panel. The zone enters the pending state until CDB detects the DS record at your registrar, which can take from a few minutes to several hours.
Get DS record
To retrieve the DS record for a zone that already has DNSSEC enabled:
The zone response includes two fields that reflect the current DNSSEC state, updated by CDB's periodic scan of your registrar:
dnssec_status â the current lifecycle state: pending, active, pending-disabled, or disabled
dnssec_status_modified_on â RFC 3339 timestamp of the last status change
Both fields are absent from the response if DNSSEC has never been enabled on the zone. A missing field is not an error â it means the zone has no DNSSEC history.
Status
Meaning
pending
DNSSEC enabled, keys generated, DS record not yet detected at the registrar
active
DS record detected at the registrar â chain of trust established
pending-disabled
Disable requested, DS record still present at the registrar
disabled
DNSSEC off, no DS record present
The transition from pending to active can take from a few minutes to several hours, depending on your registrar's propagation speed and the DS record's TTL. Once active, the status remains active â removing the DS record at the registrar does not automatically change it. To turn DNSSEC off, use the disable endpoint.
To check the current status, fetch the zone and inspect the dnssec_status field:
dnssec_status is distinct from the top-level status field â status reflects zone delegation to CDB nameservers, while dnssec_status reflects the DNSSEC lifecycle.
Check DS record at registrar
To verify whether a valid DS record is currently detected at the registrar, use the parent-ds endpoint:
If a DS record is still published at the registrar when the request is sent, the API returns 409 Conflict. This protects against breaking DNS validation â resolvers reject responses if the DS record points to keys that no longer exist.
To proceed despite the active DS record, pass force_disable: true in the request body. The zone moves to pending-disabled immediately and transitions to disabled once the DS record is removed at the registrar:
After disabling, wait for the DS record TTL to expire before considering the transition complete â cached records at upstream resolvers remain valid until the TTL passes.