Enable DNSSEC
As opposed to the normal process for enabling DNSSEC, DNSSEC with a subdomain setup requires a few additional steps.
To use DNSSEC for a subdomain setup, DNSSEC must be enabled on the parent zone. After enabling DNSSEC on the parent zone, you should wait the minimum TTL value (specified in the SOA record ↗ of the parent zone) to ensure DNS resolvers provide the same DNS query responses.
-
Create the child zone.
-
Make sure the child zone is active on Cloudflare and that DNS resolution is working properly for your subdomain.
-
Enable DNSSEC for the child zone and save the information provided within the DS record output.
-
On the DNS Records ↗ page of the parent zone, add the DS record from the previous step.
-
Add an A record to the child zone to validate DNS resolution.
-
Wait two to six hours. Then, test the A record added in the previous step using multiple DNS resolvers with DNSSEC validation (
1.1.1.1,8.8.8.8, and9.9.9.9). For example, if the A record is fortest.child.example.com:dig test.child.example.com +dnssec @1.1.1.1.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark