DNSSEC

DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring requests are not routed to a spoofed domain.

For additional background on DNSSEC, visit the Cloudflare Learning Center ↗.

---

DNSSECの無効化

If you are onboarding an existing domain to Cloudflare, make sure DNSSEC is disabled at your registrar (where you purchased your domain name). Otherwise, your domain will experience connectivity errors when you change your nameservers.

Provider-specific instructions

This is not an exhaustive list of how to update DS records in other providers, but the following links may be helpful:

• DNSimple ↗
• Domaindiscount24 ↗
• DreamHost ↗
• Dynadot ↗
• Enom ↗
• Gandi ↗
• GoDaddy ↗
• Hostinger ↗
• Hover ↗
• InMotion Hosting ↗
• INWX ↗
• Joker.com ↗
• Name.com ↗
• Namecheap ↗
• NameISP ↗
• Namesilo ↗
• OVH ↗
• Squarespace ↗
• Registro.br ↗
• Porkbun ↗ (do not fill out keyData)
• TransIP ↗

Why you have to disable DNSSEC

When your domain has DNSSEC enabled ↗, your DNS provider digitally signs all your DNS records. This action prevents anyone else from issuing false DNS records on your behalf and redirecting traffic intended for your domain.

However, having a single set of signed records also prevents Cloudflare from issuing new DNS records on your behalf (which is part of using Cloudflare for your authoritative nameservers). So if you change your nameservers without disabling DNSSEC, DNSSEC will prevent Cloudflare’s DNS records from resolving properly.

ノート

If your previous provider allows you to add DNSKEY records on the zone apex and use these records in responses to DNS queries, refer to this migration tutorial to learn how to migrate a zone with DNSSEC enabled.

---

DNSSECの有効化

DNSSECを有効にすると、Cloudflareはあなたのゾーンに署名し、公開署名鍵を公開し、DSレコードを生成します。

ステップ1 - CloudflareでDNSSECを有効化

1. Log in to the Cloudflare dashboard ↗ and select your account and domain.
2. Go to DNS > Settings.
3. For DNSSEC, click Enable DNSSEC.
4. In the dialog, you have access to several necessary values to help you create a DS record at your registrar. Once you close the dialog, you can access this information by clicking DS record on the DNSSEC card.

ステップ2 - レジストラにDSレコードを追加

Add the DS record to your registrar. If Algorithm 13 - Cloudflare’s preferred cipher choice - is not listed by your registrar, it may also be called ECDSA Curve P-256 with SHA-256.

Provider-specific instructions

This is not an exhaustive list of how to update DS records in other providers, but the following links may be helpful:

• DNSimple ↗
• Domaindiscount24 ↗
• DreamHost ↗
• Dynadot ↗
• Enom ↗
• Gandi ↗
• GoDaddy ↗
• Hostinger ↗
• Hover ↗
• InMotion Hosting ↗
• INWX ↗
• Joker.com ↗
• Name.com ↗
• Namecheap ↗
• NameISP ↗
• Namesilo ↗
• OVH ↗
• Squarespace ↗
• Registro.br ↗
• Porkbun ↗ (do not fill out keyData)
• TransIP ↗

Note:

Cloudflare automatically adds DS records for domains using Cloudflare Registrar or those using .ch and .cz top-level domains.

---

その他のDNSSEC設定オプション

CloudflareをセカンダリDNSプロバイダーとして使用しており、セカンダリゾーンでDNSSECを設定したい場合は、設定に応じて3つのオプションがあります。

サブドメインゾーンでDNSSECを設定したい場合は、サブドメインDNSSECを参照してください。

---

制限事項

レジストラがCloudflareの推奨暗号選択（アルゴリズム13）でDNSSECをサポートしていない場合、いくつかのオプションがあります：

• レジストラに連絡して、最新の暗号化によるDNSSECを依頼する。
• アルゴリズム13でDNSSECをサポートしている別のレジストラにドメインを移管する。
• レジストラの不遵守を理由にICANNに苦情を申し立てる ↗。

トップレベルドメインがアルゴリズム13（ECDSA Curve P-256 with SHA-256としても知られる）でDNSSECをサポートしていない場合は、そのトップレベルドメインに連絡してください ↗。