DNSSEC
DNSSEC adds a layer of cryptographic verification to DNS so that visitors can trust the answers they receive for your domain. It is powerful, but it must be set up and torn down carefully — a mismatched record can take your domain completely offline.
What DNSSEC Is
DNSSEC (Domain Name System Security Extensions) cryptographically signs your DNS records. When a resolver looks up your domain, it can check the signatures to confirm the answer really came from your authoritative DNS and was not altered in transit.
This protects against DNS spoofing and cache-poisoning attacks, where an attacker tries to hand out forged DNS answers to send your visitors to a fake server. Without DNSSEC, a resolver has no way to tell a genuine answer from a forged one.
When You Need It
DNSSEC is optional for most sites. Consider enabling it when:
- You handle sensitive transactions or logins and want the extra assurance against DNS tampering.
- A compliance requirement or industry standard calls for signed DNS.
- Your registry or registrar requires it for a particular top-level domain.
If none of these apply, a standard DNS setup is perfectly fine. DNSSEC adds operational care that is only worth it when you need the protection.
How DNSSEC Works: DS and DNSKEY
DNSSEC relies on a chain of trust between your DNS provider and your domain's registrar:
- Your DNS provider signs the zone and generates a key pair, publishing the public key as a
DNSKEYrecord. - The provider gives you a DS (Delegation Signer) record — a short digest of that key.
- You publish the DS record at the domain's registrar, which passes it up to the registry for the top-level domain.
- Resolvers follow this chain from the registry down to your zone to verify every answer.
The key point: signing happens at the DNS provider, but the DS record is published at the registrar. Both halves must agree for DNSSEC to validate.
Enabling DNSSEC With Ultra DNS
If your domain uses Ultra Web Hosting's nameservers (see Nameservers), the general flow is:
- Enable DNSSEC signing for your zone on the Ultra side, which produces the DS/DNSKEY details.
- Copy the generated DS record values (key tag, algorithm, digest type, and digest).
- Log into your domain registrar and add that DS record to the domain.
- Allow time for the change to propagate, then verify validation with a DNSSEC checker.
If you are unsure where to retrieve the DS values for a domain hosted with us, open a support ticket and we will provide them.
Enabling DNSSEC With Cloudflare
If your DNS is managed at Cloudflare rather than on Ultra's nameservers, Cloudflare generates the DS record for you and you publish it at your registrar. The steps and Cloudflare-specific guidance live in our Cloudflare docs.
Whichever provider signs your zone, the rule is the same: enable signing at the DNS provider, then publish that provider's DS record at the registrar — never mix DS records from two different providers.
Disabling DNSSEC Safely
Because the DS record at the registrar is what enforces validation, you must remove it before you stop signing. Turning off signing first while the DS record is still published will break resolution immediately. The safe order is:
- Remove the DS record at the registrar first and wait for it to clear from the registry.
- Give it time to propagate so resolvers stop expecting signed answers.
- Then turn off DNSSEC signing at your DNS provider.
Follow this same order any time you migrate DNS providers: pull the old DS record down first, complete the move, and only publish a new DS record once the new provider is signing the zone.