While using Cloudflare daily, I found the free DNSSEC under DNS was not enabled. How can that be? Let’s first see what DNSSEC is.
Domain Name System Security Extensions (DNSSEC) add digital signatures to a domain's DNS records so that resolvers can verify that the records come from the source domain, which helps prevent attacks such as cache poisoning, domain spoofing, and interception. So of course, this should be enabled for the domain bobobk.com.
Enabling DNSSEC mainly involves two parts:
The first part is enabling DNSSEC on Cloudflare to obtain the DS record information that needs to be set.
The second part is adding the DS record information provided by Cloudflare to the domain registrar.
Step 1: Enable DNSSEC on Cloudflare
Open the DNS settings, find DNSSEC, and enable it.
Step 2: Add DS Record in Domain Registrar
Since the domain was purchased on Aliyun, add the record there. If using other registrars, refer to Cloudflare support for detailed instructions.
First, log into the Aliyun console, find your domain, and go to management.
Add the DS record. The following settings appear:
The first three items correspond exactly to the ones in Cloudflare shown in my picture:
- “Key Tag” corresponds to Cloudflare’s “Key Tag”
- “Algorithm” corresponds to Cloudflare’s “Algorithm”
- “Digest Type” corresponds to Cloudflare’s “Digest Type”
- “Digest” corresponds to Cloudflare’s “Digest”
After setting accordingly, you can proceed.
The values look like 2371, 13…256, 2-sha-256; for the Digest, you only need to copy and paste the value from Cloudflare.
After setup, it will take effect within 10 minutes.
You can check whether DNSSEC is enabled using https://dnssec-analyzer.verisignlabs.com.
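The four DS fields are derived from the zone's DNSKEY record, so a registrar entry can be checked locally before waiting for it to propagate. The following is an added example, not part of the original post: it computes the Key Tag and Digest as defined in RFC 4034 and reports which entered fields differ. The function names, the owner name example.com, and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest type -> hash function

def name_to_wire(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Build the DS fields a registrar form asks for from the zone's DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    # The digest covers the canonical owner name followed by the DNSKEY RDATA.
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def ds_mismatches(entered, expected):
    """Return the names of the fields where the registrar entry differs."""
    def norm(value):
        # Ignore case and whitespace, which registrar forms often alter.
        return "".join(str(value).split()).upper()
    return [f for f in expected if norm(entered.get(f, "")) != norm(expected[f])]

# Constructed sample, not a real key: a 64-byte algorithm 13 public key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
EXPECTED = ds_from_dnskey("example.com.", 257, 3, 13, SAMPLE_KEY)

if __name__ == "__main__":
    pasted = dict(EXPECTED, digest=EXPECTED["digest"].lower())  # differs in case only
    wrong = dict(EXPECTED, digest="0" * 64)                     # corrupted digest
    print(EXPECTED)
    print(ds_mismatches(pasted, EXPECTED))
    print(ds_mismatches(wrong, EXPECTED))
```

To use it on a real zone, pass the flags, protocol, algorithm and base64 key from the zone's published DNSKEY record with flags 257, and compare the result with what was typed into the registrar form.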

