Home / Tools / Enable DNSSEC to cryptographically protect your DNS records
DNS Security · Scan Check Guide

Enable DNSSEC to cryptographically protect your DNS records

30 min Impact: high Effort: low ✓ Scan-verified — no manual checkbox

DNSSEC adds a cryptographic signature to your DNS records, so a resolver can verify the DNS answer it received actually came from you and wasn't tampered with in transit — without it, DNS spoofing (redirecting your domain's traffic to an attacker's server at the DNS level) is undetectable to the end user.

Without DNSSEC, attackers can intercept DNS queries and redirect your domain to a malicious server — even with HTTPS. DNSSEC cryptographically signs your DNS records.

How to fix it

  1. 1
    Check if your registrar and DNS host support DNSSEC
    Most major registrars (Cloudflare, Namecheap, Google Domains successors) support it — check your specific provider's settings.
  2. 2
    Enable DNSSEC signing at your DNS host
    This is usually a toggle in your DNS provider's dashboard — they handle the key generation and signing automatically.
  3. 3
    Add the DS record at your registrar
    Your DNS host will give you a DS record to add at your domain registrar (which may be a different company) — this is the step people most often miss, since it requires two different accounts.
  4. 4
    Verify propagation
    DNSSEC validation can take 24-48 hours to propagate fully — check back the next day if it doesn't validate immediately.

Common mistakes

How you'll know it's done

DNSSEC validates successfully when checked against your domain — most DNS host dashboards show a clear validated/not-validated status.

Tools that help

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →