Enable DNSSEC
As opposed to the normal process for enabling DNSSEC, DNSSEC with a subdomain setup requires a few additional steps.
To use DNSSEC for a subdomain setup, DNSSEC must be enabled on the parent zone.
Ideally, you should also wait 12 to 24 hours after enabling DNSSEC on the parent zone to ensure DNS resolvers provide the same DNS query responses.
- 
Create the child zone. 
- 
Make sure the child zone is active on Cloudflare and that DNS resolution is working properly for your subdomain. 
- 
Enable DNSSEC for the child zone and save the information provided within the DS record output. 
- 
In the DNS > Records settings of the parent zone, add the DS record from the previous step.  
- 
Add an A record to the child zone to validate DNS resolution. 
- 
Wait two to six hours. Then, test the A record added in the previous step using multiple DNS resolvers with DNSSEC validation ( 1.1.1.1,8.8.8.8, and9.9.9.9). For example, if the A record is fortest.child.example.com:dig test.child.example.com +dnssec @1.1.1.1.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark