Overview
DNSSEC adds an extra layer of security to your domain by preventing DNS spoofing, cache poisoning, and unauthorized DNS modifications. It works by digitally signing your DNS zone, allowing the resolver to verify that DNS responses are authentic.
Important
- DNSSEC can only be enabled if your DNS provider supports it.
- Many registrars and DNS platforms (Cloudflare, some WHMCS registrars) support DNSSEC.
- If your domain uses VexoWeb nameservers, DNSSEC support depends on the registry and our integration with it.
Step 1 – Check your current DNS provider
DNSSEC must be configured where your DNS zone is hosted. This may be:
- VexoWeb DNS (default nameservers)
- Cloudflare DNS
- Another external DNS platform
Step 2 – Get DNSSEC DS records from your DNS platform
You must generate DS records in your DNS provider’s control panel. These usually include:
- Key Tag
- Algorithm
- Digest Type
- Digest
Examples:
Key Tag: 2371 Algorithm: 13 Digest Type: 2 Digest: 3A1FDB67C45EE4B... (long string)
Step 3 – Add DS records to your domain in WHMCS
- Log in at billing.vexoweb.com.
- Click Domains.
- Select your domain.
- Look for 'DNSSEC Management' (or 'Manage DNSSEC').
- Click Add DS Record.
- Enter the values from your DNS provider.
- Save the changes.
Step 4 – Wait for DNS propagation
DNSSEC activation may take several minutes to several hours, depending on the registry.
How to verify DNSSEC
- Use https://dnssec-analyzer.verisignlabs.com/
- Or check on https://dnschecker.org
DNSSEC limitations
- Not all TLDs support DNSSEC.
- Some DNS providers require specific algorithm types.
- Changing nameservers disables DNSSEC until reconfigured.
Need help?
If you cannot find DNSSEC options in your domain panel, open a support ticket — we will check if your TLD and registrar support DNSSEC.
