DNSSEC explained, and how to turn it on at popular Australian registrars

Your scanner says DNSSEC is not enabled. Here is what that actually means for your domain, why it matters, and how to flip it on at GoDaddy, Crazy Domains, Cloudflare, and Synergy Wholesale.

Andre Reis

DNSSEC stands for Domain Name System Security Extensions. If your scan flagged it as not enabled, that means anyone on the path between a customer and your website can theoretically swap your DNS responses for fake ones, sending visitors to a phishing site instead of yours. DNSSEC is the protocol that stops that. It signs your DNS records so that a validating resolver gets cryptographic proof that the answer came from the real owner of your domain and was not altered on the way.

It takes about ten minutes to enable, costs nothing, and removes one of the oldest classes of web attack. This article explains what DNSSEC does, why most domains still don't have it on, and the exact steps to turn it on at the registrars Australian small businesses tend to use.

Why DNS without DNSSEC is risky

When a customer types yourbusiness.com.au into a browser, their computer asks a chain of DNS servers "what is the IP address for this name?" and trusts whatever answer comes back. Without DNSSEC, that trust depends entirely on the name servers behaving honestly and the network in between not being tampered with.

Two real attack patterns exploit this:

  1. DNS cache poisoning: an attacker tricks a public DNS resolver (the kind your ISP runs) into caching a fake answer for your domain. Every customer of that ISP then gets the fake IP. They land on a clone of your site with a stolen logo asking for credit card details.
  2. Local network attacks: on hotel and cafe Wi-Fi, an attacker on the same network can intercept DNS queries from anyone using that network and inject false responses. Customers checking their email on the way to a meeting are the typical victims.

Both attacks are old, both still work against domains without DNSSEC, and both have been used against Australian businesses. The 2008 Kaminsky bug made the cache poisoning version famous. It is still the textbook reason DNSSEC exists.

What DNSSEC actually does

DNSSEC adds digital signatures to DNS responses. When a DNSSEC-aware resolver asks for your IP, the answer comes back signed with a cryptographic key. The resolver then verifies that signature against a public key published in your DNS. The parent zone (.com.au, in most cases) vouches for that public key by publishing a signed fingerprint of it (the DS record), and the parent's own key is vouched for the same way by the root DNS zone, whose key validating resolvers are configured to trust.

The result is a chain of trust from the root of the internet down to your domain. Any tampering anywhere along the way breaks a signature, and the resolver discards the answer. Your customers get an error instead of being silently redirected to an attacker's site.

For an Australian business, the practical effect is:

  • Customer DNS lookups for your domain can no longer be tampered with on the way back.
  • Receiving mail servers verifying your SPF, DKIM, or DMARC TXT records get authenticated answers, which slightly improves email deliverability.
  • You meet the implicit modern security baseline that the Australian Signals Directorate, the OAIC, and most enterprise procurement questionnaires now expect.

How to enable it (the three steps)

Enabling DNSSEC always involves the same three pieces, even though the click paths differ between providers.

Step 1: figure out where your DNS actually lives

Your DNS provider is whoever runs the name servers your domain points at. It is often, but not always, the same as your registrar. Common splits:

  • Domain bought at GoDaddy, but DNS hosted at Cloudflare. DNS provider is Cloudflare.
  • Domain bought at Crazy Domains, DNS hosted at Crazy Domains. DNS provider is Crazy Domains.
  • Domain bought through a developer at Synergy Wholesale, DNS hosted at AWS Route 53. DNS provider is AWS.

Whichever it is, that is where step 2 happens.

Step 2: ask your DNS provider to sign the zone

This generates a Key Signing Key (KSK) and a Zone Signing Key (ZSK). Most modern DNS providers do this automatically with a single click. From the Key Signing Key the provider derives a small piece of data called a DS record, which is a hash of that key's public half. You don't generate the DS record by hand; the DNS provider gives it to you.

Step 3: publish the DS record at your registrar

The DS record (Delegation Signer) is what tells the parent zone (.com.au, .com, etc.) which key your DNS provider is using. It is published at the registrar, not at the DNS provider. This is the step that completes the chain of trust to the root.

Once the DS record propagates (usually 15 minutes to 24 hours), DNSSEC is fully active.

Step by step at common Australian registrars

GoDaddy

GoDaddy is by far the largest registrar among Australian small businesses. If GoDaddy hosts both your domain and your DNS, the DS record is auto-published when you enable DNSSEC.

  1. Sign in to GoDaddy.
  2. My Products, find your domain, DNS.
  3. Scroll to the Advanced features section.
  4. Click Manage next to DNSSEC.
  5. Click Add DNSSEC. GoDaddy generates and publishes everything automatically.

Wait 15 minutes, then verify (see "How to check it worked" below). If you use GoDaddy for the domain but Cloudflare or another DNS host, see the Cloudflare section instead.

Crazy Domains

Crazy Domains supports DNSSEC for .com.au, .net.au, .org.au, .com, and most other TLDs. Both the domain and DNS must be at Crazy Domains for the auto-enable path.

  1. Sign in to Crazy Domains.
  2. Manage the domain.
  3. Click the Advanced DNS tab.
  4. Look for the DNSSEC section.
  5. Toggle DNSSEC on. Confirm.

If your DNS is hosted elsewhere, Crazy Domains shows fields to enter the DS record manually. Get the DS record from your actual DNS provider and paste it here.

Cloudflare

Cloudflare is a DNS provider, not a registrar, for most Australian businesses. So you enable signing at Cloudflare and publish the DS record at your actual registrar (typically GoDaddy, Crazy Domains, or Synergy Wholesale).

  1. Sign in to Cloudflare.
  2. Select the domain, DNS, Settings.
  3. Scroll to DNSSEC and click Enable DNSSEC.
  4. Cloudflare displays the DS record values. Keep this tab open.
  5. In a separate tab, sign in to your registrar.
  6. Find the DNSSEC section for the domain.
  7. Add a new DS record with the values Cloudflare gave you.
  8. Save.

If your registrar is GoDaddy, the path is My Products, Domain, DNS, Manage DNSSEC, Add DS Record. The Key Tag, Algorithm, Digest Type, and Digest fields all map to the values Cloudflare displayed.

Synergy Wholesale

Synergy Wholesale is the wholesaler many Australian web developers use. End-customer access depends on what your developer set up. If you can sign in directly:

  1. Sign in to the Synergy Wholesale dashboard.
  2. Domains, click the domain.
  3. DNSSEC tab.
  4. Toggle Enabled.

If your developer manages it, ask them to enable DNSSEC and confirm the registrar shows a published DS record.

Netregistry

Netregistry's interface has changed several times. As of 2026 the path is:

  1. Sign in to the Netregistry control panel.
  2. Manage Domain for the domain.
  3. DNS Management, DNSSEC.
  4. Click Enable DNSSEC. The DS record auto-publishes if Netregistry also hosts your DNS.

If your DNS is at a third party, paste the DS record from that provider into the Netregistry DNSSEC form.

How to check it worked

The fastest verifier is dnssec-analyzer.verisignlabs.com. Paste your domain in. If everything is right, you'll see a chain of green checkmarks from the root down through .au and .com.au to your domain.

Equally good: our free scanner. The DNS section reports DNSSEC status as one of the first checks. After enabling, allow up to 24 hours for parent-zone propagation, then re-scan. The DNSSEC card should flip from "not enabled" to "enabled".

If it doesn't flip after 24 hours, the most common causes are:

  • The DS record at the registrar doesn't match the keys at the DNS provider. Re-copy them.
  • The DS record was entered at the registrar but you haven't pressed save or activate.
  • Your DNS provider doesn't sign your zone. Confirm step 2 above happened.
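The first cause above, a DS record that doesn't match the provider's key, can be checked offline. This is an added example, not code from this article or from any registrar: it derives the Key Tag, Algorithm, Digest Type, and Digest from a DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest) and lists which fields differ from what was typed into the registrar form. The function names and the 64-byte keys are constructed placeholders, and 257/3/13 (KSK flags, protocol, ECDSA P-256) are assumed values for a typical signed zone.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical DNS wire form: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Derive the DS fields (digest type 2 = SHA-256) a registrar form asks for."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": digest}

def mismatched_fields(expected, entered):
    """Names of DS fields where the registrar entry differs from the derived DS."""
    def norm(field, value):
        if field == "digest":  # pasted digests often carry spaces or lowercase hex
            return "".join(str(value).split()).upper()
        return int(value)
    return [f for f in expected if norm(f, expected[f]) != norm(f, entered[f])]

# Constructed sample data: placeholder 64-byte keys, not real DNSSEC keys.
OLD_KSK = base64.b64encode(bytes(range(64))).decode()
NEW_KSK = base64.b64encode(bytes(range(64, 128))).decode()
ZONE = "yourbusiness.com.au"

if __name__ == "__main__":
    at_registrar = ds_from_dnskey(ZONE, 257, 3, 13, OLD_KSK)  # DS pasted earlier
    at_provider = ds_from_dnskey(ZONE, 257, 3, 13, NEW_KSK)   # key after a DNS move
    print("DS to publish:", at_provider)
    print("Fields that differ:", mismatched_fields(at_provider, at_registrar))
```

An empty list means the registrar entry matches the provider's key; any listed field is the one to re-copy.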

Why DNSSEC isn't on by default

DNSSEC adds a small operational burden. If your DNS provider's signing keys ever go out of sync with the DS records at your registrar, your domain stops resolving for everyone. The whole site goes dark. So providers default to off, leaving the choice to the customer.

The risk is real but manageable. As long as you don't migrate DNS providers without cleaning up the DS record at your registrar first, signing is set-and-forget. Modern providers also handle key rotation automatically.

The modern internet baseline expects DNSSEC. Australia's .gov.au zones require it. Most enterprise procurement security questionnaires ask for it. Your free-scan grade improves once you turn it on. There is essentially no good reason for a domain that takes payments or sends business email to leave it disabled in 2026.

Run the free scan

Run our free scanner on your domain and you'll see in the DNS and Threat Intel section whether DNSSEC is enabled, whether your registrar shows a valid DS record, and which step in the three-step chain (if any) is broken.
