DNSSEC (Domain Name System Security Extensions) adds a cryptographic signature to your domain's DNS responses so that visitors can verify the DNS answers they receive haven't been tampered with in transit. It's an optional layer of security for your domain. This article covers what DNSSEC does, whether you need it, and how to enable it on .ca domains registered with CanSpace.

Quick summary: DNSSEC protects against DNS spoofing attacks by cryptographically signing your DNS responses. It's optional but recommended for domains where reliability and integrity really matter — banking, government, high-value e-commerce. To enable on a .ca domain registered with CanSpace, open a ticket and provide the DS record details from your DNS provider (or ask us to generate them if we host the DNS).

What DNSSEC does

Normally when a visitor's computer asks "what IP address is yourdomain.ca?", the answer comes back in plaintext. A bad actor in between — at the ISP level, on public Wi-Fi, or at a compromised DNS resolver — can potentially intercept that response and send back a different answer, redirecting visitors to a malicious server. This is called DNS spoofing or cache poisoning.

DNSSEC prevents this by adding digital signatures to every DNS response. The signature is generated by your DNS server using a private key, and can be verified by anyone using the matching public key, which is published in your zone as a DNSKEY record and anchored to the global DNS hierarchy through a DS record in the parent zone. If a response has been tampered with, the signature won't match and DNSSEC-aware resolvers will reject the answer.

Do you need DNSSEC?

For most websites, DNSSEC is a nice-to-have rather than a must-have. It doesn't make your website more secure directly: it doesn't encrypt traffic (that's what HTTPS/TLS does) and it doesn't prevent phishing. What it does protect against is a narrow class of DNS-level attacks that, while real, aren't the most common threat.

Consider enabling DNSSEC if:

  • You run a financial services, government, or healthcare site where trust and data integrity are critical.
  • You've had DNS-related attacks in the past (e.g. domain hijacking attempts).
  • Your site handles high-value transactions and you want the extra layer.
  • You're applying for compliance certifications (some frameworks reference DNSSEC as a best practice).

You can safely skip DNSSEC if:

  • You run a standard business website, blog, or marketing site.
  • Your primary concerns are website security (HTTPS, strong passwords, plugin updates) rather than DNS security specifically.
  • You're comfortable with the baseline DNS integrity that the global DNS system already provides.

How DNSSEC works at the registry level

DNSSEC involves two parts:

  1. Your DNS server signs the zone. Whichever DNS provider hosts your domain's records (our servers, Cloudflare, Amazon Route 53, etc.) generates a pair of cryptographic keys and signs every DNS record in your zone with the private key.
  2. The registry publishes a DS record. The registry for your TLD (CIRA for .ca, Verisign for .com) publishes a Delegation Signer (DS) record in the parent zone that anchors your domain's keys to the global trust chain. Without this DS record at the registry, DNSSEC-aware resolvers won't validate your signatures.

Because the registry-level DS record is what ties everything together, enabling DNSSEC is a two-party process: your DNS provider generates the signing keys, and the registrar (us, for domains registered with CanSpace) submits the DS record to the registry.

Enable DNSSEC on a .ca domain registered with CanSpace

If your DNS is hosted with CanSpace (on our shared hosting or DNS-only plans)

Open a support ticket and ask us to enable DNSSEC. We'll generate the signing keys on our end, submit the DS record to CIRA (the .ca registry), and confirm when it's active. Typical turnaround is a few minutes for the setup and up to 24 hours for CIRA to publish the DS record globally.

If your DNS is hosted externally (Cloudflare, AWS Route 53, your own server)

Your DNS provider needs to generate the signing keys first, then give you the DS record details. The steps depend on the provider:

  • Cloudflare: in the Cloudflare dashboard, go to DNS → Settings, scroll to DNSSEC, click Enable DNSSEC. Cloudflare will show you the DS record details.
  • Amazon Route 53: in the Route 53 console, select your hosted zone, go to DNSSEC signing, enable it. The console will show you the DS record.
  • Your own BIND / PowerDNS server: follow the DNSSEC documentation for your DNS software to generate a Key Signing Key (KSK) and export the DS record.

Once you have the DS record details (you'll need: Key Tag, Algorithm, Digest Type, and Digest), open a support ticket with those four values. We'll submit them to CIRA on your behalf.
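If you want to sanity-check the four DS values your provider shows you against the DNSKEY it publishes, they can be derived from the DNSKEY record itself: the Key Tag follows RFC 4034 Appendix B, and Digest Type 2 is SHA-256 over the owner name in wire format followed by the DNSKEY RDATA (RFC 4509). This is an added example, not CanSpace or CIRA code; the owner name and the 64-byte key are constructed.

```python
"""Derive DS fields (Key Tag, Algorithm, Digest Type, Digest) from a DNSKEY record.
Added example; the sample owner name and key bytes below are constructed."""
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA = 2-byte flags | 1-byte protocol | 1-byte algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, dnskey_text: str) -> dict:
    """Take a DNSKEY in presentation format ("257 3 13 <base64>") and return DS fields
    using Digest Type 2 (SHA-256). Key Tag and Digest are what the registry needs."""
    flags, protocol, algorithm, *key_parts = dnskey_text.split()
    pubkey = base64.b64decode("".join(key_parts))
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm), pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": int(algorithm),
            "digest_type": 2, "digest": digest}


# Constructed sample: a KSK (flags 257) for algorithm 13 (ECDSA P-256) with a dummy
# 64-byte public key of the right length. Not a real key.
SAMPLE_OWNER = "yourdomain.ca."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest']}")
```

Compare the printed Key Tag and Digest with the DS values in your provider's dashboard before pasting them into the ticket; a mismatch usually means the DNSKEY you copied is the ZSK rather than the KSK.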

Other TLDs (.com, .net, .org, etc.)

The process for non-.ca domains is similar — your DNS provider generates the keys, you give us the DS record, we submit it to the registry. The difference is that some TLDs' registries take longer to propagate the DS record (.com and .net are usually fast, some smaller TLDs can take days). Open a ticket with your DS record details and we'll handle the submission.

Verify DNSSEC is active

After we've submitted the DS record and given the registry time to publish it (allow up to 24 hours), you can verify DNSSEC is working with:

  • DNSViz — enter your domain, and it'll show a visual map of the DNSSEC chain. Everything green means it's working.
  • Verisign DNSSEC Analyzer — similar, with a more detailed text-based report.
  • From the command line: dig +dnssec yourdomain.ca should return records with an RRSIG (signature) entry, and the AD (Authenticated Data) flag should be set in the response header. Note that AD is only set by a resolver that performs DNSSEC validation (public validating resolvers such as 1.1.1.1 or 8.8.8.8 do); querying your authoritative name server directly will show RRSIG records but never the AD flag.
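The three outcomes of a dig check (validated, signed but not validated by the resolver you asked, or SERVFAIL from a broken chain) are easy to confuse. This added example (not CanSpace tooling) classifies saved `dig +dnssec` output; the responses it is fed are constructed, not real captures.

```python
"""Classify captured `dig +dnssec <name>` output. Added example; the sample
responses are constructed and the signature/key values in them are placeholders."""
import re


def classify_dig_output(text: str) -> str:
    """Return 'validated', 'signed-not-validated', 'unsigned' or 'servfail'.

    validated            : RRSIG present and the AD flag set by a validating resolver.
    signed-not-validated : RRSIG present but no AD (non-validating resolver, or you
                           asked the authoritative server directly).
    servfail             : validating resolver refused the answer; a stale DS record
                           after a provider move is a common cause. Re-run with
                           `dig +cd` to confirm it is validation and not an outage.
    """
    status = re.search(r"status: (\w+)", text)
    if status and status.group(1) == "SERVFAIL":
        return "servfail"
    flags = re.search(r"^;; flags: ([^;]*);", text, re.M)
    ad = flags is not None and "ad" in flags.group(1).split()
    has_rrsig = re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", text, re.M) is not None
    if has_rrsig and ad:
        return "validated"
    if has_rrsig:
        return "signed-not-validated"
    return "unsigned"


# Constructed sample responses (192.0.2.10 is a documentation address).
VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
yourdomain.ca.\t3600\tIN\tA\t192.0.2.10
yourdomain.ca.\t3600\tIN\tRRSIG\tA 13 2 3600 20240101000000 20231201000000 59409 yourdomain.ca. PLACEHOLDER_SIG
"""
NO_AD = VALIDATED.replace("ra ad;", "ra;")
UNSIGNED = "\n".join(l for l in VALIDATED.splitlines() if "RRSIG" not in l).replace("ra ad;", "ra;")
BROKEN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for label, sample in [("validated", VALIDATED), ("no AD", NO_AD),
                          ("unsigned", UNSIGNED), ("broken", BROKEN)]:
        print(f"{label:>10}: {classify_dig_output(sample)}")
```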

Disabling DNSSEC

If you want to remove DNSSEC later (for example, you're moving DNS providers and the new provider doesn't support it, or you've decided it's more operational overhead than you need), open a support ticket. We'll remove the DS record at the registry. Don't just change DNS providers without removing the DS record first: the DS record at the registry would still point at the old provider's keys, so validating resolvers will reject every answer from the new provider (typically as SERVFAIL) until the DS record is removed and the change propagates.

Ready to enable DNSSEC? Open a support ticket