DNSSEC (Domain Name System Security Extensions) adds an extra level of security to your domain. It ensures DNS records served publicly are authentic and reduces the risk of DNS-related attacks. This guide explains how to enable and use DNSSEC with your domain on WordPress.com.
In this guide
DNSSEC is supported for all domains registered on WordPress.com from 2017 onwards, as long as the domain uses WordPress.com name servers.
To activate DNSSEC for your WordPress.com domain, take these steps:
- Visit your Sites page at https://wordpress.com/sites.
- On the left, click on “Domains“ to view a list of all your domains.
- Click on the domain for which you want to enable DNSSEC.
- On the domain settings page, click on the DNSSEC panel to expand it.
- Click on the toggle button labeled “DNSSEC disabled” to enable DNSSEC. With DNSSEC enabled, the panel will show the DNSKEY and Delegation Signer (DS) records.
- Conversely, click on the “DNSSEC enabled” toggle to disable DNSSEC.
WordPress.com cannot enable DNSSEC on domains registered with another registrar. However, you can transfer your domain registration to WordPress.com and enable DNSSEC using the setting above.
When connecting a domain to WordPress.com from another registrar, you may need to take additional steps if your registrar has enabled DNSSEC.
If your domain is registered with another provider, follow these steps to check the DNSSEC status of your domain:
- Visit Google’s Public DNS Checker.
- Type your domain in the search field.
- Look for the line in the output that starts with
"AD":, which stands for “Authenticated Data.”- If DNSSEC is active and validated, you will see a line in the output of
"AD": true,. - If DNSSEC is not active, you will see
"AD": false,.
- If DNSSEC is active and validated, you will see a line in the output of
To use name servers (recommended method) to connect your domain to WordPress.com, you must disable DNSSEC before you update your DNS to point to WordPress.com.
Your domain’s free SSL will be provisioned only after you disable DNSSEC using these steps:
- Log into your domain registrar or existing DNS management system.
- Locate and turn off DNSSEC; the steps vary, so contact your DNS provider for assistance if needed.
- Complete the domain connection process on WordPress.com as normal.
If you have already updated your name servers to point to WordPress.com, you need to change them back to your previous DNS provider to turn DNSSEC off and then switch them back to WordPress.com.
All DNS changes can take up to 48 hours to propagate fully. Allow time for the changes to take effect.
If you use A Records (alternate method) to connect your domain to WordPress.com, you do not need to turn off DNSSEC to connect your domain. The domain’s free SSL will be provisioned normally.
