DNSSEC (Domain Name System Security Extensions) adds an extra level of security to your domain name. It ensures DNS records served publicly are authentic and reduces the risk of DNS-related attacks. This guide explains how to enable and use DNSSEC with your domain name on WordPress.com.
DNSSEC is supported for all domain names registered on WordPress.com from 2017 onwards, as long as the domain name uses WordPress.com name servers.
To activate DNSSEC for your WordPress.com domain name, take these steps:
- Visit your Sites page at https://wordpress.com/sites.
- On the left, click on “Domains“ to view a list of all your domain names.
- Click on the domain name for which you want to enable DNSSEC.
- On the domain name settings page, click on the DNSSEC panel to expand it.
- Click on the toggle button labeled “DNSSEC disabled” to enable DNSSEC. With DNSSEC enabled, the panel will show the DNSKEY and Delegation Signer (DS) records.
- Conversely, click on the “DNSSEC enabled” toggle to disable DNSSEC.
WordPress.com cannot enable DNSSEC on domain names registered with another registrar. However, you can transfer your domain name registration to WordPress.com and enable DNSSEC using the setting above.
When connecting a domain name to WordPress.com from another registrar, you may need to take additional steps if your registrar has enabled DNSSEC.
If your domain name is registered with another provider, follow these steps to check the DNSSEC status of your domain name:
- Visit Google’s Public DNS Checker.
- Type your domain name in the search field.
- Look for the line in the output that starts with
"AD":, which stands for “Authenticated Data.”- If DNSSEC is active and validated, you will see a line in the output of
"AD": true,. - If DNSSEC is not active, you will see
"AD": false,.
- If DNSSEC is active and validated, you will see a line in the output of
To use name servers (recommended method) to connect your domain name to WordPress.com, you must disable DNSSEC before you update your DNS to point to WordPress.com.
Your domain name’s free SSL will be provisioned only after you disable DNSSEC using these steps:
- Log into your domain registrar or existing DNS management system.
- Locate and turn off DNSSEC; the steps vary, so contact your DNS provider for assistance if needed.
- Complete the domain name connection process on WordPress.com as normal.
If you have already updated your name servers to point to WordPress.com, you need to change them back to your previous DNS provider to turn DNSSEC off and then switch them back to WordPress.com.
All DNS changes can take up to 48 hours to propagate fully. Allow time for the changes to take effect.
If you use A Records (alternate method) to connect your domain name to WordPress.com, you do not need to turn off DNSSEC to connect your domain name. The domain name’s free SSL will be provisioned normally.
