How to request DS record through Azure for DNSSEC setup

Question

How to request DS record through Azure for DNSSEC setup

Joe K 0

When I have a Public DNS Zone hosted in Azure, for a domain that was also registered through Azure, how do I set up DNSSEC for that domain? Specifically, I need to how to request, through Azure, that a DS record be created for my domain in the parent zone (in this case the com TLD)

Joe K 0 Reputation points

2026-02-19T12:15:46.42+00:00

Not sure how to take this conversation private, but I'm happy to elaborate here, just to confirm. We have a relatively high (20+ and expected to rise) number of domains in use on our platform. The name registrations, DNS zones and integration with apps and services are all managed using bicep templates and deployment automation. I understand that I can use an external registrar and still maintain most of our current set up, however, having external dependencies outside of this management chain is obviously less than ideal, especially in volume. Aside from getting these domains transferred, there would be required ongoing maintenance and oversight with a separate vendor.

So, just to confirm, the official recommendation from Microsoft with respect to their product (App Service Domain / Microsoft.DomainRegistration/domains) is that it cannot be used in a secure configuration (with DNSSEC enabled), there is no workaround for enabling DNSSEC, and there is no timeline or roadmap for addressing this issue; rather the recommendation to use a different vendor, is that correct?
TP 155.2K Reputation points Volunteer Moderator

2026-02-19T13:46:53.6666667+00:00

@Joe K The is a Private messages link below your question. Please click that.
Vallepu Venkateswarlu 6,830 Reputation points Microsoft External Staff Moderator

2026-02-19T18:35:36.22+00:00

Hi @ Joe Klecha,

Thank you for the clarification.

To confirm based on current Microsoft documentation:

App Service Domain (Microsoft.DomainRegistration/domains) does not support DNSSEC because it does not allow publication of a DS record in the parent zone. This is a documented product limitation.

There is currently no supported method, API, or support process to enable DNSSEC for domains registered through App Service Domain. Therefore, DNSSEC cannot be enabled for those domains.

This does not mean that App Service Domain cannot be used securely, it can still support HTTPS, TLS certificates, and other security controls. However, DNSSEC chain-of-trust cannot be established under the current product capabilities.

At this time, there is no publicly published roadmap indicating planned DNSSEC support for App Service Domain.

If this capability is important at scale, the appropriate channel would be to submit feedback through Azure Feedback using the link: App Domain Services should support Azure DNSSEC

I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

Please "upvote" if the information helped you. This will help us and others in the community as well.

2 answers

Your answer

Joe K 0 Reputation points

2026-02-19T12:15:46.42+00:00

Not sure how to take this conversation private, but I'm happy to elaborate here, just to confirm. We have a relatively high (20+ and expected to rise) number of domains in use on our platform. The name registrations, DNS zones and integration with apps and services are all managed using bicep templates and deployment automation. I understand that I can use an external registrar and still maintain most of our current set up, however, having external dependencies outside of this management chain is obviously less than ideal, especially in volume. Aside from getting these domains transferred, there would be required ongoing maintenance and oversight with a separate vendor.

So, just to confirm, the official recommendation from Microsoft with respect to their product (App Service Domain / Microsoft.DomainRegistration/domains) is that it cannot be used in a secure configuration (with DNSSEC enabled), there is no workaround for enabling DNSSEC, and there is no timeline or roadmap for addressing this issue; rather the recommendation to use a different vendor, is that correct?
TP 155.2K Reputation points Volunteer Moderator

2026-02-19T13:46:53.6666667+00:00

@Joe K The is a Private messages link below your question. Please click that.
Vallepu Venkateswarlu 6,830 Reputation points Microsoft External Staff Moderator

2026-02-19T18:35:36.22+00:00

Hi @ Joe Klecha,

Thank you for the clarification.

To confirm based on current Microsoft documentation:

App Service Domain (Microsoft.DomainRegistration/domains) does not support DNSSEC because it does not allow publication of a DS record in the parent zone. This is a documented product limitation.

There is currently no supported method, API, or support process to enable DNSSEC for domains registered through App Service Domain. Therefore, DNSSEC cannot be enabled for those domains.

This does not mean that App Service Domain cannot be used securely, it can still support HTTPS, TLS certificates, and other security controls. However, DNSSEC chain-of-trust cannot be established under the current product capabilities.

At this time, there is no publicly published roadmap indicating planned DNSSEC support for App Service Domain.

If this capability is important at scale, the appropriate channel would be to submit feedback through Azure Feedback using the link: App Domain Services should support Azure DNSSEC

I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

Please "upvote" if the information helped you. This will help us and others in the community as well.

Answer 1

Hi @ Joe Klecha,

Welcome to Microsoft Q&A Platform. User's image

App Service Domain (Microsoft.DomainRegistration/domains) does not support DNSSEC because it does not allow publication of a DS record in the parent zone. This is a documented product limitation.

If your domain was registered through Azure App Service Domain, then:

You cannot enable DNSSEC
You cannot publish a DS record in the parent zone (.com)

There is currently no supported method, API, or support process to enable DNSSEC for domains registered through App Service Domain. Therefore, DNSSEC cannot be enabled for those domains.

This does not mean that App Service Domain cannot be used securely, it can still support HTTPS, TLS certificates, and other security controls. However, DNSSEC chain-of-trust cannot be established under the current product capabilities.

At this time, there is no publicly published roadmap indicating planned DNSSEC support for App Service Domain.

If this capability is important at scale, the appropriate channel would be to submit feedback through Azure Feedback using the link: App Domain Services should support Azure DNSSEC

Ref: How to sign your Azure Public DNS zone with DNSSEC

If the solution is not helpful, please share the required details so we can connect on a Teams call and troubleshoot the issue together.

Pleaseand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.*

Answer 2

TP 155.2K Volunteer Moderator

Hi Joe,

How long has it been since you registered the App Service Domain? If it has been over 60 days, I strongly recommend you transfer the domain away from Azure (GoDaddy/Wild West Domains) to a domain registrar. Often the transfer completes in less than a week and then you will have full ability to add DS record.

I no longer recommend App Service Domain to people due to all the issues and limitations (no ability to do DNSSEC is just one limitation).

To transfer to different registrar you will need authorization code. You may open Azure Cloud Shell (PowerShell mode) and execute command similar to below from App Service team blog (replace subscription id, resource group, domain name):

Invoke-AzRestMethod -Path "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP-NAME>/providers/Microsoft.DomainRegistration/domains/<DOMAIN-NAME>/transferout?api-version=2021-02-01" -Method PUT

In the output from the command, you need authCode, which is what you will provide the new domain registrar when requesting transfer in.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Joe K 0 Reputation points

2026-02-18T22:28:13.8866667+00:00

The domains have been registered in just the past couple weeks. The decision was made to register the domains through Azure to have full control over the public DNS zone recordsets to manage integration with our app services using deployment automation.
TP 155.2K Reputation points Volunteer Moderator

2026-02-18T22:43:14.81+00:00

Okay, you can't transfer out since it hasn't been 60 days yet. Please note you can still use Azure DNS with the domain registered at a domain registrar (instead of Azure). You would create the DS for the apex at the registrar and the other records in Azure DNS.

<removed previous text suggesting support case>

I still strongly recommend transferring your domains out as soon as 60 days has elapsed. You will avoid a lot of issues and the domains will work well with Azure services that support custom domains.
TP 155.2K Reputation points Volunteer Moderator

2026-02-19T13:24:18.72+00:00
Joe,

I read your comment above regarding bicep automation you have in place, so I can understand why you would want to stick with App Service Domains (ASD).

If lack of DNSSEC was the only issue (and you were okay not having it), I would say go ahead and stick with ASD. The thing is, over and over people have had serious issues with ASD, causing downtime, and it can take an extended amount of time to get the issue resolved.

It's important to understand Azure is not a domain registrar. They are a reseller, but only surface small amount of needed domain-registrar functionality.

Some key points:

No ability to modify name servers. This is a blocker if you want to use Cloudflare or other similar provider. Some people have had name servers changed to GoDaddy defaults, thus breaking all functionality (websites down). Other people mistakenly delete their Azure DNS zone and have no way to fix their mistake themselves. Support required.

Renewal failures. Some people have had issues with renewals or they miss renewal deadline, and if this happens they have no way to fix their mistake. Support required.

Multi-year renewals. It is normal when using registrar to be able to easily renew for multiple years if desired, or manually renew for additional year on demand, but with ASD you can't do either.

No ability to use DNSSEC. You can't create necessary DS record for the apex domain.

Reduced support. With most domain registrars, in the rare event you have an issue you can contact them using chat/email/phone and their support will help you for free. The support personnel typically deal with domain issues all the time and as such are knowledgeable. With App Service Domains you need to have a paid Azure support plan. Also keep in mind things that you would normally be able to handle yourself in the registrar's portal (or via API call) will require you to contact Azure support.

Features removed. Some of the above used to be possible. For example, you used to be able to access GoDaddy Domain Control Center (DCC) from Azure portal, but they removed that capability years ago. After that, I developed powershell script that would use REST API to give you access to DCC, but about mid-2024 they removed the required API.

Purchase blocked. Some people go to purchase App Service Domain, with account in good standing, purchased one before even, but are blocked. They need to submit quota support request (this is free) and wait for response.

The above isn't complete list.

Share via

How to request DS record through Azure for DNSSEC setup

2 answers

Your answer