In order for you to enable DNSSEC, both your registrar and registry (TLD) need to support DNSSEC with CloudFlare's preferred cipher choice, algorithm 13.
Although DNSSEC support is required by ICANN and algorithm 13 has been standardized for years, still some registrars and registries do not support it.
If your registrar does not support DNSSEC or DNSSEC with algorithm 13, you have a few options:
1.You can tweet or email your registrar and let them know it's time for them to support DNSSEC with modern encryption. Many registrars are waiting to add support until they see demand, so by reaching out, you are helping show them there is a need for DNSSEC with algorithm 13.
2. You can transfer your domain to a different registrar that does support DNSSEC with algorithm 13. We keep a short list here.
3. If you've exhausted all other options, you can also file a complaint with ICANN for your registrar's lack of compliance with ICANN policy here:
If your TLD does not support DNSSEC or DNSSEC for algorithm 13, you can do option 1 above. You can find the contact information for your registry here: https://www.iana.org/