DNSSEC (Domain Name System Security Extensions) is a set of extensions to the DNS that add origin authentication and integrity protection by digitally signing DNS records. A validating resolver can check that the answer it receives was signed by the operator of the zone that owns the name and has not been altered in transit.

What Problem DNSSEC Solves

Standard DNS has no authentication: a resolver accepts the first reply whose transaction ID, source port and question match the query it sent. An attacker performing DNS cache poisoning races the real answer with a forged one, and once the forgery is cached every client of that resolver is sent to the attacker's server even though they typed the correct domain. DNSSEC attaches digital signatures (RRSIG records) to the data, so any tampering breaks the signature and a validating resolver discards the forged response instead of caching it. The protection applies only where validation happens: a resolver that does not validate accepts the same forged answer it always did.

How DNSSEC Works

  1. The zone owner generates two key pairs: a Zone Signing Key (ZSK) and a Key Signing Key (KSK). The public halves are published in the zone as DNSKEY records.
  2. Every RRset in the zone (all records sharing a name and type) is signed with the private ZSK, and each signature is published as an RRSIG record next to the data it covers.
  3. The DNSKEY RRset itself is signed with the private KSK. This ties the ZSK to the KSK, so the ZSK can be rolled often without involving anyone outside the zone.
  4. A DS record, a hash of the KSK's DNSKEY record, is published in the parent zone (for example, the .com zone) and signed there with the parent's own keys. The same construction repeats at each level up to the root zone, whose KSK is the trust anchor shipped with validating resolvers.
  5. A validating resolver sets the DNSSEC OK (DO) bit in its queries and receives the RRSIG records alongside the answer.
  6. The resolver verifies the RRSIG with the zone's DNSKEY, verifies the DNSKEY RRset against the DS record in the parent, and repeats that check upward until it reaches the trust anchor. If any link fails, the answer is treated as bogus and the resolver returns SERVFAIL rather than caching it.

Negative answers are covered as well: signed NSEC or NSEC3 records prove that a name or record type does not exist, so a forged NXDOMAIN is detected the same way as a forged address.
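The six steps above, carried through in code. The following Go program is an added example written for this page; it is not code from any resolver, signer or DNS provider. It generates a KSK and a ZSK for a made-up example.com zone with Ed25519 (DNSSEC algorithm 15, RFC 8080), builds the DNSKEY RDATA and computes the DS digest the way RFC 4034 specifies (SHA-256 over the canonical owner name followed by the DNSKEY RDATA), signs the DNSKEY RRset with the KSK and an A RRset with the ZSK, and then validates the way a resolver does, starting from the DS it trusts. The simplifications are deliberate and are assumptions of this example: the signed preimage leaves out the RRSIG key tag, TTL, class, validity times and the canonical sorting of RDATA; the DS is handed to the validator directly rather than fetched from a signed parent; and the zone name, addresses and every function name are invented here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

const algEd25519 = 15 // DNSSEC algorithm number for Ed25519 (RFC 8080)

type RRset struct { // one owner name and type together with its RDATA values
	Owner string
	Type  uint16
	Rdata [][]byte
}
func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// wireName is the canonical (lower-case, length-prefixed) wire form of a name.
func wireName(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		b = append(append(b, byte(len(l))), l...)
	}
	return append(b, 0)
}
// dnskeyRdata builds DNSKEY RDATA: flags(2) protocol(1)=3 algorithm(1) public key.
func dnskeyRdata(flags uint16, pub ed25519.PublicKey) []byte {
	return append(append(be16(nil, flags), 3, algEd25519), pub...)
}
// dsDigest is the DS digest (digest type 2 = SHA-256) over owner name || DNSKEY RDATA.
func dsDigest(owner string, rdata []byte) []byte {
	sum := sha256.Sum256(append(wireName(owner), rdata...))
	return sum[:]
}
// preimage is what an RRSIG signs: a header (type covered, algorithm, signer; a real
// RRSIG also has key tag, TTL, validity times and canonically sorted RDATA), then the RRs.
func preimage(rr RRset, signer string) []byte {
	b := append(be16(nil, rr.Type), algEd25519)
	b = append(b, wireName(signer)...)
	for _, rd := range rr.Rdata {
		b = be16(append(b, wireName(rr.Owner)...), rr.Type)
		b = append(be16(b, uint16(len(rd))), rd...)
	}
	return b
}
// sign is the RRSIG signature over rr; verify accepts it if any Ed25519 DNSKEY in keys produced it.
func sign(rr RRset, signer string, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, preimage(rr, signer))
}
func verify(rr RRset, signer string, sig []byte, keys [][]byte) bool {
	for _, rd := range keys {
		if len(rd) == 4+ed25519.PublicKeySize && rd[3] == algEd25519 &&
			ed25519.Verify(ed25519.PublicKey(rd[4:]), preimage(rr, signer), sig) {
			return true
		}
	}
	return false
}
// ValidateChain is a resolver's work for one zone: the parent's DS authenticates
// the KSK, the KSK the DNSKEY RRset, and a key from that RRset the answer.
func ValidateChain(trustedDS []byte, keys RRset, keySig []byte, data RRset, dataSig []byte) error {
	var ksks [][]byte
	for _, rd := range keys.Rdata {
		if bytes.Equal(dsDigest(keys.Owner, rd), trustedDS) {
			ksks = append(ksks, rd)
		}
	}
	switch {
	case len(ksks) == 0:
		return fmt.Errorf("no DNSKEY of %s matches the DS in the parent zone", keys.Owner)
	case !verify(keys, keys.Owner, keySig, ksks):
		return fmt.Errorf("DNSKEY RRset of %s is not signed by the DS-matched KSK", keys.Owner)
	case !verify(data, keys.Owner, dataSig, keys.Rdata):
		return fmt.Errorf("RRSIG over %s does not verify: answer is bogus", data.Owner)
	}
	return nil
}
// NewDemoZone signs a made-up example.com (RFC 5737 addresses): it returns the DS
// to publish at the registrar, the DNSKEY and A RRsets and their signatures.
func NewDemoZone() (ds []byte, keys RRset, keySig []byte, a RRset, aSig []byte) {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader)
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader)
	keys = RRset{"example.com.", 48, [][]byte{dnskeyRdata(257, kskPub), dnskeyRdata(256, zskPub)}} // flags: KSK 257, ZSK 256
	a = RRset{"www.example.com.", 1, [][]byte{{192, 0, 2, 10}}}
	ds = dsDigest(keys.Owner, keys.Rdata[0]) // hash of the KSK's DNSKEY record
	keySig = sign(keys, keys.Owner, kskPriv)  // KSK signs the DNSKEY RRset
	aSig = sign(a, keys.Owner, zskPriv)       // ZSK signs the zone data
	return
}
func main() {
	ds, keys, keySig, a, aSig := NewDemoZone()
	fmt.Println("genuine answer:", ValidateChain(ds, keys, keySig, a, aSig))
	a.Rdata = [][]byte{{203, 0, 113, 66}} // poisoned answer that reuses the real signature
	fmt.Println("forged answer: ", ValidateChain(ds, keys, keySig, a, aSig))
}
```

Run it with go run: the genuine answer validates and the forged one fails at the last link as bogus. Applying ValidateChain to the parent zone, with the parent's DS as the trusted input and the child's DS RRset as the data, is how a resolver climbs to the trust anchor at the root. A real validator also checks the RRSIG validity window, which is why an expired signature takes a signed domain offline for every validating resolver.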

DNSSEC Does Not Encrypt DNS Queries

This is a common misconception. DNSSEC signs records so a resolver can verify their integrity and origin, but queries and responses still travel in cleartext. Anyone on the network path can see which names you are resolving, and so can the resolver operator. For query privacy you need DNS over HTTPS (DoH) or DNS over TLS (DoT), which encrypt the hop between your client and the resolver. They complement DNSSEC rather than replace it: an encrypted channel to a resolver says nothing about whether that resolver's answers were forged further upstream.

DNSSEC Adoption

As of 2024, roughly 90% of TLDs are signed, but fewer than 25% of individual domains have DNSSEC enabled. DNS providers and registrars such as Cloudflare and Amazon Route 53 support it, but the domain owner has to turn it on and publish the DS record at the registrar.

People Also Ask

Should I enable DNSSEC on my domain?
Yes, if your registrar and DNS host both support it. It lets validating resolvers (the large public resolvers validate by default) reject forged answers for your names, which is what a cache poisoning attack relies on to redirect users to phishing sites. Setup means generating keys and signing the zone at your DNS host, then publishing the DS record at your registrar; most modern platforms automate this. Two cautions: publish the DS only after the signed zone is live, and remove it before you unsign or move the zone, because a DS that matches no DNSKEY, or an expired RRSIG, makes your domain unresolvable for every validating resolver. Treat KSK rollovers as a change-managed procedure for the same reason.
Does DNSSEC protect against all DNS attacks?
No. DNSSEC protects the integrity and origin of DNS data in the resolution chain. It does not protect against DDoS attacks on DNS infrastructure, eavesdropping on queries (that is what DoH and DoT are for), a compromised authoritative name server or stolen signing keys (forged data is then validly signed), or the unsigned last hop between a non-validating stub and its resolver. It also says nothing about whether the host a record points to is trustworthy: a phishing site can sit in a perfectly signed zone.

Related: DNS cache poisoning | DNS over HTTPS | DNS Lookup