· 9 min read

DNSSEC Explained: What It Is and Why You Need It

DNS was designed in the 1980s with zero built-in security. DNSSEC fixes that — but adoption is still painfully low. Here's what DNSSEC actually does, how it works under the hood, and what happens when you get it wrong.

Here's an uncomfortable truth about the internet: when you type a URL into your browser, you're trusting a system that has no built-in way to verify it's giving you the right answer. The Domain Name System was designed in 1983 by Paul Mockapetris. It was brilliant for its time. It was also built on the assumption that every participant in the network could be trusted.

That assumption aged about as well as you'd expect.

DNS cache poisoning, man-in-the-middle attacks, spoofed responses — these aren't theoretical. In 2018, a DNS hijacking campaign called DNSpionage targeted government and telecom organizations across the Middle East, redirecting traffic through attacker-controlled servers to steal credentials. In 2020, researchers from Tsinghua University and UC Riverside demonstrated the SAD DNS attack, showing that cache poisoning was still viable against modern resolvers.

DNSSEC — DNS Security Extensions — was specifically designed to solve this class of problems. And yet, depending on which study you look at, somewhere between 5% and 30% of domains actually use it. Let's talk about why that gap exists, and whether DNSSEC belongs on your domains.

The problem DNSSEC solves

Standard DNS works on blind trust. Your computer asks a resolver "where is example.com?" and the resolver returns an IP address. Your computer has no way to verify that the answer is genuine. It can't tell the difference between a legitimate response from an authoritative nameserver and a forged packet injected by an attacker sitting between you and the resolver.

This opens the door to two major attacks:

Cache poisoning. An attacker floods a DNS resolver with forged responses, trying to get the resolver to cache a wrong answer. If they succeed, every user who queries that resolver gets sent to the attacker's server instead of the real one. The poisoned cache entry can persist for hours or days, depending on the TTL.

Man-in-the-middle interception. An attacker positioned on the network path between you and your DNS resolver intercepts the query and sends back a fake response before the real one arrives. Your computer accepts whichever answer shows up first.

In both cases, the victim has no idea anything is wrong. The browser shows the right domain name in the address bar. If the attacker also has an SSL certificate (which is increasingly easy to obtain), even the padlock icon looks normal.

DNSSEC makes these attacks effectively impossible by adding something DNS never had: cryptographic proof that a response is authentic.

How DNSSEC actually works

DNSSEC doesn't encrypt DNS traffic — that's a common misconception. It doesn't hide what you're looking up. What it does is sign DNS responses, so the recipient can verify they haven't been tampered with.

The mechanism relies on public-key cryptography, and it works in layers. Bear with me — this gets a bit technical, but understanding the chain of trust is important.

Zone signing keys and key signing keys

When DNSSEC is enabled for a domain, the DNS zone generates two key pairs:

  • The Zone Signing Key (ZSK) signs the actual DNS records. Every record set (A, MX, TXT, etc.) gets a digital signature stored in an RRSIG record. When a resolver receives a DNS answer, it can check the RRSIG against the ZSK to verify nothing was modified.
  • The Key Signing Key (KSK) signs the ZSK itself. This exists so you can rotate the ZSK regularly without updating the parent zone every time. The KSK changes less frequently.

Both keys are published as DNSKEY records in the domain's zone. Anyone can read them — they're public keys, after all.

The chain of trust

Here's where it gets clever. How does a resolver know it can trust the DNSKEY records themselves? What stops an attacker from forging those too?

The answer is delegation. The parent zone (say, .com) stores a DS (Delegation Signer) record that contains a hash of the child zone's KSK. So when a resolver wants to validate example.com, it:

  1. Gets the DNSKEY records from example.com
  2. Gets the DS record from .com
  3. Verifies that the hash in the DS record matches one of the DNSKEYs
  4. Uses that verified DNSKEY to check the RRSIG on the requested records

But then who vouches for .com? The root zone. And who vouches for the root zone? Nobody needs to — the root zone's keys are hardcoded into DNS resolvers. It's the trust anchor.

This creates an unbroken chain: root → .com → example.com. If any link in that chain is invalid or missing, DNSSEC validation fails and the resolver rejects the response.

The AD flag

When a DNSSEC-validating resolver successfully verifies a response, it sets the AD (Authenticated Data) flag in the DNS reply. This is the signal to the client that the answer passed all cryptographic checks. Our DNSSEC checker queries multiple resolvers (Google, Cloudflare, Quad9) and checks this flag to confirm your DNSSEC setup is working end-to-end.

What happens when DNSSEC goes wrong

Here's the part that scares people away from DNSSEC, and honestly, it's a legitimate concern.

When DNSSEC is configured correctly, it's invisible. Users don't notice it. Resolvers validate silently. Everything works. But when DNSSEC breaks, the failure mode is harsh: your domain becomes unreachable.

Not "slow." Not "sometimes works." Completely unreachable for any resolver that validates DNSSEC — which includes Google Public DNS (8.8.8.8), Cloudflare (1.1.1.1), and Quad9 (9.9.9.9). That's a significant chunk of internet users.

Common ways DNSSEC breaks:

  • Expired signatures. RRSIG records have an expiry date. If your zone doesn't get re-signed before they expire, validation starts failing. This often happens with manual DNSSEC setups where key rotation is forgotten.
  • Mismatched DS records. If you change your DNS provider or rotate your KSK and forget to update the DS record at your registrar, the chain of trust snaps. The parent zone points to a key that no longer exists.
  • Provider migration gone wrong. Moving between DNS providers is already tricky. When DNSSEC is involved, the migration window has an extra step: coordinating the DS record update. Get the timing wrong and you're offline.
  • Accidental removal. Someone turns off DNSSEC at the DNS provider but doesn't remove the DS record at the registrar. The parent still expects DNSSEC, the child no longer serves it, and validation fails.

Every one of these scenarios is preventable with monitoring. That's not a sales pitch — it's just the reality of how DNSSEC operations work. You need something watching the signatures and chain of trust continuously, because the failure modes are silent until they're catastrophic.

Should you enable DNSSEC?

The honest answer depends on your situation.

If your DNS provider handles DNSSEC automatically (Cloudflare, for example, enables and manages DNSSEC with a single click), there's almost no reason not to. The provider handles key generation, signing, rotation, and DS record updates. Your involvement is literally clicking a button and adding one DS record at your registrar.

If you run your own nameservers, DNSSEC adds operational complexity. You need to manage key rotation, re-sign zones regularly, and coordinate DS record updates during key rollovers. It's doable, but you need to be disciplined about it — or automate it properly.

If you're in a regulated industry (finance, healthcare, government), DNSSEC may already be required by compliance frameworks. NIST, for instance, has recommended DNSSEC for federal agencies since 2009.

For most domain owners using a modern DNS provider, the calculus is simple: the protection DNSSEC offers is significant, the effort to enable it is minimal, and the only real risk is breakage from misconfiguration — which monitoring eliminates.

How to enable DNSSEC: a practical walkthrough

The exact steps depend on your DNS provider and registrar, but the general process looks like this:

Step 1: Enable DNSSEC at your DNS provider

In your DNS provider's dashboard, look for a DNSSEC setting. On Cloudflare, it's under DNS → Settings → DNSSEC. On AWS Route 53, you enable it per hosted zone. On Google Cloud DNS, it's a toggle in the zone settings.

When you enable it, the provider generates the ZSK and KSK, signs your zone, and gives you the DS record values you need for the next step.

Step 2: Add the DS record at your registrar

Log into your domain registrar (GoDaddy, Namecheap, Gandi, OVH, etc.) and find the DNSSEC management section. Enter the DS record details your DNS provider gave you: key tag, algorithm, digest type, and digest value.

This is the step people most commonly forget or get wrong. The DS record at the registrar must exactly match the KSK at the DNS provider. Any mismatch breaks the chain of trust.

Step 3: Verify it works

After DNS propagation (usually a few minutes to a few hours), verify your DNSSEC setup. Use our free DNSSEC checker to confirm that DNSKEY records are present and the AD flag is set on responses from major resolvers. If the checker shows DNSSEC as valid, you're done.

Step 4: Set up monitoring

This is the step most guides leave out, and it's arguably the most important one. DNSSEC isn't "set and forget." Signatures expire, keys rotate, providers make changes. Continuous DNSSEC monitoring catches problems before they cascade into a full outage.

DNSSEC and the rest of your DNS security stack

DNSSEC doesn't exist in isolation. It's one piece of a broader DNS security posture that includes:

  • CAA records — restrict which certificate authorities can issue SSL certificates for your domain. Prevents an attacker who controls your DNS from getting a valid cert.
  • SPF — specifies which servers can send email from your domain. Blocks email spoofing.
  • DMARC — tells receiving servers what to do when SPF or DKIM checks fail. The enforcement layer for email authentication.
  • DNSSEC — ensures the DNS answers for all of the above are genuine. It's the foundation everything else sits on.

Think of it this way: SPF and DMARC protect your email, CAA protects your SSL certificates, and DNSSEC protects the DNS records that make all of them work. Without DNSSEC, an attacker who can poison your DNS cache can also bypass your SPF, DMARC, and CAA protections by serving forged records.

A comprehensive DNS health check evaluates all of these together. Our scoring system gives DNSSEC and CAA a combined weight of 35 out of 100 points — reflecting how critical this security layer is to your overall DNS health score.

The adoption problem

Given everything above, you might wonder why DNSSEC adoption is still relatively low. A few reasons:

Historical complexity. Early DNSSEC implementations were painful. Manual key management, complex zone signing, and poor tooling scared a generation of sysadmins. This reputation has stuck, even though modern providers have made it dramatically easier.

The failure mode. As discussed, broken DNSSEC makes your domain unreachable. For some operators, the risk of self-inflicted downtime from misconfiguration outweighs the risk of a DNS spoofing attack. This is a rational calculation, even if the answer is "enable DNSSEC and monitor it properly."

Lack of visible benefit. DNSSEC is invisible when it works. Unlike HTTPS, which gives you a reassuring padlock, DNSSEC validation happens behind the scenes. There's no user-facing indicator, so it's hard to justify the effort to non-technical stakeholders.

Still, the trend is moving in the right direction. Major TLDs have been signed for years. Most large DNS providers offer one-click DNSSEC. And the attacks that DNSSEC prevents are becoming more sophisticated, not less.

Bottom line

DNSSEC is the cryptographic backbone that DNS never had. It's not perfect — it doesn't encrypt queries, it adds complexity, and it can break in ways that are worse than not having it at all if you're not paying attention. But the attacks it prevents are real, the tools to manage it have matured enormously, and for most domains using a managed DNS provider, the effort to enable it is trivial.

The key takeaway: enable DNSSEC, but don't walk away from it. Monitor it. Check that signatures are valid, keys are current, and the chain of trust is intact. Our free DNSSEC checker is a good place to start. For ongoing protection, set up automated DNSSEC monitoring so you know the moment something goes sideways.

Because finding out your DNSSEC is broken from a customer complaint is not the way you want to start your Tuesday morning.

Related article

What is DNS Monitoring and Why Does It Matter?

A beginner-friendly introduction to DNS monitoring, covering what it checks, why it matters, and how to get started.