DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records using RRSIG, publishes signing keys as DNSKEY records, and anchors trust to the parent zone via DS records. A validating resolver can then prove a response came from the authoritative nameserver unmodified. DNSSEC does not encrypt DNS traffic — it provides authenticity and integrity, not confidentiality.
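The DS link in that chain is a digest of the child's DNSKEY that the parent publishes, so anyone can verify the parent vouches for exactly that key. The following Python is an added example, not code from the page's source: it derives a DS record from a DNSKEY (key tag per RFC 4034 appendix B, SHA-256 digest over the canonical owner name plus DNSKEY RDATA per RFC 4034 section 5.1.4). The key bytes it feeds in are constructed for illustration and are not a real key.

```python
"""Derive the DS record (key tag + SHA-256 digest) that a parent zone publishes
for a child's DNSKEY. Added example following RFC 4034; sample key bytes are
constructed, not real key material."""
import base64
import hashlib
from typing import Tuple

DIGEST_TYPE_SHA256 = 2  # DS digest type 2 = SHA-256


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag (for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(record: str) -> Tuple[str, int, int, int, bytes]:
    """Parse presentation form: '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64...>'."""
    fields = record.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    public_key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, public_key


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> str:
    """Build the DS presentation line the registrar needs: tag, algorithm, digest type, digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {DIGEST_TYPE_SHA256} {digest}"


def ds_from_dnskey(record: str) -> str:
    """Convenience wrapper: DNSKEY presentation line in, DS presentation line out."""
    return ds_record(*parse_dnskey(record))


# Constructed DNSKEY (flags 257 = KSK, protocol 3, algorithm 13 = ECDSAP256SHA256).
# The 4-byte "public key" is a placeholder, not a valid curve point.
SAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 13 " + base64.b64encode(bytes.fromhex("00010002")).decode()

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_DNSKEY))
```

A realistic DNSKEY's base64 field is much longer than the placeholder above; the parser joins all trailing whitespace-separated chunks, so multi-line zone-file records work unchanged.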
Why it matters
Plain DNS responses are easy to spoof on hostile networks and have been abused for cache poisoning, hijacked banking sessions, and silent redirection. Without DNSSEC, a malicious resolver can return any IP for your domain and the user has no way to know. Validating resolvers reject forged answers, which protects login flows, HTTPS certificate validation, and mail routing built on TXT records.
How to check
- Enable DNSSEC at your DNS provider and publish the resulting `DS` record at your registrar so trust reaches the root zone.
- Verify with `dig +dnssec example.com` and look for the `ad` (authenticated data) flag in the response header; only a validating resolver sets it.
- Use a validating resolver during testing — many ISP resolvers strip DNSSEC data from clients.
- Plan key rotation: schedule `KSK` and `ZSK` rollovers and confirm the registrar accepts updated `DS` records.
- Keep DNSSEC aligned with SSL/TLS so transport and naming layers both authenticate.
- Monitor for `SERVFAIL` after key changes; it usually means a broken chain rather than a downstream outage.
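The check steps above can be automated. This Python script is an added example, not the page's own tooling: it runs `dig +dnssec` against a validating resolver, reads the status and flags from the response header, and on `SERVFAIL` repeats the query with `+cd` (checking disabled) to separate a broken chain from a zone that is simply down. It assumes `dig` is on the PATH; the default resolver (Quad9, `9.9.9.9`) is an assumption you can replace, and the sample dig headers are constructed so the classifier can be exercised offline.

```python
"""Classify a DNSSEC lookup from dig output. Added example; requires `dig`
for live checks, while the constructed samples below run offline."""
import re
import subprocess
from typing import Optional, Set, Tuple

# Verdicts. "bogus" is the case the list above warns about: SERVFAIL caused by
# a broken chain (wrong DS at the registrar, expired RRSIG, stale DNSKEY after a rollover).
SECURE = "secure"            # answer with the ad flag: resolver validated the chain
INSECURE = "insecure"        # answer without ad: unsigned zone, or resolver not validating
BOGUS = "bogus"              # SERVFAIL with validation, answer with +cd: DNSSEC failure
UNREACHABLE = "unreachable"  # SERVFAIL even with +cd: the zone itself is unreachable

_HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
_FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
_ANSWERED = ("NOERROR", "NXDOMAIN")  # NXDOMAIN can also be authenticated (signed denial)


def parse_dig(output: str) -> Tuple[str, Set[str]]:
    """Extract (status, header flags) from dig's text output."""
    header = _HEADER_RE.search(output)
    if header is None:
        raise ValueError("dig output has no ->>HEADER<<- line")
    flags = _FLAGS_RE.search(output)
    return header.group(1), (set(flags.group(1).split()) if flags else set())


def classify(validated: str, checking_disabled: Optional[str]) -> str:
    """Turn dig output from a validating query (and, if needed, the +cd retry) into a verdict."""
    status, flags = parse_dig(validated)
    if status in _ANSWERED:
        return SECURE if "ad" in flags else INSECURE
    if status == "SERVFAIL" and checking_disabled is not None:
        cd_status, _ = parse_dig(checking_disabled)
        return BOGUS if cd_status in _ANSWERED else UNREACHABLE
    return UNREACHABLE


def run_dig(name: str, resolver: str, checking_disabled: bool = False) -> str:
    """Run dig +dnssec against one resolver; +cd asks it to answer without validating."""
    cmd = ["dig", "+dnssec", "+tries=1", "+time=3"]
    if checking_disabled:
        cmd.append("+cd")
    cmd += [name, "A", "@" + resolver]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check_domain(name: str, resolver: str = "9.9.9.9") -> str:
    """Live check: validating query first; only on SERVFAIL repeat with +cd."""
    first = run_dig(name, resolver)
    status, _ = parse_dig(first)
    second = run_dig(name, resolver, checking_disabled=True) if status == "SERVFAIL" else None
    return classify(first, second)


# Constructed dig header excerpts (not captured from real queries).
SAMPLE_SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_INSECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_CD_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    import sys
    print(check_domain(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it right after a key rollover or DS change: a `bogus` verdict means fix the chain (compare the published DS against the live KSK), whereas `unreachable` points at the nameservers themselves. An `insecure` result from a resolver you know validates means the zone is not signed, or the DS never reached the parent.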