What Is DNSSEC and How Does It Work

Guide to DNSSEC — how DNS records are signed, what DS/DNSKEY/RRSIG are and how to verify your domain is correctly configured.

What Is DNSSEC?

DNSSEC (DNS Security Extensions) is a set of extensions to DNS that adds digital signatures to DNS data. Without DNSSEC, an attacker who poisons a resolver's cache can redirect visitors to a fake site. The valid TLS certificate on your real server does not help, because those visitors never reach it, and an attacker who can forge DNS answers towards a CA's domain-validation checks can obtain a certificate for your name as well.

With DNSSEC, answers from a signed zone carry RRSIG records, and a validating resolver checks those signatures before returning the answer. A signature that does not verify is rejected (the resolver answers SERVFAIL), so data that was forged or modified in transit never reaches the client. DNSSEC provides authenticity and integrity only: it does not encrypt DNS traffic, which is what DNS over TLS/HTTPS is for.

How DNSSEC Works

Each level signs the next, so a validating resolver that trusts only the root key (its trust anchor) can verify everything below it. DNSSEC creates a chain of trust from the root zone (.) down to your domain:

  1. Root Zone (.) — signed with the root KSK managed by IANA
  2. TLD Zone (.com, .gr) — signed by the TLD registry; the root zone publishes a DS record for it
  3. Domain Zone (example.com) — signed by you or your DNS provider; the TLD zone publishes your DS record

Key Record Types

  Record         What it does
  DNSKEY         Public key for the zone, used to verify RRSIG signatures
  RRSIG          Digital signature over each DNS record set (RRset)
  DS             Hash of the zone's KSK DNSKEY, published in the parent zone (e.g. in .com)
  NSEC / NSEC3   Proves that a name or record type does NOT exist (authenticated denial of existence)

KSK vs ZSK

There are two types of DNSKEY (flag value 257 for a KSK, 256 for a ZSK):

  • KSK (Key Signing Key): signs the DNSKEY RRset, i.e. the keys themselves. A hash of it is published as the DS record in the parent, so rolling a KSK means updating the DS at your registrar.
  • ZSK (Zone Signing Key): signs the actual records (A, MX, CNAME, NSEC etc.). It can be replaced without touching the parent, so it is traditionally rotated more often. Some operators use a single combined key (CSK) for both roles.

How to Check If Your Domain Has DNSSEC

Validate your domain's DNSSEC chain instantly:

→ DNSSEC Validator

A correctly configured DNSSEC setup will show:

  • ✅ DS record in the parent zone
  • ✅ DNSKEY records in the child zone, one of which matches that DS (key tag, algorithm and digest)
  • ✅ RRSIG records with valid, unexpired signatures
  • ✅ Chain of trust up to the root
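The following Python is an added example for this guide, not code from the page, from BIND or from any registrar. It shows what ties the record table and the KSK/ZSK section together and what the first two checklist items actually verify: the key tag and the DS digest are computed from the KSK's DNSKEY RDATA the way a validating resolver does it (RFC 4034 section 5.1.4 and Appendix B), and a DS record is then checked against the child zone's DNSKEY set. The owner name is the guide's example.com; the two DNSKEY records are constructed placeholders (key bytes 0..63 and 64..127), not real keys.

```python
"""Key tag and DS digest for a DNSKEY record, plus the check that the DS published in
the parent matches a DNSKEY in the child zone (RFC 4034 section 5.1.4 and Appendix B).

Added example for this guide, not code from the page, from BIND or from any registrar.
The DNSKEY records are constructed placeholders (key bytes 0..63 and 64..127), not real keys.
"""
import base64
import hashlib
from typing import List, Optional

# DS digest types: 1 = SHA-1 (deprecated, kept only to check legacy DS records),
# 2 = SHA-256 (the default everywhere), 4 = SHA-384.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: " + label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def parse_dnskey(text: str) -> bytes:
    """Parse DNSKEY RDATA in presentation form, e.g. '257 3 13 AAEC...' (base64 may be chunked)."""
    flags, protocol, algorithm, *b64 = text.split()
    return dnskey_rdata(int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64)))


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit ones'-complement-style sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rdata: bytes) -> bool:
    """SEP bit (lowest flag bit) set: the key is meant to be the one a DS points at."""
    return bool(int.from_bytes(rdata[:2], "big") & 1)


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), uppercase hex."""
    return DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """The DS the parent should publish: '<keytag> <algorithm> <digesttype> <digest>'."""
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def find_matching_key(owner: str, ds_text: str, dnskeys: List[str]) -> Optional[str]:
    """Return the DNSKEY (presentation form) that the DS points at, or None if the delegation
    is broken (wrong key tag, algorithm or digest), in which case a validator answers SERVFAIL."""
    tag, alg, dtype, *digest = ds_text.split()
    tag, alg, dtype, digest = int(tag), int(alg), int(dtype), "".join(digest).upper()
    if dtype not in DS_DIGESTS:
        raise ValueError(f"unsupported DS digest type {dtype}")
    for key_text in dnskeys:
        rdata = parse_dnskey(key_text)
        if key_tag(rdata) == tag and rdata[3] == alg and ds_digest(owner, rdata, dtype) == digest:
            return key_text
    return None


# Constructed sample zone (not real keys): a KSK (flags 257) and a ZSK (flags 256), both
# algorithm 13 (ECDSAP256SHA256, 64-byte public key).
EXAMPLE_OWNER = "example.com."
EXAMPLE_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
EXAMPLE_ZSK = "256 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()
EXAMPLE_DNSKEYS = [EXAMPLE_ZSK, EXAMPLE_KSK]


def example_delegation_check() -> Optional[str]:
    """Derive the DS from the KSK (what you hand to the registrar) and confirm it matches the zone."""
    ds = ds_record(EXAMPLE_OWNER, parse_dnskey(EXAMPLE_KSK))
    return find_matching_key(EXAMPLE_OWNER, ds, EXAMPLE_DNSKEYS)


if __name__ == "__main__":
    ksk = parse_dnskey(EXAMPLE_KSK)
    print("key tag:", key_tag(ksk), "SEP/KSK:", is_ksk(ksk))
    print("DS to publish at the parent:", ds_record(EXAMPLE_OWNER, ksk))
    print("DS matches a DNSKEY in the zone:", example_delegation_check() is not None)
```

To run this against a live zone, replace the constructed records with the output of dig +dnssec DNSKEY example.com (the child's key set) and dig DS example.com (what the parent publishes). A DS that matches none of the DNSKEYs, typically left behind by a KSK rollover or a DNS-provider change without a registrar update, is exactly the state in which validating resolvers return SERVFAIL for the whole domain.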

How to Enable DNSSEC

Via Registrar (Most Common)

Many registrars that also host your DNS offer one-click DNSSEC activation from the control panel: the registrar generates the keys, signs the zone and publishes the DS record in the parent for you. If your DNS is hosted elsewhere, the registrar only accepts the DS record; you take it from your DNS provider and enter it yourself.

With Cloudflare

If you use Cloudflare DNS, enable DNSSEC with one click from DNS → Settings → DNSSEC. Then add the DS record Cloudflare shows to your registrar; the chain of trust is not complete until that DS is live in the parent zone.

Manually (BIND / PowerDNS)

# BIND: key generation (ECDSA P-256; -b 256 is the fixed size for this curve).
# Run in the zone's key directory; each command creates a Kexample.com.+013+<keytag>.key/.private pair.
dnssec-keygen -a ECDSAP256SHA256 -b 256 -n ZONE example.com           # ZSK (flags 256)
dnssec-keygen -a ECDSAP256SHA256 -b 256 -n ZONE -f KSK example.com    # KSK (flags 257)

# Zone signing: -S picks up the keys above (smart signing), -3 - and -H 0 give NSEC3 with no
# salt and no extra iterations (RFC 9276), no -A because opt-out is only for large
# delegation-only zones such as TLDs, -N INCREMENT bumps the SOA serial, -t prints statistics.
# Output: example.com.zone.signed, plus dsset-example.com. containing the DS for your registrar.
dnssec-signzone -S -3 - -H 0 -N INCREMENT -o example.com -t example.com.zone
⚠️ Warning: With manual signing nothing re-signs the zone for you. dnssec-signzone gives RRSIGs a 30-day validity by default, so you must re-sign (from cron, or let named maintain the zone with dnssec-policy) well before the signatures expire; once they expire, validating resolvers answer SERVFAIL and the domain stops resolving for their users. Key rollover is a separate decision: rolling the ZSK does not involve the parent, but a new KSK means a new DS, which must be published at the registrar and have propagated (parent TTL) before the old KSK and its signatures are removed. RFC 6781 describes the safe rollover sequences.

Why You Need DNSSEC

  Threat                      Without DNSSEC    With DNSSEC
  DNS cache poisoning         ❌ Vulnerable     ✅ Forged answers fail validation and are rejected
  BGP hijacking (DNS traffic) ❌ Vulnerable     ✅ Forged answers rejected; the attacker can still cause an outage
  Man-in-the-middle DNS       ❌ Vulnerable     ✅ Modified answers rejected (traffic is not encrypted)
  Typosquatting               ❌ Not covered    ❌ Not covered

All of this holds only for clients behind a validating resolver. A stub resolver that trusts a non-validating recursive server gets no protection, and the hop between the stub and its resolver is protected only by that resolver's validation (and, if you want confidentiality on that hop, by DNS over TLS/HTTPS).

Frequently Asked Questions

Does DNSSEC replace an SSL certificate?
No, they're complementary. TLS (what most people still call SSL) encrypts and authenticates the connection between browser and server. DNSSEC authenticates the DNS answers that tell the browser which server to connect to in the first place. You need both.
Do all TLDs support DNSSEC?
Not all, but the major ones do: .com, .gr, .net, .org, .eu etc. Some country-code TLDs still don't support it, and if your TLD is unsigned there is no place to publish your DS, so the chain of trust cannot reach your zone. Check ICANN's TLD DNSSEC report for the current status of each TLD.
Does DNSSEC slow down DNS resolution?
Marginally. Signed responses are larger (an RRSIG per RRset), and a validating resolver has to fetch the DNSKEY and DS records for each zone in the chain the first time, after which they are cached. In practice the extra latency is a few milliseconds and the security benefit is worth it. The more common operational problem is response size: a large DNSKEY RRset can exceed what fits in one UDP packet and force fragmentation or TCP fallback, which is one reason ECDSA P-256 keys are preferred over 2048-bit RSA.
What happens if DNSSEC keys expire?
Strictly it is the signatures (RRSIGs) that expire, not the keys. If they aren't renewed, validating resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1, Quad9 and many ISP resolvers) return SERVFAIL and your domain stops resolving for their users, while non-validating resolvers keep working, so the outage looks intermittent. This is one of the most common DNSSEC misconfiguration mistakes.
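As an added example for the manual-signing warning above and this FAQ answer (not the page's or BIND's code), the following Python parses RRSIG records in dig presentation form and reports which signatures are expired, not yet valid, or inside a warning window before expiry, which is what a monitoring job should check before validating resolvers start answering SERVFAIL. The RRSIG lines and the clock value are constructed samples, not a real zone, and the signature field is a placeholder.

```python
"""Check RRSIG validity windows and flag signatures that are expired, not yet valid or
about to expire.  RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (or seconds since
the epoch) per RFC 4034 section 3.2; a validator accepts a signature only while
inception <= now <= expiration (RFC 4035 section 5.3.1).

Added example for this guide; not code from the page or from BIND.  The RRSIG lines and
the clock value below are constructed samples in dig-style presentation form, not a real
zone; the signature field is a placeholder.
"""
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple


class Rrsig(NamedTuple):
    owner: str
    type_covered: str
    algorithm: int
    key_tag: int
    expiration: datetime
    inception: datetime
    signer: str


class Verdict(NamedTuple):
    rrsig: Rrsig
    status: str           # "ok", "expiring", "expired" or "not yet valid"
    remaining: timedelta  # time until expiration (negative once expired)


def parse_timestamp(field: str) -> datetime:
    """RRSIG time in presentation form: 14-digit UTC timestamp or plain seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse 'owner [TTL] [class] RRSIG type alg labels ottl expiration inception keytag signer sig'."""
    fields = line.split()
    i = fields.index("RRSIG")
    type_covered, alg, _labels, _ottl, exp, inc, tag, signer = fields[i + 1:i + 9]
    return Rrsig(fields[0], type_covered, int(alg), int(tag),
                 parse_timestamp(exp), parse_timestamp(inc), signer)


def check_rrsigs(text: str, now: datetime, warn_days: int = 7) -> List[Verdict]:
    """Classify every RRSIG line in text relative to the clock value now."""
    verdicts = []
    for line in text.splitlines():
        if "RRSIG" not in line.split() or line.lstrip().startswith(";"):
            continue  # skip blank lines, comments and records of other types
        sig = parse_rrsig(line)
        remaining = sig.expiration - now
        if now < sig.inception:
            status = "not yet valid"  # clock skew, or inception set in the future
        elif now > sig.expiration:
            status = "expired"        # validating resolvers now answer SERVFAIL
        elif remaining < timedelta(days=warn_days):
            status = "expiring"       # re-sign before the window closes
        else:
            status = "ok"
        verdicts.append(Verdict(sig, status, remaining))
    return verdicts


def zone_healthy(verdicts: List[Verdict]) -> bool:
    """True only if every signature validates right now (expiring ones still do)."""
    return bool(verdicts) and all(v.status in ("ok", "expiring") for v in verdicts)


# Constructed sample (not real zone data): four RRSIGs as seen at SAMPLE_NOW.
# Field order after RRSIG: type covered, algorithm, labels, original TTL, expiration,
# inception, key tag, signer, signature (placeholder base64 here).
SAMPLE_NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
SAMPLE_RRSIGS = """\
example.com. 3600 IN RRSIG A      13 2 3600 20240701000000 20240601000000 12345 example.com. c2lnbmF0dXJl
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240605000000 20240501000000 59409 example.com. c2lnbmF0dXJl
example.com. 3600 IN RRSIG MX     13 2 3600 20240615000000 20240516000000 12345 example.com. c2lnbmF0dXJl
example.com. 3600 IN RRSIG TXT    13 2 3600 20240720000000 20240620000000 12345 example.com. c2lnbmF0dXJl
"""

if __name__ == "__main__":
    results = check_rrsigs(SAMPLE_RRSIGS, SAMPLE_NOW)
    for v in results:
        print(f"{v.rrsig.type_covered:7} keytag {v.rrsig.key_tag:5} {v.status:14} "
              f"expires {v.rrsig.expiration:%Y-%m-%d} ({v.remaining.days:+d} days)")
    print("zone healthy:", zone_healthy(results))
```

For a live zone, feed it the RRSIG lines from dig +dnssec example.com ANY (or one query per type you care about, the DNSKEY RRSIG being the one that takes the whole zone down when it lapses) and run it from a scheduler with the warning window set to at least the time your re-signing job needs plus the zone's TTLs. An expired DNSKEY signature in the sample is deliberately the KSK-signed RRset: that is the one no ZSK re-sign fixes.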
