DNSSEC — DNS Security Extensions
Cryptographic signing of DNS responses to prevent tampering and cache poisoning.
What is DNSSEC
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS data so that a resolver can verify that what it received is what the zone operator published and has not been altered in transit. It provides authenticity and integrity only: queries and answers are still sent in the clear.
Without DNSSEC, attacks such as DNS spoofing or cache poisoning can "convince" a resolver that example.com points to a malicious IP. With DNSSEC, a validating resolver rejects any response whose signatures do not verify and returns SERVFAIL instead of the forged data.
How it works
DNSSEC is built as a chain of trust from the DNS root down to your domain:
- The root zone is signed with the root key, which every validating resolver ships with as its trust anchor. The root zone publishes a DS record for each signed TLD (e.g. .gr).
- The TLD zone is signed with the TLD's own keys and publishes a DS record for your domain, which is a hash of your zone's key-signing key (KSK).
- Your zone publishes its DNSKEY records and signs every record set (RRset) with an RRSIG.
A resolver starts from the root trust anchor, follows each DS to the matching DNSKEY one level down, and verifies the RRSIGs at each step. If any link is missing or does not match, everything below it is treated as bogus.
The key record types
- DNSKEY — the public keys for your zone. Typically a KSK, referenced by the DS at the parent, and a ZSK that signs the zone data (one key can play both roles).
- RRSIG — the signature over each record set, with the key tag of the DNSKEY that produced it and a validity period.
- DS (Delegation Signer) — the key tag, algorithm and a hash (digest) of your KSK's DNSKEY record, published in the parent zone (the TLD registry) rather than in your own zone.
- NSEC / NSEC3 — signed proof of non-existence, so that "this name/type does not exist" can be verified too. NSEC chains the zone's names in order, which lets anyone walk the zone; NSEC3 publishes hashed names instead, which makes enumeration harder but does not prevent it.
How to enable it
- At your DNS provider, enable DNSSEC for the zone. This generates the keys and publishes the DNSKEY, RRSIG and NSEC/NSEC3 records in the zone.
- Obtain the DS record that your provider supplies (key tag, algorithm, digest type, digest).
- Go to your registrar and add that DS record to the delegation. Check that the key tag and digest you enter match the provider's DNSKEY exactly; a typo here breaks the chain.
- Wait for the parent to publish the DS and for old cached data to expire (typically a few hours). Then verify with a DNSSEC validator, for example dig +dnssec against a validating resolver (look for the AD flag and RRSIG records in the answer) or an online checker such as DNSViz.
Common mistakes
- A DS record at the registrar without a matching DNSKEY in the zone: validators cannot build the chain and your domain becomes unreachable for them.
- Changing nameservers or DNS providers without first removing the DS record: the new provider's keys do not match the DS at the parent, so the result is the same.
- Algorithm or key rollover without care: publish the new DNSKEY and RRSIGs before the new DS, and keep the old ones until every cache has expired, otherwise validation breaks temporarily.
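The step "obtain the DS record and add it at the registrar" and the first mistake above ("DS without a matching DNSKEY") come down to one question: does the DS published at the parent match a DNSKEY in the child zone? The check below, an added example that is not code from the original page or from any DNS provider, computes the RFC 4034 key tag and the RFC 4034 / RFC 4509 DS digest from a DNSKEY in dig's presentation format and compares it with a DS. The zone name example.com. and the key bytes are constructed for illustration and are not real key material.

```python
"""Check that the DS published at the parent matches a DNSKEY in the child zone.

Added example, not the page's own code. It implements the RFC 4034 Appendix B
key tag and the RFC 4034 / RFC 4509 DS digest, which is what a registrar and a
validating resolver compare. The zone name and the key bytes are constructed
for illustration; no real key material is involved.
"""
import base64
import hashlib
from dataclasses import dataclass

# DS digest type codes (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}
ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7: key may sign zone data (256 = ZSK, 257 = KSK)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label."""
    trimmed = name.rstrip(".").lower()
    labels = trimmed.split(".") if trimmed else []
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex

    @classmethod
    def parse(cls, rr: str) -> "DS":
        """Parse presentation format, e.g. 'example.com. 86400 IN DS 59409 13 2 ABCD...'."""
        parts = rr.split()
        i = parts.index("DS")
        tag, alg, dtype = (int(x) for x in parts[i + 1:i + 4])
        return cls(tag, alg, dtype, "".join(parts[i + 4:]).upper())


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def parse(cls, rr: str) -> "DNSKEY":
        """Parse presentation format as printed by dig: 'example.com. 3600 IN DNSKEY 257 3 13 <base64>'."""
        parts = rr.split()
        i = parts.index("DNSKEY")
        flags, proto, alg = (int(x) for x in parts[i + 1:i + 4])
        return cls(parts[0], flags, proto, alg, base64.b64decode("".join(parts[i + 4:])))

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        return key_tag(self.rdata())

    def ds(self, digest_type: int = 2) -> DS:
        """DS RDATA = key tag, algorithm, digest type, digest(owner name wire || DNSKEY RDATA)."""
        h = hashlib.new(DIGEST_ALGS[digest_type])
        h.update(name_to_wire(self.owner) + self.rdata())
        return DS(self.key_tag(), self.algorithm, digest_type, h.hexdigest().upper())


def delegation_is_valid(ds_set, dnskey_set) -> bool:
    """True if any DS at the parent authenticates a zone key in the child DNSKEY RRset.

    One match is enough for a validator (RFC 4035 section 5.2). No match is the
    'DS at the registrar without a matching DNSKEY' failure: every answer from
    the zone is then bogus and validating resolvers return SERVFAIL.
    """
    for ds in ds_set:
        for key in dnskey_set:
            if not key.flags & ZONE_KEY_FLAG or key.protocol != 3:
                continue
            if (key.algorithm, key.key_tag()) != (ds.algorithm, ds.key_tag):
                continue
            if ds.digest_type in DIGEST_ALGS and key.ds(ds.digest_type).digest == ds.digest:
                return True
    return False


# Constructed sample: a KSK (flags 257 = ZONE + SEP) for ECDSA P-256 (algorithm 13)
# whose 64 "public key" bytes are simply 0x00..0x3f. Not a real key.
SAMPLE_KEY_TEXT = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()
SAMPLE_KSK = DNSKEY.parse(SAMPLE_KEY_TEXT)

# Constructed stale DS, as left behind at the registrar after a key or provider change.
STALE_DS = DS.parse("example.com. 86400 IN DS 12345 13 2 " + "00" * 32)


if __name__ == "__main__":
    good_ds = SAMPLE_KSK.ds(2)
    print("DS to hand to the registrar:",
          f"example.com. IN DS {good_ds.key_tag} {good_ds.algorithm} {good_ds.digest_type} {good_ds.digest}")
    print("stale DS matches a zone key:", delegation_is_valid([STALE_DS], [SAMPLE_KSK]))
    print("fresh DS matches a zone key:", delegation_is_valid([good_ds], [SAMPLE_KSK]))
```

To run this against a live zone, paste the DNSKEY lines from dig DNSKEY yourzone +norecurse @your-authoritative-server and the DS lines from dig DS yourzone @a-tld-server into the two parse functions; the comparison is the same one a validating resolver performs at the delegation point. The key tag alone is not proof of a match (different keys can share a tag), which is why the digest is compared as well.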
Warning: DNSSEC is powerful but "strict." A misconfiguration does not degrade gracefully: validating resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9 and most ISP resolvers) answer SERVFAIL for every name in the zone, so the domain is completely inaccessible to their users while non-validating resolvers keep working, which makes the outage hard to spot from your own desk. Test on a test domain before applying it to production.