DNSSEC
DNS Security Extensions - Cryptographic authentication for DNS
What is DNSSEC?
DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses are authentic and haven't been tampered with during transit.
Why is it important?
DNSSEC protects against DNS cache poisoning, man-in-the-middle attacks, and DNS hijacking, ensuring users reach the correct destination when accessing your domain.
Impact
Without DNSSEC, attackers can redirect your domain's traffic to malicious servers, steal credentials, distribute malware, or damage your brand reputation.
Current Configuration
- Domain: example.com
- DNSSEC Status: Not Enabled
- DS Records: None Found
- DNSKEY Records: None Found
- Last Checked: December 3, 2025 - 11:00 AM
- Validation Chain: Broken
DNSSEC Record Types
- DNSKEY: Public key used to verify signatures
- RRSIG: Digital signature for DNS records
- DS: Delegation Signer - links child to parent zone
- NSEC/NSEC3: Proof of non-existence for records
How DNSSEC Works
Zone Signing
Your DNS zone is signed with a private key (ZSK - Zone Signing Key), creating RRSIG records that accompany each DNS record.
Key Publication
The public key (DNSKEY) is published in your zone, allowing resolvers to verify the signatures. A Key Signing Key (KSK) signs the DNSKEY record.
Chain of Trust
A DS record (a digest of your KSK's DNSKEY record) is submitted through your registrar and published in the parent zone, creating a secure chain from the DNS root down to your domain.
Validation
When someone queries your domain, resolvers verify the entire chain of signatures from the root down, ensuring authenticity.
How to Enable DNSSEC
- Verify that your DNS hosting provider supports DNSSEC. Not all providers offer this feature.
- Log in to your DNS hosting provider's control panel.
- Generate DNSSEC keys (usually done automatically):
  - Zone Signing Key (ZSK) - signs individual DNS records
  - Key Signing Key (KSK) - signs the DNSKEY records
- Enable DNSSEC for your zone. Your provider will automatically sign all DNS records.
- Retrieve the DS (Delegation Signer) records from your DNS provider. These typically include:
  Key Tag: 12345
  Algorithm: 13 (ECDSAP256SHA256)
  Digest Type: 2 (SHA-256)
  Digest: ABC123...
- Log in to your domain registrar's control panel (where you registered the domain).
- Navigate to the DNSSEC settings and add the DS records provided by your DNS host.
- Save the changes. DNSSEC propagation can take 24-48 hours.
- Verify DNSSEC is working using online validation tools such as dnsviz.net or dnssec-debugger.verisignlabs.com.
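The DS record you hand to the registrar is derived deterministically from the KSK's DNSKEY record, which is what makes the Chain of Trust step above work and what lets you check the DS fields (key tag, algorithm, digest type, digest) before saving them. The following Python script is an added example, not code from the page or from any DNS provider: it computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5, RFC 4509) from a DNSKEY in presentation format, and compares a DS record against a DNSKEY so a registrar/DNS-host mismatch is caught. The owner name, the 64-byte "public key" and the flags are constructed placeholders, not a real key.

```python
"""Added example: key tag and DS digest for a DNSKEY (RFC 4034, RFC 4509).

The DNSKEY below is a constructed placeholder, not a real key.
"""
import base64
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DS_DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_dnskey(presentation: str) -> bytes:
    """Parse the presentation form 'FLAGS PROTOCOL ALGORITHM BASE64KEY' into wire RDATA."""
    flags, protocol, algorithm, *key_parts = presentation.split()
    public_key = base64.b64decode("".join(key_parts))
    return dnskey_rdata(int(flags), int(protocol), int(algorithm), public_key)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = H(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    h = DS_DIGEST_ALGORITHMS[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner: str, rdata: bytes, ds_key_tag: int, ds_algorithm: int,
               ds_digest_type: int, ds_digest_hex: str) -> bool:
    """True when a DS record published at the registrar corresponds to this DNSKEY.

    False is the 'Incorrect DS Records' case: the registrar's DS does not point at
    the key the DNS host is actually serving, so validation fails for the whole zone.
    """
    if ds_algorithm != rdata[3] or ds_key_tag != key_tag(rdata):
        return False
    if ds_digest_type not in DS_DIGEST_ALGORITHMS:
        return False
    return ds_digest(owner, rdata, ds_digest_type) == ds_digest_hex.upper()


# Constructed KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 13 (ECDSAP256SHA256),
# with the bytes 0..63 standing in for a real P-256 public point (placeholder only).
EXAMPLE_OWNER = "example.com."
EXAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode("ascii")


def example_ds_record() -> dict:
    """Build the DS fields a registrar asks for, from the constructed DNSKEY."""
    rdata = parse_dnskey(EXAMPLE_DNSKEY)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": 2,
        "digest": ds_digest(EXAMPLE_OWNER, rdata, 2),
    }


if __name__ == "__main__":
    ds = example_ds_record()
    print(f"{EXAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest']}")
```

To use this against a live zone, paste the KSK line from your provider's DNSKEY set into `parse_dnskey` and the DS fields from the registrar into `ds_matches`; a `False` result before the 24-48 hour propagation window saves a broken chain later.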
Recommended DNSSEC Algorithms
- Algorithm 13: ECDSAP256SHA256 (Recommended - Modern)
- Algorithm 14: ECDSAP384SHA384 (High Security)
- Algorithm 8: RSASHA256 (Legacy - Still Common)
- Algorithm 10: RSASHA512 (Legacy - Higher Security)
ECDSA algorithms (13, 14) are preferred for their smaller key sizes and better performance.
DNSSEC Best Practices
- Key Rotation: Rotate ZSK every 1-3 months, KSK annually
- Monitor Expiration: Set alerts for signature expiration dates
- Test Regularly: Validate DNSSEC chain monthly
- Backup Keys: Securely store private keys offline
- Algorithm Choice: Use modern ECDSA algorithms (13 or 14)
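Signature expiration is the failure mode most often hit in practice: RRSIG records carry an absolute expiration timestamp, and once it passes, validating resolvers treat the zone as bogus even though nothing else changed. The script below is an added example, not part of the page, that implements the "Monitor Expiration" practice: it parses RRSIG records in presentation format (RFC 4034 section 3.2, handling only the YYYYMMDDHHmmSS timestamp form) and reports signatures that are expired, expiring within a warning window, or not yet valid. The three RRSIG lines are constructed sample data with placeholder signatures, and the check time is taken from the page's "Last Checked" value, assumed here to be UTC.

```python
"""Added example: flag RRSIG records that are expired or close to expiring."""
from datetime import datetime, timedelta, timezone

RRSIG_TIME_FORMAT = "%Y%m%d%H%M%S"


def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG record in presentation format.

    Layout (whitespace separated):
      owner ttl class RRSIG type-covered algorithm labels original-ttl
      expiration inception key-tag signer signature...
    Only the YYYYMMDDHHmmSS timestamp form is handled (timestamps are UTC).
    """
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    utc = timezone.utc
    return {
        "owner": fields[0],
        "type_covered": fields[4],
        "algorithm": int(fields[5]),
        "labels": int(fields[6]),
        "original_ttl": int(fields[7]),
        "expiration": datetime.strptime(fields[8], RRSIG_TIME_FORMAT).replace(tzinfo=utc),
        "inception": datetime.strptime(fields[9], RRSIG_TIME_FORMAT).replace(tzinfo=utc),
        "key_tag": int(fields[10]),
        "signer": fields[11],
        "signature": "".join(fields[12:]),
    }


def signature_state(rrsig: dict, now: datetime,
                    warn_before: timedelta = timedelta(days=3)) -> str:
    """Classify a signature as 'ok', 'expiring', 'expired' or 'not_yet_valid' at time now."""
    if now < rrsig["inception"]:
        return "not_yet_valid"
    if now >= rrsig["expiration"]:
        return "expired"
    if rrsig["expiration"] - now <= warn_before:
        return "expiring"
    return "ok"


def check_zone_signatures(lines, now: datetime,
                          warn_before: timedelta = timedelta(days=3)) -> list:
    """Return (owner, type_covered, state) for every signature that is not 'ok'."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and zone-file comments
            continue
        rrsig = parse_rrsig(line)
        state = signature_state(rrsig, now, warn_before)
        if state != "ok":
            findings.append((rrsig["owner"], rrsig["type_covered"], state))
    return findings


# Constructed sample RRSIGs for a hypothetical example.com zone; signatures are placeholders.
SAMPLE_RRSIGS = """
example.com. 3600 IN RRSIG SOA 13 2 3600 20251231120000 20251201120000 12345 example.com. c2lnMQ==
example.com. 3600 IN RRSIG A 13 2 3600 20251205090000 20251121090000 12345 example.com. c2lnMg==
www.example.com. 300 IN RRSIG A 13 3 300 20251203100000 20251119100000 12345 example.com. c2lnMw==
""".splitlines()

# Fixed check time (the page's "Last Checked" value, assumed UTC) so the run is reproducible.
CHECK_TIME = datetime(2025, 12, 3, 11, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for owner, rtype, state in check_zone_signatures(SAMPLE_RRSIGS, CHECK_TIME):
        print(f"ALERT {state}: {owner} RRSIG({rtype})")
```

For a real zone, feed it the output of a `dig +dnssec` query or the signed zone file, replace `CHECK_TIME` with `datetime.now(timezone.utc)`, and set `warn_before` to comfortably exceed your signer's refresh interval so a stalled re-signing job is caught before resolvers start failing.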
Common DNSSEC Issues
- Broken Chain: DS records not added at the registrar
- Expired Signatures: RRSIG records not refreshed automatically
- Incorrect DS Records: Mismatch between DNS host and registrar
- Key Rollover Failed: Timing issues during key rotation