
DNSSEC Setup Guide

Enable DNS Security Extensions to protect your domain from DNS spoofing and cache poisoning attacks.

Advanced | 15 min read

Quick Overview

1. Enable DNSSEC
2. Get DS Record
3. Add to Registrar
4. Verify Chain

What is DNSSEC?

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records. A validating resolver can check those signatures and reject any response that was forged or altered in transit. Note what it does not do: DNSSEC provides authenticity and integrity only. Queries and answers are still sent in the clear, so it is not a privacy mechanism, and it only protects clients whose resolver actually validates.

Without DNSSEC, an attacker who can poison a resolver's cache or spoof responses on the path can:
• Redirect your visitors to malicious sites by forging A/AAAA records (DNS spoofing)
• Intercept email by forging MX records so mail is delivered to a server they control
• Steal credentials via fake login pages served from the spoofed addresses

How DNSSEC Works

DNSSEC creates a chain of trust from the root zone down to your domain. Each parent vouches for its child's key, and a validating resolver walks the chain from the top:

1. The root zone, whose public key is the trust anchor built into resolvers, publishes and signs a DS record for the TLD (e.g., .com), identifying the TLD's key-signing key.
2. The TLD (.com) publishes and signs a DS record for your domain, identifying your zone's key-signing key (KSK).
3. Your zone publishes its keys in DNSKEY records. The KSK signs the DNSKEY record set, and a zone-signing key (ZSK) signs every other record set (A, MX, TXT, ...), producing RRSIG records. Some providers use a single combined key for both roles.

The resolver checks each signature against the key vouched for by the level above, so a forged answer at any level fails to validate and is discarded. A DS record is a hash of the child's KSK rather than the key itself, which is why the DS, not the DNSKEY, is what you copy to the registrar.

DNSSEC Record Types

DNSSEC introduces new record types:

• DNSKEY - Public key(s) for your zone (flags value 257 marks a KSK, 256 a ZSK)
• RRSIG - Signature over each record set, carrying inception and expiration times and the key tag of the signing key
• DS - Hash of your KSK DNSKEY, published and signed by the parent zone
• NSEC/NSEC3 - Authenticated denial of existence: proves that a name or record type doesn't exist (NSEC3 hashes the names so the zone cannot be trivially enumerated)

Enabling DNSSEC

DNSSEC setup varies by registrar/DNS provider. Generally:

If your DNS provider manages DNSSEC automatically (recommended):
1. Enable DNSSEC in your DNS provider's dashboard
2. Copy the DS record details (key tag, algorithm, digest type, digest)
3. Add the DS record at your registrar; the DS lives in the parent zone, so only the registrar can publish it
4. Wait for propagation; the registrar's update cycle and the parent zone's DS TTL both apply, and it can take up to a day

Providers like Cloudflare, Google Cloud DNS, and Route 53 generate the keys and sign the zone automatically. Publishing the DS at the registrar is the one step that stays manual unless your registrar is also your DNS host.

Cloudflare DNSSEC Setup

1. Log into the Cloudflare Dashboard
2. Select your domain
3. Go to DNS → Settings
4. Click "Enable DNSSEC"
5. Cloudflare displays the DS record details
6. Add these DS record values at your registrar

# Example DS record values (as Cloudflare displays them):
# Key Tag: 2371
# Algorithm: 13 (ECDSAP256SHA256)
# Digest Type: 2 (SHA-256)
# Digest: E06D44B80B8F1D39A95C... (64 hex characters in full; truncated here)

Verification

After enabling DNSSEC, verify it works:

1. Use IntoDNS.ai to check DNSSEC status.
2. Query through a validating resolver and look for the AD (authenticated data) flag: dig +dnssec +multi yourdomain.com A @1.1.1.1 should show "ad" in the header flags and an RRSIG record next to the A records. If the same query returns SERVFAIL but succeeds with dig +cd (checking disabled), validation is failing.
3. Check DNSViz.net for a visual chain of trust; it shows exactly which link (DS, DNSKEY, or RRSIG) is broken.
4. Verify the DS records at the parent zone match your KSK: compare dig DS yourdomain.com with the key tag, algorithm and digest of the KSK returned by dig DNSKEY yourdomain.com. delv, shipped with BIND, performs this whole check end to end: delv yourdomain.com A.

DNSSEC misconfigurations can make your entire domain unreachable: a wrong or stale DS record makes every validating resolver (Google Public DNS, Cloudflare's 1.1.1.1, Quad9, many ISPs) return SERVFAIL for every name in the domain, which users see as an outage, not a security warning. Test thoroughly before publishing the DS, and never change or remove the DNSKEY at your provider while a DS at the registrar still points at it.
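Step 4 above comes down to one computation: the DS digest is a hash over the owner name in wire format followed by the DNSKEY RDATA, and the key tag is a checksum of that RDATA. The following Python is an added example written for this guide, not code from the page or from any DNS provider. It uses only the standard library so it runs offline; the example.com KSK and the 64-byte dummy key embedded in it are constructed test data, not a real zone or key. To check a live delegation, paste the KSK line from dig DNSKEY and the DS line from dig DS into ds_matches.

```python
"""Derive a DS record from a DNSKEY and compare it with the DS published at the parent.

Added example for this guide (not code from the page or from any DNS provider).
Implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) with
the standard library only, so it runs offline. example.com and the 64-byte
dummy key below are constructed test data, not a real zone or key.
"""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.3, RFC 4509, RFC 6605): type -> hash
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _fields(record: str, rtype: str):
    """Tokenise presentation-format text as dig prints it; drop ';' comments and parentheses."""
    tokens = [t for t in record.split(";")[0].split() if t not in ("(", ")")]
    return tokens[0], tokens[tokens.index(rtype) + 1:]


def parse_dnskey(record: str):
    """'example.com. 3600 IN DNSKEY 257 3 13 <base64>' -> (owner, flags, protocol, algorithm, pubkey)."""
    owner, f = _fields(record, "DNSKEY")
    return owner, int(f[0]), int(f[1]), int(f[2]), base64.b64decode("".join(f[3:]))


def parse_ds(record: str):
    """'example.com. 86400 IN DS 2098 13 2 <hex>' -> (key_tag, algorithm, digest_type, DIGEST_HEX)."""
    _, f = _fields(record, "DS")
    return int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).upper()


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire format: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 (every algorithm except the obsolete RSAMD5):
    sum the RDATA as big-endian 16-bit words, fold the carry back in, keep 16 bits."""
    if len(rdata) % 2:
        rdata += b"\x00"
    ac = sum(struct.unpack("!%dH" % (len(rdata) // 2), rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(record: str, digest_type: int = 2):
    """The DS the registrar should hold for this DNSKEY: digest = H(owner_wire || DNSKEY RDATA)."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(record)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(dnskey_record: str, ds_record: str) -> bool:
    """True only if key tag, algorithm, digest type and digest all agree."""
    tag, alg, dtype, digest = parse_ds(ds_record)
    if dtype not in DIGEST_TYPES:
        return False  # unknown digest type: a validator cannot use this DS either
    return ds_from_dnskey(dnskey_record, dtype) == (tag, alg, dtype, digest)


# Constructed sample: a KSK (flags 257) for algorithm 13 with a dummy 64-byte key
# (the size of an ECDSA P-256 public key). Not a real key.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()
SAMPLE_DNSKEY = f"example.com. 3600 IN DNSKEY 257 3 13 {SAMPLE_PUBKEY_B64} ; key id = 2098"


def check_sample():
    """Compare the sample KSK against a correct DS and against a stale one
    left behind from a previous key (same digest, wrong key tag)."""
    tag, alg, dtype, digest = ds_from_dnskey(SAMPLE_DNSKEY)
    good_ds = f"example.com. 86400 IN DS {tag} {alg} {dtype} {digest}"
    stale_ds = f"example.com. 86400 IN DS {tag + 1} {alg} {dtype} {digest}"
    return ds_matches(SAMPLE_DNSKEY, good_ds), ds_matches(SAMPLE_DNSKEY, stale_ds)


if __name__ == "__main__":
    print("DS for sample KSK:", ds_from_dnskey(SAMPLE_DNSKEY))
    print("matches (good, stale):", check_sample())
```

The owner name is lowercased and converted to wire format before hashing because that is what the parent signs over; passing "Example.COM" and "example.com." must produce the same DS. The digest comparison is case-insensitive because registrars display the hex in either case.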

Common Pitfalls to Avoid

  • DS record mismatch

    The DS at your registrar must match the KSK DNSKEY currently published in your zone: same key tag, same algorithm, and a digest computed over the owner name plus the DNSKEY RDATA. A DS that points at a key no longer in the zone, or that carries the wrong algorithm number, breaks validation for the whole domain. Changing DNS providers without first removing the old DS at the registrar is the most common way to get this wrong.

  • Key rollover failures

    Old and new keys must overlap long enough for cached DNSKEY, DS and RRSIG records to expire from resolvers. RFC 6781 describes the Pre-Publish method for ZSKs (publish the new key, wait a TTL, then sign with it) and the Double-Signature method for KSKs (sign with both keys while the parent swaps the DS). Removing the old key or the old DS too early breaks validation for anyone still holding the cached data.

  • Expired signatures

    RRSIG records carry inception and expiration times, and a validating resolver rejects a signature outside that window. Your signer (or the managed provider) must re-sign before expiry; if it stalls, the authoritative servers keep answering but every validating resolver returns SERVFAIL once the signatures lapse. Monitor the earliest expiration in the zone and alert well ahead of it, and keep server clocks synchronized, since the resolver's clock decides what counts as expired.

  • Not testing before enabling

    Before publishing the DS at the registrar, confirm the zone itself is signed correctly: fetch the DNSKEY and RRSIG records from your authoritative servers with dig +dnssec and check them with DNSViz or delv. Once the DS is published, validating resolvers enforce it immediately, so any remaining error turns into an outage.
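A check for the expired-signature pitfall, as an added example written for this guide rather than code from the page or from any provider: it parses RRSIG records in the presentation format dig prints, classifies each one against a supplied clock, and flags signatures inside a warning window before expiry. The sample records, the frozen clock and the two-day warning window are constructed values for the demonstration; for a real zone, feed it the RRSIG lines from dig +dnssec +multi and pass the current UTC time.

```python
"""Audit RRSIG validity windows to catch expired or soon-to-expire signatures.

Added example for this guide (not from the original page). RRSIG timestamps are
parsed per RFC 4034 section 3.2 (YYYYMMDDHHmmSS in UTC, or seconds since the
epoch). The sample records and the frozen clock below are constructed data.
"""
import datetime as dt

RRSIG_TIME_FORMAT = "%Y%m%d%H%M%S"
UTC = dt.timezone.utc


def parse_rrsig_time(token: str) -> dt.datetime:
    """RRSIG times are UTC, either a 14-digit YYYYMMDDHHmmSS string or a decimal epoch count."""
    if len(token) == 14:
        return dt.datetime.strptime(token, RRSIG_TIME_FORMAT).replace(tzinfo=UTC)
    return dt.datetime.fromtimestamp(int(token), tz=UTC)


def parse_rrsig(record: str) -> dict:
    """Parse presentation-format RRSIG text as dig prints it (multi-line parentheses tolerated).

    Field order after 'RRSIG': type covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer name, signature (RFC 4034 section 3.2).
    """
    fields = [f for f in record.split(";")[0].split() if f not in ("(", ")")]
    f = fields[fields.index("RRSIG") + 1:]
    return {
        "owner": fields[0],
        "type_covered": f[0],
        "algorithm": int(f[1]),
        "labels": int(f[2]),
        "original_ttl": int(f[3]),
        "expiration": parse_rrsig_time(f[4]),
        "inception": parse_rrsig_time(f[5]),
        "key_tag": int(f[6]),
        "signer": f[7],
        "signature": "".join(f[8:]),
    }


def rrsig_status(record: str, now: dt.datetime,
                 warn_before: dt.timedelta = dt.timedelta(days=2)) -> str:
    """Classify one RRSIG as 'not-yet-valid', 'expired', 'expiring-soon' or 'ok'.

    Validation uses the resolver's clock, so in production pass the current UTC
    time; it is injected here so the check is deterministic and testable.
    """
    sig = parse_rrsig(record)
    if now < sig["inception"]:
        return "not-yet-valid"
    if now > sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn_before:
        return "expiring-soon"
    return "ok"


def audit_zone(records, now: dt.datetime, warn_before: dt.timedelta = dt.timedelta(days=2)):
    """Return ([(owner, type covered, status), ...], earliest expiration in the zone).

    The earliest expiration is the number to alert on: once it passes, every
    validating resolver starts returning SERVFAIL for that record set.
    """
    parsed = [parse_rrsig(r) for r in records]
    results = [(p["owner"], p["type_covered"], rrsig_status(r, now, warn_before))
               for p, r in zip(parsed, records)]
    return results, min(p["expiration"] for p in parsed)


# Constructed sample RRSIGs with dummy base64 signatures, covering the four
# outcomes: healthy, inside the warning window, already expired, and a
# signature whose inception is still in the future (typically clock skew
# or a pre-published key set).
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG A 13 2 3600 20240601000000 20240502000000 2098 example.com. c2lnMQ==",
    "example.com. 3600 IN RRSIG MX 13 2 3600 20240516120000 20240502000000 2098 example.com. c2lnMg==",
    "example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240514000000 20240414000000 4711 example.com. c2lnMw==",
    "example.com. 3600 IN RRSIG NS 13 2 3600 20240620000000 20240520000000 2098 example.com. c2lnNA==",
]
FROZEN_NOW = dt.datetime(2024, 5, 15, 0, 0, 0, tzinfo=UTC)  # constructed "current" time


if __name__ == "__main__":
    results, earliest = audit_zone(SAMPLE_RRSIGS, FROZEN_NOW)
    for owner, rtype, status in results:
        print(f"{owner:16} {rtype:8} {status}")
    print("earliest expiration:", earliest.isoformat())
```

The DNSKEY signature in the sample is the one to worry about most: it is signed by the KSK, and when it expires nothing else in the zone can validate even if every other RRSIG is fresh, so that is the expiration to alert on first.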

Check Your Configuration

Use IntoDNS.ai to verify your setup is correct