[Figure: DNSSEC chain of trust diagram showing the root zone, TLD and domain signing, with DNSKEY and DS records connecting each layer]

DNSSEC Explained for Website Owners

DNS was designed in the 1980s without security in mind. Responses aren't authenticated — nothing stops an attacker from intercepting a DNS query and returning a forged answer pointing your domain to a server they control. This attack is known as DNS spoofing or DNS cache poisoning.

DNSSEC (DNS Security Extensions) addresses this by adding cryptographic signatures to DNS responses. A resolver that validates DNSSEC signatures can verify that a DNS answer came from the authoritative nameserver and hasn't been tampered with.


How DNSSEC Works (Without the Full Cryptographic Detail)

DNSSEC creates a chain of trust from the DNS root zone down to your domain:

  1. Root zone — ICANN maintains a root DNSKEY that signs the root zone
  2. TLD zone — The root zone signs a DS (Delegation Signer) record for .com, .net, etc.
  3. Your domain zone — The TLD zone signs a DS record that delegates trust to your domain's DNSKEY
  4. Your DNS records — Your nameserver signs all DNS records with your zone signing key (ZSK)

When a DNSSEC-validating resolver looks up your domain, it checks each signature in this chain. If any signature is missing or invalid, the resolver returns SERVFAIL rather than an unauthenticated answer.

# Check if DNSSEC is enabled for a domain. The 'ad' flag is only set by a
# resolver that actually validates, so if your system resolver doesn't, ask one
# that does (e.g. dig @1.1.1.1 yourdomain.com +dnssec)
dig yourdomain.com +dnssec

# Look for the 'ad' flag (Authenticated Data) in the response header
# "flags: qr rd ra ad" = DNSSEC validation succeeded

# Check for DNSKEY records (the public keys published in your zone)
dig yourdomain.com DNSKEY +short

# Check for the DS record (published and signed by the parent/TLD zone)
dig yourdomain.com DS +short

What DNSSEC Protects Against

DNS cache poisoning — An attacker injects forged DNS records into a resolver's cache. Without DNSSEC, there's no way for the resolver to know the answer was forged. With DNSSEC, the missing signature causes the resolver to reject the forged answer.

Man-in-the-middle DNS attacks — An attacker intercepts DNS queries and returns a different IP. DNSSEC signatures are tied to the zone, not the network path — a signature from a different zone is invalid.

What DNSSEC does NOT protect against:

  • The actual content of your website (that's HTTPS/TLS)
  • DDoS attacks against your nameservers
  • Users behind resolvers that don't validate (not all resolvers validate DNSSEC, and those users get no protection from it)

DNSSEC and HTTPS are complementary: DNSSEC ensures you reach the right server; HTTPS ensures the connection is encrypted and the server is authenticated.


The Operational Risks of DNSSEC

DNSSEC introduces real operational complexity. The security community generally recommends it, but with clear awareness of the failure modes.

Key rollover — DNSSEC signing keys need periodic rotation. If a key rollover is performed incorrectly, your domain becomes unresolvable for DNSSEC-validating resolvers (roughly 30–35% of global DNS traffic uses DNSSEC validation, according to APNIC measurements).

Nameserver migration — If you change nameservers (see how to change nameservers without downtime), you must update the DS record at your registrar to match the new nameserver's keys. If you forget this step, DNSSEC validation fails for your domain.

Registrar support — Not all registrars support DNSSEC. You need a registrar that can publish DS records to the TLD zone. ICANN maintains a list of registrars supporting DNSSEC.


Enabling DNSSEC: The Practical Steps

Most managed DNS providers handle key generation and signing automatically. The only step you usually need to take manually is adding the DS record to your registrar.

With Cloudflare:

  1. Enable DNSSEC in your Cloudflare DNS settings (one click)
  2. Cloudflare generates the DS record and shows it to you
  3. Copy the DS record into your registrar's DNSSEC settings
  4. Cloudflare handles key rotation automatically

With Route 53:

  1. Enable DNSSEC signing in Route 53
  2. Route 53 generates key-signing keys (KSK) and zone-signing keys (ZSK)
  3. Copy the DS record shown by Route 53 into your registrar

Verify after enabling:

# Check DS record propagated to the TLD
dig yourdomain.com DS +short

# Validate the DNSSEC chain. +nocd leaves the CD (Checking Disabled) bit clear,
# which is dig's default, so a validating resolver performs validation
dig yourdomain.com +dnssec +nocd
# The 'ad' flag in the response confirms validation succeeded
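The DS record you copy to the registrar is a hash of your key-signing key, which is how the parent zone delegates trust down the chain described above. This added example (not code from the post, Cloudflare or Route 53) derives the DS from a DNSKEY record per RFC 4034, so you can confirm that what the registrar shows matches the KSK your DNS provider publishes; the owner name, flags and key in SAMPLE_DNSKEY are constructed, not a real key.

```python
import base64
import hashlib
import struct

# Added example (not from the original post): derive a DS record from a DNSKEY
# per RFC 4034 section 5.1 and Appendix B. Only the key-signing key (flags 257,
# SEP bit set) is referenced by a DS at the parent zone.

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, proto, alg, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(owner: str, flags: int, proto: int, alg: int,
                   pubkey_b64: str, digest_type: int = 2) -> str:
    """Return DS RDATA text '<keytag> <alg> <digesttype> <HEXDIGEST>'."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"

def ds_from_presentation(record: str) -> str:
    """Parse a DNSKEY line as 'dig yourdomain.com DNSKEY' prints it (owner included)."""
    fields = record.replace("(", " ").replace(")", " ").split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey_b64 = "".join(fields[idx + 4:])   # base64 may be split across fields/lines
    return f"{owner} IN DS " + ds_from_dnskey(owner, flags, proto, alg, pubkey_b64)

# Constructed sample: a dummy 4-byte "key", NOT a real ECDSA P-256 key (algorithm 13).
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AAECAw=="

if __name__ == "__main__":
    # Compare this line with the DS record your registrar shows for the domain.
    print(ds_from_presentation(SAMPLE_DNSKEY))
```

Paste the real KSK line from `dig yourdomain.com DNSKEY` (the one with flags 257) in place of the sample; the key tag and digest must match the DS at the parent exactly.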

Should You Enable DNSSEC?

Enable DNSSEC if:

  • Your DNS provider manages key rotation automatically (Cloudflare, Route 53, modern managed providers)
  • Your registrar supports DS record management
  • You have the operational maturity to handle nameserver migrations carefully

Consider waiting if:

  • Your DNS provider requires manual key management
  • You frequently change nameservers or DNS providers
  • You're not confident you'll remember to update DS records during migrations

Monitoring DNSSEC Health

A broken DNSSEC configuration silently breaks your domain for a significant portion of the internet — those users just get SERVFAIL and see nothing. Domain Monitor monitors your domain's DNS health including DNSSEC validity. Create a free account.
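A monitor has to tell a broken signature chain (validating resolvers return SERVFAIL, everyone else is fine) apart from an unsigned zone or a plain outage. This added example (not code from the post or from Domain Monitor) makes that distinction using the same `+dnssec` and CD-bit queries as above; it assumes `dig` is installed and that RESOLVER validates DNSSEC (1.1.1.1 and 8.8.8.8 both do), and the dig header excerpts are constructed for offline testing.

```python
import re
import subprocess

# Added example (not from the original post): classify a domain's DNSSEC state
# the way a monitor would. Assumes 'dig' is installed and RESOLVER validates.
RESOLVER = "1.1.1.1"

def parse_dig(output: str):
    """Extract (status, flags) from the header section of dig's output."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r"flags: ([a-z ]*);", output)
    return (status.group(1) if status else "NONE",
            set(flags.group(1).split()) if flags else set())

def classify(validating_output: str, cd_output: str) -> str:
    """
    validating_output: 'dig +dnssec' (CD bit clear, so the resolver validates)
    cd_output:         'dig +dnssec +cd' (checking disabled, validation skipped)
    The second query separates a failed validation from a plain DNS outage.
    """
    status, flags = parse_dig(validating_output)
    cd_status, _ = parse_dig(cd_output)
    if status == "NOERROR" and "ad" in flags:
        return "secure"       # chain of trust validated end to end
    if status == "NOERROR":
        return "insecure"     # resolves, but unsigned or no DS at the parent
    if status == "SERVFAIL" and cd_status == "NOERROR":
        return "bogus"        # data exists but fails validation: the silent outage
    return "unreachable"      # fails even with CD set: a DNS problem, not DNSSEC

def run_dig(domain: str, *extra: str) -> str:
    cmd = ["dig", f"@{RESOLVER}", domain, "A", "+dnssec", *extra]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

def check(domain: str) -> str:
    """Run both queries against RESOLVER and classify the result."""
    return classify(run_dig(domain), run_dig(domain, "+cd"))

# Constructed dig header excerpts (not real captures) for offline testing.
HDR_OK_AD = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2\n"
HDR_OK_NOAD = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1\n"
HDR_SERVFAIL = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0\n"

if __name__ == "__main__":
    import sys
    print(check(sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"))
```

Alert on "bogus": that is the state where users of validating resolvers get SERVFAIL while your own checks from a non-validating resolver still look healthy.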

