[Diagram: DNSSEC chain of trust, showing root zone, TLD and domain signing with DNSKEY and DS records connecting each layer]

DNSSEC Explained for Website Owners

DNS was designed in the 1980s without security in mind. Responses aren't authenticated — nothing stops an attacker from intercepting a DNS query and returning a forged answer pointing your domain to a server they control. This attack is known as DNS spoofing or DNS cache poisoning.

DNSSEC (DNS Security Extensions) addresses this by adding cryptographic signatures to DNS responses. A resolver that validates DNSSEC signatures can verify that a DNS answer came from the authoritative nameserver and hasn't been tampered with.


How DNSSEC Works (Without the Full Cryptographic Detail)

DNSSEC creates a chain of trust from the DNS root zone down to your domain:

  1. Root zone — ICANN maintains the root DNSKEY, the trust anchor that validating resolvers are configured with, and it signs the root zone
  2. TLD zone — The root zone publishes and signs a DS (Delegation Signer) record for .com, .net, etc.; a DS record is a hash of the child zone's key-signing key
  3. Your domain zone — The TLD zone publishes and signs a DS record for your domain, delegating trust to your domain's key-signing key (KSK), which signs your DNSKEY set
  4. Your DNS records — Your nameserver signs all DNS records with your zone signing key (ZSK)

When a DNSSEC-validating resolver looks up your domain, it checks each signature in this chain. If any signature is missing or invalid, the resolver returns SERVFAIL rather than an unauthenticated answer.

# Check if DNSSEC is enabled for a domain
# (+dnssec also asks for the RRSIG records, so the signatures themselves appear in the answer)
# Ask a validating resolver, e.g. @1.1.1.1 or @8.8.8.8, if your local resolver does not validate
dig yourdomain.com +dnssec

# Look for the 'ad' flag (Authenticated Data) in the response header
# "flags: qr rd ra ad" = the resolver validated the answer
# No 'ad' flag means either the zone is unsigned or the resolver you asked does not validate

# Check for DNSKEY records
dig yourdomain.com DNSKEY +short

# Check for the DS record (it lives in the parent/TLD zone; the resolver fetches it from there)
dig yourdomain.com DS +short

What DNSSEC Protects Against

DNS cache poisoning — An attacker injects forged DNS records into a resolver's cache. Without DNSSEC, the resolver has no way to tell that the answer was forged. With DNSSEC, the forged answer carries no valid signature, so a validating resolver rejects it instead of caching it.

Man-in-the-middle DNS attacks — An attacker on the network path intercepts DNS queries and returns a different IP. DNSSEC signatures are produced with the zone's private key, not by anything on the network path, so an attacker who does not hold that key cannot produce a signature that validates, wherever they sit between the client and the nameserver.

What DNSSEC does NOT protect against:

  • The actual content of your website (that's HTTPS/TLS)
  • DDoS attacks against your nameservers
  • Attacks against users behind non-validating resolvers (not all resolvers validate DNSSEC, and a resolver that does not validate accepts a forged answer exactly as it did before)

DNSSEC and HTTPS are complementary: DNSSEC ensures you reach the right server; HTTPS ensures the connection is encrypted and the server is authenticated.


The Operational Risks of DNSSEC

DNSSEC introduces real operational complexity. The security community generally recommends it, but with clear awareness of the failure modes.

Key rollover — DNSSEC signing keys need periodic rotation. If a key rollover is performed incorrectly, your domain becomes unresolvable for DNSSEC-validating resolvers (roughly 30–35% of global DNS traffic uses DNSSEC validation, according to APNIC measurements).

Nameserver migration — If you change nameservers (see how to change nameservers without downtime), you must update the DS record at your registrar to match the key-signing key of the new DNS provider. Until you do, the DS at the parent points at a key your new nameservers do not serve, and DNSSEC validation fails for your domain.
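How the DS record at the parent is bound to the key-signing key in your zone (the chain of trust described above), and how a stale DS after a nameserver migration breaks that chain, as an added worked example that is not code from the article or from any DNS provider. It builds DNSKEY RDATA, computes the RFC 4034 key tag and the SHA-256 DS digest, and checks whether the DS published at the parent matches any key the zone actually serves. The zone name and both public keys are constructed placeholders, not real key material.

```python
import hashlib
import struct

# Constructed sample data for this example: a placeholder zone name and two
# placeholder 64-byte public keys (algorithm 13, ECDSAP256SHA256, uses raw 64-byte keys).
# None of this is real key material.
ZONE = "YourDomain.COM."                 # mixed case on purpose: DS hashing uses the lowercase name
OLD_KSK_PUBKEY = bytes(range(64))         # placeholder: the key your previous DNS provider used
NEW_KSK_PUBKEY = bytes(range(64, 128))    # placeholder: the key your new DNS provider generated

KSK_FLAGS = 257            # 256 = zone key, +1 = Secure Entry Point bit, i.e. a key-signing key
ALG_ECDSAP256SHA256 = 13
DIGEST_SHA256 = 2


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format (RFC 4034 s2.1): flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_wire_name(name: str) -> bytes:
    """Owner name as length-prefixed lowercase labels ending in the root label (RFC 4034 s6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def ds_from_dnskey(owner: str, rdata: bytes) -> str:
    """The DS record text the parent zone publishes: '<keytag> <alg> <digesttype> <digest>'.
    Digest type 2 is SHA-256 over canonical owner name || DNSKEY RDATA (RFC 4509)."""
    digest = hashlib.sha256(canonical_wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {DIGEST_SHA256} {digest}"


def normalize_ds(ds: str) -> str:
    """Registrars display DS records with varying case and spacing; compare a normalized form."""
    return " ".join(ds.upper().split())


def delegation_is_secure(owner: str, zone_dnskeys: list, parent_ds_records: list) -> bool:
    """True if at least one DS published at the parent matches a DNSKEY served by the zone.
    False is the 'stale DS' state: validating resolvers answer SERVFAIL for this zone."""
    expected = {normalize_ds(ds_from_dnskey(owner, rd)) for rd in zone_dnskeys}
    published = {normalize_ds(ds) for ds in parent_ds_records}
    return bool(expected & published)


if __name__ == "__main__":
    old_ksk = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, OLD_KSK_PUBKEY)
    new_ksk = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, NEW_KSK_PUBKEY)
    # What the old provider told you to paste into the registrar's DNSSEC settings:
    ds_at_registrar = ds_from_dnskey(ZONE, old_ksk)
    print("DS at registrar:", ds_at_registrar)
    print("before migration:", delegation_is_secure(ZONE, [old_ksk], [ds_at_registrar]))       # True
    # After moving to the new provider without updating the DS at the registrar:
    print("migrated, DS stale:", delegation_is_secure(ZONE, [new_ksk], [ds_at_registrar]))     # False
    # After pasting the new provider's DS into the registrar:
    print("migrated, DS updated:", delegation_is_secure(ZONE, [new_ksk], [ds_from_dnskey(ZONE, new_ksk)]))  # True
```

The same comparison, fed with the output of `dig yourdomain.com DNSKEY` and `dig yourdomain.com DS`, is the check to run before and after any nameserver change: the DS at the parent must match a KSK the new nameservers actually publish.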

Registrar support — Not all registrars support DNSSEC. You need a registrar that can publish DS records to the TLD zone. ICANN maintains a list of registrars supporting DNSSEC.


Enabling DNSSEC: The Practical Steps

Most managed DNS providers handle key generation and signing automatically. The only step you usually need to take manually is adding the DS record to your registrar.

With Cloudflare:

  1. Enable DNSSEC in your Cloudflare DNS settings (one click)
  2. Cloudflare generates the DS record and shows it to you
  3. Copy the DS record into your registrar's DNSSEC settings
  4. Cloudflare handles key rotation automatically

With Route 53:

  1. Enable DNSSEC signing in Route 53
  2. Route 53 generates key-signing keys (KSK) and zone-signing keys (ZSK)
  3. Copy the DS record shown by Route 53 into your registrar

Verify after enabling:

# Check DS record propagated to the TLD
dig yourdomain.com DS +short

# Validate the DNSSEC chain (ask a validating resolver, e.g. @1.1.1.1 or @8.8.8.8)
# +nocd is dig's default; the CD (checking disabled) bit must be clear for the resolver to validate
dig yourdomain.com +dnssec +nocd
# The 'ad' flag in the response confirms validation succeeded
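Reading the result of that verification step, and the SERVFAIL symptom described under monitoring, as an added example that is not code from the article or from the Domain Monitor product: a small parser that classifies a resolver's answer as validated, unsigned, signed-but-unvalidated, or bogus. The dig outputs below are constructed, abridged samples, not real captures. The second query with the CD bit set (`dig ... +cd`) is the standard way to tell a DNSSEC validation failure from a plain nameserver outage: a resolver with checking disabled still returns the (unvalidated) data when validation is what failed.

```python
import re

# Constructed, abridged dig outputs for this example (not real captures).
# Header and flags lines follow dig's format; the signature field is a placeholder.
SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
yourdomain.com. 300 IN A 192.0.2.10
yourdomain.com. 300 IN RRSIG A 13 2 300 20250101000000 20241201000000 59409 yourdomain.com. PLACEHOLDERSIG==
"""
INSECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
yourdomain.com. 300 IN A 192.0.2.10
"""
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
yourdomain.com. 300 IN A 192.0.2.10
yourdomain.com. 300 IN RRSIG A 13 2 300 20250101000000 20241201000000 59409 yourdomain.com. PLACEHOLDERSIG==
"""


def parse_dig(output: str) -> dict:
    """Pull the pieces that matter out of dig's text output: rcode, header flags, RRSIG presence."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    return {
        "status": status.group(1) if status else "NONE",
        "flags": set(flags.group(1).split()) if flags else set(),
        "rrsig": re.search(r"\sIN\s+RRSIG\s", output) is not None,
    }


def classify(normal: str, cd_bypass: str = None) -> str:
    """Classify a domain's DNSSEC state from a normal query and, on SERVFAIL, a +cd retry.

    secure              - resolver validated the chain ('ad' flag set)
    signed-unvalidated  - RRSIGs present but no 'ad': the resolver you asked does not validate
    insecure            - no signatures at all: the zone is not DNSSEC-signed
    bogus               - SERVFAIL normally, but data comes back with CD set: broken DNSSEC
    servfail-outage     - SERVFAIL even with CD set: the nameservers themselves are failing
    """
    n = parse_dig(normal)
    if n["status"] == "NOERROR":
        if "ad" in n["flags"]:
            return "secure"
        return "signed-unvalidated" if n["rrsig"] else "insecure"
    if n["status"] == "SERVFAIL":
        if cd_bypass is None:
            return "servfail-unknown"
        c = parse_dig(cd_bypass)
        if c["status"] == "NOERROR" and "cd" in c["flags"]:
            return "bogus"
        return "servfail-outage"
    return "error:" + n["status"]


if __name__ == "__main__":
    print("signed, validating resolver:", classify(SECURE))        # secure
    print("unsigned zone:", classify(INSECURE))                   # insecure
    print("stale DS / bad key rollover:", classify(BOGUS, BOGUS_CD))  # bogus
    print("nameservers down:", classify(BOGUS, BOGUS))            # servfail-outage
```

For a monitoring check, "bogus" is the state to alert on: ordinary uptime probes that use a non-validating resolver keep reporting the domain as healthy while every user behind a validating resolver gets SERVFAIL.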

Should You Enable DNSSEC?

Enable DNSSEC if:

  • Your DNS provider manages key rotation automatically (Cloudflare, Route 53, modern managed providers)
  • Your registrar supports DS record management
  • You have the operational maturity to handle nameserver migrations carefully

Consider waiting if:

  • Your DNS provider requires manual key management
  • You frequently change nameservers or DNS providers
  • You're not confident you'll remember to update DS records during migrations

Monitoring DNSSEC Health

A broken DNSSEC configuration silently breaks your domain for a significant portion of the internet — those users just get SERVFAIL and see nothing. Domain Monitor monitors your domain's DNS health including DNSSEC validity. Create a free account.

