Reference: RFC 4033 (DNS Security Introduction and Requirements)

DNSSEC: Domain Name System Security Extensions

DNSSEC adds cryptographic signatures to DNS responses so resolvers can verify the data wasn't tampered with in transit. Foundation for DANE, MTA-STS, and trust in DNS-published security policies.

TL;DR

  1. Sign your zone, publish DNSKEY records, hand a DS record to your registrar.
  2. Validating resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9) check the chain and set the AD bit when valid.
  3. Required for DANE and strongly recommended for any DNS-based security policy.

Video: How DNSSEC signs your DNS records and the chain of trust (DS record at your registrar) that proves them.

What it does

DNS was designed to be fast and lightweight, not secure. Anyone on the path between a resolver and an authoritative server can forge responses (DNS hijacking, cache poisoning). DNSSEC closes that gap by signing each response with a private key whose public counterpart you publish in DNS.

Validating resolvers verify the signature chain: your zone's records are signed by your zone-signing key, your zone-signing key is signed by your key-signing key, and a DS record at your parent zone (e.g. .com or .io) delegates trust to your key-signing key.

Without DNSSEC, MTA-STS, DANE, and even DKIM key publication can all be subverted by anyone in the DNS path. With DNSSEC, the receiver can prove the records they got are authentic.

How it works

  1. Generate a Key Signing Key (KSK) and Zone Signing Key (ZSK) for your zone.

  2. Sign every record set in your zone with the ZSK; sign the DNSKEY record with the KSK.

  3. Compute a DS record (Delegation Signer), a hash of your KSK, and submit it to your registrar.

  4. The registrar publishes the DS record at the parent zone, completing the chain of trust from root → TLD → your zone.

  5. Validating resolvers walk the chain on every query and set the AD (Authenticated Data) bit on responses they verified successfully.
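Steps 3 and 5 above are the two places where a mistake is invisible until a validating resolver rejects the zone, so they are worth being able to reproduce by hand. The following is an added example, not code from the page or from any DNS tool: it computes the DS record (key tag per RFC 4034 Appendix B, digest per RFC 4034 Section 5.1.4, over the owner name in wire format followed by the DNSKEY RDATA) for a DNSKEY given in presentation format, and checks the AD flag in a raw DNS message header. The DNSKEY value, the header bytes and the `example.com.` owner name are constructed placeholders, not real keys or real traffic. Compare the output against what your signer or registrar shows before submitting anything.

```python
"""DS-record computation and AD-bit check for the DNSSEC chain of trust.

Added example, not code from the page or any DNS project. Implements the key
tag of RFC 4034 Appendix B and the DS digest of RFC 4034 Section 5.1.4 with
only the standard library. SAMPLE_DNSKEY is a constructed placeholder.
"""
import base64
import hashlib
import struct

# Constructed sample: a KSK (flags 257 = ZONE + SEP), protocol 3,
# algorithm 13 (ECDSA P-256/SHA-256) with a fake 64-byte public key.
SAMPLE_DNSKEY = (
    "example.com. IN DNSKEY 257 3 13 "
    + base64.b64encode(bytes(range(64))).decode("ascii")
)

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DS_DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed
    labels, terminated by the empty root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum the RDATA as 16-bit words (high
    byte at even offsets, low byte at odd offsets), fold the carry, keep 16
    bits. Algorithm 1 (RSA/MD5) used a different formula and is obsolete."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(record: str):
    """Split a DNSKEY record in presentation format. An optional TTL between
    owner and class is tolerated; the base64 key may span several tokens."""
    fields = record.split()
    owner = fields[0]
    cls_index = fields.index("IN")
    if fields[cls_index + 1] != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    flags, protocol, algorithm = (int(x) for x in fields[cls_index + 2 : cls_index + 5])
    public_key = base64.b64decode("".join(fields[cls_index + 5 :]))
    return owner, flags, protocol, algorithm, public_key


def ds_record(record: str, digest_type: int = 2) -> str:
    """Compute the DS record a registrar needs for the given KSK DNSKEY.
    The digest covers the owner name (wire format) followed by the RDATA."""
    owner, flags, protocol, algorithm, public_key = parse_dnskey(record)
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = DS_DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def has_ad_bit(header: bytes) -> bool:
    """True if the AD (Authenticated Data) flag is set in a 12-byte DNS
    message header; AD is bit 0x0020 of the 16-bit flags word."""
    (flags,) = struct.unpack("!H", header[2:4])
    return bool(flags & 0x0020)


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
    # Constructed header: ID 0x1234, flags 0x81A0 = QR, RD, RA and AD set.
    print("AD bit set:", has_ad_bit(b"\x12\x34\x81\xa0" + b"\x00" * 8))
```

Two caveats a practitioner should keep in mind. The key tag is not unique (it is a 16-bit checksum), so a matching tag on its own does not prove the DS was derived from your key; the digest is the binding value. And the AD bit is only meaningful on the hop between a stub and the validating resolver it trusts: anyone who can forge a response to the stub can set AD too, so check it only on answers from a local validator or over an authenticated transport.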

Example record

DNSKEY records on your zone (DS record at parent):

    your-domain.com. IN DNSKEY 257 3 13 ABCD...   ; KSK
    your-domain.com. IN DNSKEY 256 3 13 WXYZ...   ; ZSK

Common pitfalls

  • Forgetting to upload the DS record to the registrar. Your zone is signed but the chain breaks at the parent; resolvers see signed data they can't validate (the dreaded 'partial deployment').

  • Not rotating keys (especially the ZSK). Annual rotation is the floor; some registrars enforce it.

  • Using DNSSEC algorithm 5 (RSA/SHA-1). Deprecated; use algorithm 13 (ECDSA P-256) or 8 (RSA/SHA-256).

  • Letting DNSSEC expire without renewing. Signatures have validity windows; an expired RRSIG makes your zone unresolvable for any validating resolver.
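Two of these pitfalls, a deprecated algorithm and a signature that is about to expire, can be caught by a routine check of the zone's own DNSKEY and RRSIG records. The following is an added example, not code from the page or from any DNS tool: it parses DNSKEY and RRSIG records in presentation format (RFC 4034 Sections 2.2 and 3.2), flags keys whose algorithm RFC 8624 marks MUST NOT or NOT RECOMMENDED for signing (which includes algorithm 5 from the list above), and flags signatures that have expired, are not yet valid, or expire within a warning window. The records, the fake keys and signatures, and the fixed clock are constructed samples.

```python
"""Zone-signing hygiene check: deprecated DNSKEY algorithms and RRSIG
validity windows.

Added example, not code from the page or any DNS tool. Parses DNSKEY and
RRSIG records in presentation format; SAMPLE_RECORDS and SAMPLE_NOW are
constructed inputs.
"""
import datetime as dt

# Signing algorithms RFC 8624 marks MUST NOT or NOT RECOMMENDED.
DEPRECATED_ALGORITHMS = {
    1: "RSA/MD5",
    3: "DSA/SHA-1",
    5: "RSA/SHA-1",
    6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1",
}

# Constructed sample zone data (the base64 keys and signatures are fake).
SAMPLE_RECORDS = [
    "example.com. 3600 IN DNSKEY 257 3 13 a2V5MQ==",
    "legacy.example.com. 3600 IN DNSKEY 256 3 5 a2V5Mg==",
    "example.com. 3600 IN RRSIG A 13 2 3600 20240615000000 20240515000000 12345 example.com. c2lnMQ==",
    "old.example.com. 3600 IN RRSIG A 13 3 3600 20240520000000 20240420000000 12345 example.com. c2lnMg==",
    "soon.example.com. 3600 IN RRSIG A 13 3 3600 20240602120000 20240503000000 12345 example.com. c2lnMw==",
]
# Constructed "current time" so the run is reproducible.
SAMPLE_NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)


def parse_rrsig_time(value: str) -> dt.datetime:
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC."""
    return dt.datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)


def audit_zone(records, now=None, warn_days=7):
    """Return (level, message) findings; level is 'error' or 'warning'.
    Field layout after the class token: DNSKEY flags protocol algorithm ...
    and RRSIG type-covered algorithm labels orig-ttl expiration inception
    key-tag signer signature."""
    now = now or dt.datetime.now(dt.timezone.utc)
    findings = []
    for line in records:
        fields = line.split()
        owner = fields[0]
        i = fields.index("IN")
        rtype = fields[i + 1]
        if rtype == "DNSKEY":
            algorithm = int(fields[i + 4])
            if algorithm in DEPRECATED_ALGORITHMS:
                name = DEPRECATED_ALGORITHMS[algorithm]
                findings.append(("error", f"{owner} DNSKEY uses deprecated algorithm {algorithm} ({name})"))
        elif rtype == "RRSIG":
            covered = fields[i + 2]
            expiration = parse_rrsig_time(fields[i + 6])
            inception = parse_rrsig_time(fields[i + 7])
            if inception > now:
                # Clock skew or a pre-published signature: validators reject it too.
                findings.append(("error", f"{owner} RRSIG over {covered} is not yet valid (inception {inception:%Y-%m-%d %H:%M}Z)"))
            elif expiration <= now:
                findings.append(("error", f"{owner} RRSIG over {covered} expired at {expiration:%Y-%m-%d %H:%M}Z"))
            elif expiration - now < dt.timedelta(days=warn_days):
                days_left = (expiration - now).total_seconds() / 86400
                findings.append(("warning", f"{owner} RRSIG over {covered} expires in {days_left:.1f} days"))
    return findings


if __name__ == "__main__":
    for level, message in audit_zone(SAMPLE_RECORDS, SAMPLE_NOW):
        print(f"[{level}] {message}")
```

Feed it the output of `dig +dnssec` for your own names, or the signed zone file your signer produces. Set `warn_days` larger than the signer's resign interval so that a signer that has silently stopped re-signing shows up as a warning well before the signatures lapse and validating resolvers start returning SERVFAIL.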