DNSSEC: Domain Name System Security Extensions
DNSSEC adds cryptographic signatures to DNS data so that validating resolvers can verify a response came from the zone's operator and was not altered in transit. It is required for DANE and is the basis for trusting any security policy you publish in DNS (SPF, DMARC, DKIM keys). MTA-STS is the exception: it was deliberately designed to work without DNSSEC by fetching its policy over HTTPS.
TL;DR
- Sign your zone, publish DNSKEY records, hand a DS record to your registrar.
- Validating resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9) check the chain, answer SERVFAIL when it is broken, and set the AD (Authenticated Data) bit on answers that validated.
- Required for DANE and strongly recommended for any DNS-based security policy.
What it does
DNS was designed to be fast and lightweight, not secure. Anyone on the path between a resolver and an authoritative server, or anyone who can race a forged answer into a resolver's cache, can substitute records (DNS hijacking, cache poisoning). DNSSEC closes that gap by signing every record set in the zone with a private key whose public half you publish in DNS as a DNSKEY record. It authenticates the data and proves it was not altered; it does not encrypt queries or hide them from observers (that is the job of DNS over TLS or HTTPS).
Validating resolvers verify a chain of signatures: each of your record sets carries an RRSIG made with your zone-signing key (ZSK); your DNSKEY record set, which holds both keys, is signed by your key-signing key (KSK); and a DS record in your parent zone (.com, .io, ...) commits to a hash of that KSK. The parent's DS is in turn signed with the parent's keys, and so on up to the root zone, whose KSK is the trust anchor every validating resolver ships with.
Without DNSSEC, anyone who can forge your DNS responses can replace the TLSA records DANE depends on, serve a substitute DKIM public key so that their own signatures verify, or rewrite your SPF and DMARC policy. MTA-STS was built for that world: its policy is fetched over HTTPS and cached, so DNSSEC only hardens the first-time discovery of the _mta-sts TXT record. With DNSSEC, the receiver can prove the records it got are the ones you published.
How it works
- Generate a Key Signing Key (KSK) and a Zone Signing Key (ZSK) for your zone. The split exists so the KSK, which the parent's DS commits to, can be rolled rarely while the ZSK is rolled freely; a single combined key is also valid.
- Sign every record set in the zone with the ZSK, producing one RRSIG per RRset; sign the DNSKEY RRset with the KSK.
- Compute a DS record (Delegation Signer) from the KSK: a digest (SHA-256, digest type 2) over the owner name and the KSK's DNSKEY RDATA, together with the key's tag and algorithm number. Hand that DS to your registrar.
- The registrar passes the DS to the registry, which publishes it in the parent zone and signs it there, completing the chain of trust from root → TLD → your zone.
- Validating resolvers walk the chain (caching each link) and set the AD (Authenticated Data) bit on responses they verified, for clients that asked for it (DO or AD bit set in the query). A chain that fails to validate yields SERVFAIL rather than the forged data.
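The DS computation from the steps above, as an added example that is not code from the original page: it derives the DS RDATA (key tag, algorithm, digest type, digest) from a DNSKEY's owner name and RDATA, following RFC 4034 section 5.1.4 and Appendix B, and checks it against the DS the parent serves. The DNSKEY material is a constructed 64-byte placeholder, not a real key.

```python
"""Derive a DS record from a DNSKEY and compare it with the parent's copy.

Added example (not code from the original page): implements the DS digest of
RFC 4034 section 5.1.4 / RFC 4509 and the key tag of RFC 4034 Appendix B.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (legacy), 2 = SHA-256 (what you should publish), 4 = SHA-384
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample key: 64 bytes of 0x42, the length of a P-256 public key for
# algorithm 13. It is NOT a valid curve point; it only exercises the encoding.
SAMPLE_KEY_B64 = base64.b64encode(b"\x42" * 64).decode()


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    labels lowercased, each prefixed by its length, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = KSK/SEP, 256 = ZSK), 8-bit protocol (always 3),
    8-bit algorithm number, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; valid for every
    algorithm except the obsolete RSA/MD5, which has its own rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """DS RDATA in presentation format: '<key tag> <algorithm> <digest type> <hex digest>',
    where the digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, parent_ds: str) -> bool:
    """True if the DS the parent publishes was derived from this DNSKEY.
    Tolerates case and whitespace differences in the parent's copy (dig may
    wrap the digest) but requires tag, algorithm, digest type and digest to agree."""
    fields = parent_ds.split()
    if len(fields) < 4:
        return False
    tag, alg, dtype = fields[:3]
    digest = "".join(fields[3:]).upper()
    if not dtype.isdigit() or int(dtype) not in DIGEST_TYPES:
        return False
    computed = ds_record(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return computed.split() == [tag, alg, dtype, digest]


if __name__ == "__main__":
    ds = ds_record("example.com.", 257, 3, 13, SAMPLE_KEY_B64)
    print("example.com. IN DS", ds)
    # A stale DS (wrong key tag, e.g. left over from a previous KSK) must not match.
    stale = "12345 " + " ".join(ds.split()[1:])
    print("matches own DS:  ", ds_matches("example.com.", 257, 3, 13, SAMPLE_KEY_B64, ds))
    print("matches stale DS:", ds_matches("example.com.", 257, 3, 13, SAMPLE_KEY_B64, stale))
```

Feed it the DNSKEY your zone actually serves (`dig example.com. DNSKEY +short`, flags 257 for the KSK) and compare with `dig example.com. DS +short`, which the parent answers. A mismatch is exactly the stale-DS condition that makes a zone bogus after a KSK roll or a provider migration.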
Example record
DNSKEY records on your zone (DS record at parent)
Common pitfalls
- Forgetting to upload the DS record to the registrar. Your zone is signed, but with no DS at the parent validating resolvers treat it as insecure: the signatures are ignored and you get none of the protection (an 'island of security'). The opposite mistake is worse: a DS at the parent that matches no published KSK (a stale DS after a key roll, or one left behind after moving DNS providers) makes the zone bogus, and every validating resolver returns SERVFAIL.
- Never rotating keys, or rotating them without a rehearsed procedure. Use the pre-publish rollover for the ZSK and the double-signature rollover for the KSK (RFC 6781); a KSK roll also requires a new DS at the parent, so do not remove the old key until the old DS has expired from caches.
- Using algorithm 5 (RSA/SHA-1) or 7 (RSASHA1-NSEC3-SHA1). Both are SHA-1 based and no longer recommended for signing (RFC 8624); use 13 (ECDSA P-256/SHA-256), 15 (Ed25519), or 8 (RSA/SHA-256) with a 2048-bit key.
- Letting signatures expire. Every RRSIG carries an inception and an expiration time, and re-signing is a job that has to keep running; an expired RRSIG makes the affected records fail validation (SERVFAIL) at every validating resolver. Monitor the remaining validity of your RRSIGs, and keep the signer's clock correct, since an inception time in the validator's future fails just as hard.
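A check for the last pitfall, as an added example that is not part of the original page: it parses RRSIG lines in `dig +dnssec` presentation format and classifies each signature against a reference clock as ok, expiring, expired or not yet valid. The answer section below is constructed, with placeholder signature data, and the 5-minute skew allowance and 3-day warning threshold are assumptions, not values from the page.

```python
"""Flag RRSIGs that are expired, about to expire, or not yet valid.

Added example (not code from the original page). It reads answer sections in
`dig +dnssec` presentation format; the sample below is constructed, with
placeholder signature data, so only the timestamps are meaningful.
"""
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034 section 3.2):
#   <owner> <ttl> IN RRSIG <type covered> <alg> <labels> <orig ttl>
#          <expiration> <inception> <key tag> <signer> <signature>
# Expiration precedes inception; both are YYYYMMDDHHmmSS in UTC.
SAMPLE_ANSWER = """\
example.com.                      3600 IN MX    10 mail.example.com.
example.com.                      3600 IN RRSIG MX 13 2 3600 20240315000000 20240301000000 19542 example.com. c29tZXNpZw==
example.com.                      3600 IN TXT   "v=spf1 mx -all"
example.com.                      3600 IN RRSIG TXT 13 2 3600 20240303120000 20240217120000 19542 example.com. c29tZXNpZw==
selector1._domainkey.example.com. 3600 IN TXT   "v=DKIM1; k=rsa; p=c29tZWtleQ=="
selector1._domainkey.example.com. 3600 IN RRSIG TXT 13 4 3600 20240228000000 20240214000000 19542 example.com. c29tZXNpZw==
_mta-sts.example.com.              300 IN TXT   "v=STSv1; id=20240101"
_mta-sts.example.com.              300 IN RRSIG TXT 13 3 300 20240401000000 20240310000000 19542 example.com. c29tZXNpZw==
"""

# Fixed reference clock for the constructed sample (a real monitor uses the current time).
NOW = datetime(2024, 3, 2, 0, 0, tzinfo=timezone.utc)


def _rrsig_time(field: str) -> datetime:
    """Parse YYYYMMDDHHmmSS. The presentation form sidesteps the 32-bit
    serial-number wraparound of the wire form (RFC 4034 section 3.1.5)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(answer: str):
    """Yield (owner, type covered, inception, expiration) for each RRSIG line."""
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[2] != "IN" or fields[3] != "RRSIG":
            continue
        yield fields[0], fields[4], _rrsig_time(fields[9]), _rrsig_time(fields[8])


def check_rrsigs(answer: str, now: datetime,
                 warn_before: timedelta = timedelta(days=3),
                 skew: timedelta = timedelta(minutes=5)) -> dict:
    """Classify every RRSIG as 'ok', 'expiring', 'expired' or 'not-yet-valid'.

    skew allows for clock differences between signer and validator. warn_before
    should exceed your re-signing interval plus the zone's largest TTL, so a
    missed signing run is caught while cached copies are still valid."""
    results = {}
    for owner, covered, inception, expiration in parse_rrsigs(answer):
        if now + skew < inception:
            status = "not-yet-valid"   # signer clock ahead, or signatures published too early
        elif now - skew > expiration:
            status = "expired"         # validators now answer SERVFAIL for this RRset
        elif expiration - now < warn_before:
            status = "expiring"        # re-signing is late; act before it becomes 'expired'
        else:
            status = "ok"
        results[(owner, covered)] = status
    return results


def zone_healthy(results: dict) -> bool:
    """Healthy only if no signature is outside its validity window."""
    return all(status in ("ok", "expiring") for status in results.values())


def run_sample(now: datetime = NOW) -> dict:
    """Run the check over the constructed sample at the fixed reference clock."""
    return check_rrsigs(SAMPLE_ANSWER, now)


if __name__ == "__main__":
    results = run_sample()
    for (owner, covered), status in results.items():
        print(f"{status:14} {owner} RRSIG {covered}")
    print("zone healthy:", zone_healthy(results))
```

In the sample, the MX signature is fine, the SPF record's signature expires in a day and a half, the DKIM key's signature has already expired, and the _mta-sts signature is not valid yet because its inception date lies in the future (the symptom of a signer whose clock is wrong or of publishing pre-signed data too early). Pipe a live `dig +dnssec example.com. MX` answer section into `check_rrsigs` with `datetime.now(timezone.utc)` to use it for real.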
Want PhishFence to monitor DNSSEC for your domains?
Sign up free, add a domain, and PhishFence will continuously check DNSSEC (and the rest of the email-auth stack) for you.