What Is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is a set of protocols that adds cryptographic authentication to DNS responses. It doesn't encrypt DNS queries — it verifies that the answers you receive are authentic and haven't been tampered with.
Think of DNS as a phone book for the internet. When you type example.com, your computer asks a DNS server: "What's the IP address for this domain?" The DNS server responds with something like 93.184.216.34.
The problem: standard DNS has no way to verify that this answer is correct. An attacker who can intercept or forge DNS responses can send you to a different IP address entirely — one they control.
DNSSEC solves this by adding digital signatures to DNS records. Your computer can verify these signatures to confirm that the DNS response really came from the domain owner and hasn't been modified in transit.
How DNS Spoofing Works
DNS spoofing (also called DNS cache poisoning) is an attack where a malicious actor injects fake DNS records into a resolver's cache. Here's how it works:
The Kaminsky Attack (Simplified)
- 1Attacker targets a DNS resolver — This is the DNS server that your ISP or company operates, the one your computer asks for DNS lookups.
- 1Attacker sends a flood of forged responses — Before the legitimate DNS server can respond, the attacker sends thousands of fake responses with guessed transaction IDs.
- 1If a forged response arrives first — The resolver caches the fake IP address. Now everyone using that resolver who visits
example.comgets sent to the attacker's server.
- 1The fake record persists — The poisoned cache entry remains valid for the TTL (Time To Live) period, which can be hours or even days.
What Happens After a Successful Attack
Once DNS is poisoned, the attacker controls where your users go:
- Phishing — Users see
example.comin their browser bar but are on the attacker's server. The SSL certificate won't match (unless the attacker has obtained one), but many users ignore certificate warnings. - Email hijacking — MX record poisoning redirects all email for the domain to the attacker's mail server.
- Credential theft — A cloned login page captures usernames and passwords.
- Malware distribution — Software updates or downloads are replaced with malicious versions.
The Scale of the Problem
DNS spoofing isn't theoretical. Major ISPs have been targeted, and the Kaminsky vulnerability (discovered in 2008) affected virtually every DNS implementation in the world. While mitigations were deployed rapidly, DNS remains fundamentally unauthenticated without DNSSEC.
How DNSSEC Prevents It
DNSSEC creates a chain of trust from the DNS root zone all the way down to your domain. Every DNS record is accompanied by a cryptographic signature that proves:
- 1Authenticity — The record was created by the domain owner (or their DNS provider)
- 2Integrity — The record hasn't been modified in transit
- 3Non-existence — If a record doesn't exist, that non-existence is also authenticated (preventing certain types of attacks)
The Chain of Trust
Root Zone (.) — Signs .com zone's keys
↓
.com Zone — Signs example.com zone's keys
↓
example.com Zone — Signs individual DNS records
↓
A Record: 93.184.216.34 — Verified authenticEach level signs the keys for the level below it. The root zone's keys are the trust anchor — they're hardcoded into DNS resolvers worldwide.
Validation Process
When a DNSSEC-aware resolver looks up example.com:
- 1It receives the A record (the IP address) along with its RRSIG (signature)
- 2It fetches the DNSKEY for
example.comto verify the RRSIG - 3It fetches the DS record from the
.comzone to verify the DNSKEY - 4It verifies the
.comzone's keys against the root zone's trust anchor - 5If all signatures check out, the answer is authenticated
- 6If any signature fails, the resolver returns SERVFAIL (no answer) rather than an unverified one
DNSSEC Components (DS, DNSKEY, RRSIG Records)
DNSSEC introduces several new DNS record types:
### DNSKEY Record Contains the public key used to sign DNS records for a zone. There are typically two types:
- KSK (Key Signing Key) — Signs the DNSKEY record set itself. This is the key referenced by the parent zone's DS record. Flags: 257.
- ZSK (Zone Signing Key) — Signs all other records in the zone. Rotated more frequently. Flags: 256.
example.com. 3600 IN DNSKEY 257 3 13 (
mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+
KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
)### RRSIG Record The signature for a specific record set. Each DNS record type has its own RRSIG:
example.com. 3600 IN RRSIG A 13 2 3600 (
20250401000000 20250301000000 12345 example.com.
oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr
PYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o
B9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3t
GNazPwQKkRN20XPXV6nwwfoXmJQbsLNNLfkE
i9M7NAT/aVf3tyP8ywP8eCCNk=
)### DS Record A hash of the child zone's DNSKEY, stored in the parent zone. This is the link in the chain of trust:
example.com. 3600 IN DS 12345 13 2 (
49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
)The DS record lives in the .com zone and says: "The DNSKEY for example.com should hash to this value."
### NSEC / NSEC3 Records These prove that a record does NOT exist (authenticated denial of existence). Without these, an attacker could strip DNSSEC signatures and return unsigned, fake "does not exist" responses.
Should You Enable DNSSEC?
Reasons to Enable DNSSEC
- Prevents DNS spoofing — The primary benefit. Attackers can't forge DNS responses.
- Protects email — Combined with DANE, DNSSEC can authenticate your mail server's TLS certificate.
- Compliance — Some regulations and frameworks recommend or require DNSSEC.
- Builds trust — Shows security-conscious posture to technical evaluators.
- No performance impact on visitors — Validation happens at the resolver level; end users don't notice any difference.
Potential Drawbacks
- DNS management complexity — Key rotation and signature management add operational overhead (though most DNS providers automate this).
- Larger DNS responses — DNSSEC records increase response sizes, which can occasionally cause issues with UDP packet sizes (requiring TCP fallback).
- Risk of self-inflicted outage — If DNSSEC is misconfigured (expired signatures, wrong DS record at registrar), your domain becomes unreachable for validating resolvers.
- Resolver support varies — Not all DNS resolvers validate DNSSEC. Major ones (Google 8.8.8.8, Cloudflare 1.1.1.1) do, but some ISP resolvers don't.
### Verdict Yes, enable DNSSEC — especially if you use a managed DNS provider that handles key rotation automatically (Cloudflare, AWS Route 53, Google Cloud DNS, dnsimple). The operational risk is minimal with modern tooling.
How to Enable DNSSEC (by Registrar)
Enabling DNSSEC is a two-step process: configure it at your DNS provider, then add the DS record at your domain registrar.
Cloudflare (DNS Provider + Registrar)
If Cloudflare manages both your DNS and domain registration, enabling DNSSEC is one click:
- 1Log in to Cloudflare Dashboard
- 2Select your domain
- 3Go to DNS > Settings
- 4Click Enable DNSSEC
- 5Cloudflare automatically adds the DS record since it's also the registrar
If Cloudflare manages DNS but your registrar is elsewhere: 1. Enable DNSSEC in Cloudflare 2. Cloudflare shows you the DS record details 3. Log in to your registrar and add the DS record manually
AWS Route 53
# Enable DNSSEC signing
aws route53 enable-hosted-zone-dnssec \
--hosted-zone-id Z1234567890
# Get the DS record to add at your registrar
aws route53 get-dnssec \
--hosted-zone-id Z1234567890Google Cloud DNS
# Enable DNSSEC for a managed zone
gcloud dns managed-zones update my-zone \
--dnssec-state on
# Get DS records
gcloud dns managed-zones describe my-zone \
--format="value(dnssecConfig.defaultKeySpecs)"Manual Setup (BIND)
For self-hosted DNS:
# Generate KSK
dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com
# Generate ZSK
dnssec-keygen -a ECDSAP256SHA256 example.com
# Sign the zone
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) \
-N INCREMENT -o example.com -t example.com.zoneVerify Your DNSSEC Is Working
Command Line
# Check if DNSSEC is enabled
dig +dnssec example.com A
# Look for the 'ad' (Authenticated Data) flag in the response
# flags: qr rd ra ad; means DNSSEC validated
# Check DS record at parent
dig +short example.com DS
# Verify the chain of trust
dig +sigchase +trusted-key=./trusted-key.key example.com AOnline Tools
- DNSViz (dnsviz.net) — Visual representation of your DNSSEC chain
- Verisign DNSSEC Debugger — Step-by-step validation check
- DNSSEC Analyzer (dnssec-analyzer.verisignlabs.com) — Detailed diagnostic
Common Issues
| Problem | Symptom | Fix |
|---|---|---|
| Missing DS record | DNSSEC signed but not validated | Add DS record at registrar |
| Expired RRSIG | SERVFAIL for validating resolvers | Re-sign zone or fix auto-signing |
| DS/DNSKEY mismatch | SERVFAIL | Update DS record at registrar to match current KSK |
| Algorithm mismatch | Partial validation failures | Ensure consistent algorithm across KSK, ZSK, and DS |
DNSSEC and Email Security
DNSSEC strengthens email security in several ways:
### Protecting MX Records Without DNSSEC, an attacker who poisons your MX records can redirect all email for your domain to their server. With DNSSEC, MX records are cryptographically authenticated.
### DANE (DNS-Based Authentication of Named Entities) DANE uses DNSSEC to publish TLS certificate information in DNS (via TLSA records). This allows mail servers to verify each other's certificates without relying solely on certificate authorities.
# TLSA record — pins the certificate for mail.example.com
_25._tcp.mail.example.com. IN TLSA 3 1 1 (
2b8d0f87a5f5... # SHA-256 hash of the certificate
)### SPF, DKIM, DMARC Protection SPF, DKIM, and DMARC all rely on DNS records. DNSSEC ensures these records can't be spoofed:
- SPF — An attacker can't forge your SPF record to authorize their mail server
- DKIM — The public key in your DKIM DNS record is authenticated
- DMARC — Your DMARC policy can't be altered by an attacker
Without DNSSEC, an attacker who poisons your DNS could modify or remove your SPF/DKIM/DMARC records, making email spoofing much easier.
How ZeriFlow Checks Your DNS Security
ZeriFlow includes DNS security as part of its comprehensive website scan. In under 60 seconds, it checks:
- DNSSEC status — Whether your domain has DNSSEC enabled and properly configured
- SPF record — Whether your domain has a valid SPF record that limits authorized mail senders
- DKIM — Whether DKIM signing is configured
- DMARC policy — Whether you have a DMARC record and what policy it enforces
- DNS configuration — CAA records, nameserver security, and other DNS best practices
Each finding comes with a specific recommendation. If DNSSEC isn't enabled, ZeriFlow tells you exactly what to do based on your DNS provider and registrar.
DNS security is one of the most overlooked aspects of web security. Most website owners focus on SSL certificates and security headers but forget that the entire system depends on DNS being trustworthy. DNSSEC is the foundation that makes everything else reliable.
Scan your domain at zeriflow.com to see your complete DNS security status alongside all other security categories.