DEV Community

Cover image for What Is DNSSEC and Should You Enable It?
Kishore Bhavnanie
Kishore Bhavnanie

Posted on • Originally published at dnsassistant.com

What Is DNSSEC and Should You Enable It?

#cybersecurity #infrastructure #networking #security

When your browser queries DNS for yourbank.com, how does it know the answer is legitimate? How does it know that the IP address returned actually came from the domain's authoritative nameserver, and wasn't injected by an attacker sitting between you and the resolver?

Without DNSSEC, the answer is: it doesn't. Standard DNS has no built-in mechanism to verify that responses are authentic. Resolvers accept whatever answer arrives first, and users trust whatever the resolver returns. This makes DNS vulnerable to cache poisoning, man-in-the-middle attacks, and response forgery.

DNSSEC (Domain Name System Security Extensions) was designed to fix this. It adds cryptographic signatures to DNS records, creating a verifiable chain of trust from the root zone down to your domain. When DNSSEC is properly configured, resolvers can mathematically prove that a DNS response is authentic and hasn't been tampered with.

But DNSSEC is also operationally complex. Misconfigured DNSSEC doesn't just fail silently — it can take your entire domain offline for every user on a validating resolver. The .de TLD outage in May 2026, where a botched key rollover made millions of German domains unreachable, demonstrated exactly how severe DNSSEC failures can be.

This guide explains how DNSSEC works, whether you should enable it, how to set it up with common DNS providers, and how to avoid the operational pitfalls that cause outages.

The Problem DNSSEC Solves

Standard DNS is a trust-on-first-use system. Your computer asks a recursive resolver for the IP address of example.com, the resolver walks the DNS hierarchy to find the answer, and returns whatever it gets. At no point in this process is the answer verified for authenticity.

This creates several attack vectors:

Cache Poisoning

An attacker floods a recursive resolver with forged DNS responses, trying to beat the legitimate response. If the forged response arrives first with the correct transaction ID (a 16-bit number, easily guessable), the resolver caches the fake answer and serves it to every user who queries that domain. The Kaminsky attack, disclosed in 2008, showed that cache poisoning was far easier than previously assumed and could be executed in seconds.

Man-in-the-Middle

An attacker positioned between the user and the resolver (on a public Wi-Fi network, for example) can intercept DNS queries and return fake responses. Without DNSSEC, the user's device has no way to detect the forgery.

Response Forgery at the Authoritative Level

An attacker who compromises the communication path between a recursive resolver and an authoritative nameserver can inject fake responses. BGP hijacking attacks have been used to redirect DNS traffic through attacker-controlled networks, allowing large-scale response forgery.

All of these attacks exploit the same fundamental weakness: standard DNS responses carry no proof of authenticity.

How DNSSEC Works

DNSSEC adds four new record types to DNS that together create a cryptographic chain of trust:

RRSIG (Resource Record Signature)

Every record set in a DNSSEC-signed zone has a corresponding RRSIG record containing a digital signature. When a resolver receives an A record, it also receives the RRSIG for that A record. The signature covers the record's name, type, class, TTL, and data, ensuring that none of these fields have been modified.

DNSKEY (DNS Public Key)

The zone publishes its public keys as DNSKEY records. There are two types:

  • Zone Signing Key (ZSK): Signs the individual record sets in the zone (A records, MX records, etc.)
  • Key Signing Key (KSK): Signs the DNSKEY record set itself. This creates a self-referencing trust anchor that the parent zone can vouch for.

DS (Delegation Signer)

The DS record lives in the parent zone (e.g., the .com zone for a .com domain) and contains a hash of the child zone's KSK. This is the link that chains trust between zones. The .com zone says "I vouch for this key for example.com," and example.com's DNSKEY records prove they hold the corresponding key.

NSEC/NSEC3 (Next Secure)

These records prove that a domain name does not exist (authenticated denial of existence). Without NSEC/NSEC3, an attacker could forge NXDOMAIN responses to make legitimate domains appear non-existent. NSEC3 is the newer variant that adds hashing to prevent zone enumeration (walking the entire zone to discover all domain names).

The Chain of Trust

DNSSEC validation works by walking the chain of trust from the root zone down:

  1. The root zone's KSK is hardcoded in validating resolvers as the trust anchor
  2. The root zone's DS record for .com vouches for the .com zone's KSK
  3. The .com zone's DS record for example.com vouches for example.com's KSK
  4. The example.com KSK validates the DNSKEY records, which contain the ZSK
  5. The ZSK validates the RRSIG signatures on individual record sets
  6. If every link in this chain is valid, the resolver accepts the response as authenticated

If any link breaks — an expired signature, a missing DS record, a key mismatch — the resolver returns SERVFAIL. This is by design: DNSSEC's security guarantee requires rejecting unverifiable responses rather than silently accepting them.

Should You Enable DNSSEC?

The short answer: yes, for most organizations, but with proper monitoring in place.

Arguments For

  • Protection against cache poisoning and response forgery. This is the core value. DNSSEC makes it cryptographically impossible to forge DNS responses without the zone's signing keys.
  • Enables DANE/TLSA. DANE allows you to pin TLS certificates in DNS, providing an alternative to the CA trust model. This requires DNSSEC to be meaningful.
  • Required for DNS-AID. The emerging AI agent discovery specification depends on DNSSEC for trust verification. Organizations planning to publish AI agents via DNS will need DNSSEC.
  • Compliance requirements. Some regulatory frameworks and government standards (including NIST and certain EU directives) recommend or require DNSSEC for public-facing domains.
  • Growing resolver support. Google Public DNS (8.8.8.8), Cloudflare (1.1.1.1), Quad9 (9.9.9.9), and most major ISP resolvers now validate DNSSEC. The protection is only effective when resolvers validate, and the majority now do.

Arguments Against

  • Operational complexity. DNSSEC requires ongoing key management: ZSK rotation (typically every 1-3 months), KSK rotation (typically annually), signature refresh before expiration, and DS record updates at the parent zone during KSK rollovers.
  • Failure mode is severe. A misconfigured DNSSEC deployment doesn't degrade gracefully. It causes SERVFAIL on all validating resolvers, taking your domain offline for a significant portion of the internet. The .de outage demonstrated this at TLD scale.
  • Increased DNS response size. DNSSEC signatures add significant data to DNS responses, which can cause issues with UDP packet size limits and increase the risk of DNS amplification attacks.
  • Doesn't encrypt queries. DNSSEC provides authentication and integrity, not confidentiality. DNS queries and responses are still visible to network observers. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) address confidentiality.

The Bottom Line

The benefits of DNSSEC outweigh the risks for most organizations, provided you have monitoring in place to catch configuration issues before they cause outages. The organizations that get burned by DNSSEC are the ones that enable it and forget about it, missing expired signatures or botched key rollovers until users start complaining.

How to Enable DNSSEC

The good news: most modern DNS providers handle the complexity of DNSSEC signing automatically. You don't need to manage keys and signatures manually. The process varies by provider but follows a general pattern.

Cloudflare

Cloudflare makes DNSSEC a one-click enable. In the Cloudflare dashboard, go to DNS → Settings → DNSSEC and click "Enable DNSSEC." Cloudflare displays the DS record values that you need to add at your domain registrar. Copy the DS record (key tag, algorithm, digest type, and digest) to your registrar's DNSSEC settings. Cloudflare handles all key generation, signing, rotation, and signature refresh automatically.

AWS Route 53

Route 53 supports DNSSEC signing for public hosted zones. In the Route 53 console, select your hosted zone, go to the DNSSEC signing tab, and enable signing. Route 53 uses AWS KMS for key management. After enabling, you need to create a chain of trust by adding the DS record to the parent zone (at your registrar). Route 53 handles ZSK rotation automatically but KSK rotation requires manual steps.

Google Cloud DNS

Google Cloud DNS supports DNSSEC with automatic signing. Enable it in the Cloud DNS console under your zone's DNSSEC settings. Google provides the DS record to add at your registrar. Key rotation is handled automatically.

GoDaddy

If GoDaddy is both your registrar and DNS provider, DNSSEC can be enabled in the DNS management section. If you use GoDaddy as registrar but a different DNS provider, you'll need to add the DS record provided by your DNS provider in GoDaddy's domain settings under DNS → DNSSEC.

The General Pattern

  1. Enable DNSSEC signing at your DNS provider — they generate keys and sign your zone
  2. Copy the DS record to your registrar — this establishes the chain of trust at the parent zone
  3. Verify the chain — use the DNS lookup tool at dnsassistant.com/tools to query your DNSKEY and DS records and confirm they're published correctly
  4. Set up monitoring — this is the step most organizations skip, and it's the most important one

Key Rollover: Where Things Go Wrong

The most dangerous operational task in DNSSEC is key rollover, the process of replacing an existing signing key with a new one. This must be done periodically (keys have a finite lifetime) and must be coordinated carefully between the zone's signing infrastructure and the parent zone's DS record.

ZSK Rollover

Zone Signing Keys are rotated more frequently (every 1-3 months). The standard approach is "pre-publication":

  1. Publish the new ZSK in the DNSKEY record set alongside the old one
  2. Wait for the old DNSKEY TTL to expire (so all resolvers have the new key cached)
  3. Start signing with the new ZSK
  4. Remove the old ZSK after its signatures expire

Most DNS providers handle this automatically.

KSK Rollover

Key Signing Key rollovers are higher risk because they require updating the DS record at the parent zone. The standard approach is "double-DS":

  1. Generate the new KSK and publish it in the DNSKEY record set
  2. Add the new KSK's DS record at the parent zone (at your registrar) alongside the old DS record
  3. Wait for both DS records to propagate
  4. Start signing the DNSKEY set with the new KSK
  5. Remove the old DS record from the parent zone
  6. Remove the old KSK from the DNSKEY record set

The danger is in the timing. If you remove the old DS record before the new one has propagated, or start signing with the new KSK before the new DS record is in place, resolvers can't validate the chain of trust. The result is SERVFAIL for your entire domain.

This is exactly what happened during the .de outage: DENIC's signing system produced non-validatable signatures during a scheduled KSK rollover, and millions of domains became unreachable for hours.

DNSSEC Failure Modes

Understanding how DNSSEC breaks helps you know what to monitor:

Expired RRSIG Signatures

Every RRSIG has an expiration timestamp. If your signing infrastructure stops refreshing signatures (due to a crash, a misconfiguration, or a key management failure), the existing signatures will eventually expire. Once they do, every validating resolver returns SERVFAIL for your domain. This failure is time-delayed, which makes it particularly insidious: the signing system can fail today and the outage won't manifest until the signatures expire days or weeks later.

DS / DNSKEY Mismatch

If the DS record at the parent zone doesn't match any DNSKEY in your zone, the chain of trust is broken. This happens during botched KSK rollovers or when the DS record is accidentally removed or modified at the registrar.

Algorithm Mismatch

The DS record specifies the signing algorithm. If your zone uses a different algorithm than what the DS record declares, validation fails. This typically happens during algorithm upgrades.

NSEC/NSEC3 Issues

As the .de outage demonstrated, broken signatures on NSEC3 records can make even unsigned child zones unresolvable. This is because resolvers need valid NSEC3 signatures to prove the absence of DS records for unsigned domains.

How to Verify Your DNSSEC Configuration

After enabling DNSSEC, verify the full chain:

Check Your Records

Use the DNS lookup tool at dnsassistant.com/tools to query:

  • DNSKEY records for your domain — you should see at least two keys (KSK and ZSK)
  • DS records for your domain — query the parent zone to confirm the DS record exists and matches your KSK
  • RRSIG records — confirm that signatures exist and check their expiration dates

Run a Domain Risk Report

The Free Domain Risk Report includes DNSSEC validation as part of its comprehensive scan. It checks whether DNSSEC is enabled, whether the chain of trust is intact, and flags any configuration issues.

Monitor Continuously

Point-in-time checks tell you DNSSEC is working right now. They don't catch the signature that expires next Tuesday, the KSK rollover that fails at 3 AM, or the DS record that someone accidentally deletes during a registrar migration.

DNS Assistant monitors your DNSSEC chain of trust continuously:

  • Signature expiration tracking: Alerts before RRSIG signatures expire, giving you time to fix signing issues before they cause outages
  • Chain of trust validation: Verifies that DS records match DNSKEY records and that the full chain from root to your domain is intact
  • Key change detection: Alerts when DNSKEY or DS records change, whether from a planned rollover or an unauthorized modification
  • SOA serial monitoring: Detects zone changes that may indicate re-signing events
  • Multi-channel alerts: Email, Slack, Microsoft Teams, webhooks, and SMS ensure your team knows about DNSSEC issues immediately

DNSSEC Best Practices

  1. Use a provider that handles signing automatically. Cloudflare, Route 53, Google Cloud DNS, and most major providers manage ZSK rotation and signature refresh automatically. Don't run your own signing infrastructure unless you have a dedicated DNS engineering team.
  2. Monitor RRSIG expiration. This is the most common cause of DNSSEC outages. Know when your signatures expire and ensure your signing infrastructure is refreshing them well before the deadline.
  3. Test KSK rollovers in staging first. If your provider requires manual KSK rollover steps, practice the process on a non-production domain before doing it on your primary domain.
  4. Keep both old and new DS records during rollovers. The double-DS method is safer than the double-signature method for KSK rollovers. Only remove the old DS record after confirming the new one has fully propagated.
  5. Have a rollback plan. Know how to disable DNSSEC quickly if something goes wrong. This typically means removing the DS record at the registrar. Once the DS record's TTL expires, resolvers stop validating and your domain resolves normally again (without DNSSEC protection).
  6. Set up monitoring before you enable DNSSEC. DNS Assistant should be tracking your domain's records before you flip the switch, so you have a baseline and immediate visibility into any issues the enabling process causes.

Get Started

DNSSEC is a meaningful security improvement for any domain, but only when it's properly managed and monitored. The difference between a well-run DNSSEC deployment and a catastrophic outage is visibility: knowing when signatures are expiring, when keys are changing, and when the chain of trust is at risk.

Check your current setup: Use the DNS lookup tool to query your DNSKEY and DS records, or run a Free Domain Risk Report for a full DNSSEC validation alongside DNS, email authentication, and TLS checks.

For continuous DNSSEC monitoring with real-time alerting, sign up at dnsassistant.com.

Top comments (0)