DNSSEC Explained: Signing the DNS

Updated: 2026-05-31

Plain DNS has no authentication: a resolver cannot tell a genuine answer from a forged one injected by an attacker (cache poisoning). DNSSEC fixes this by signing DNS records so their integrity and origin can be verified.

The records involved

Record      Role
DNSKEY      The zone's public keys (KSK and ZSK)
RRSIG       A signature over a record set, made with the zone's private key
DS          A hash of the zone's KSK, published in the parent zone
NSEC/NSEC3  Authenticated proof that a name does not exist

The chain of trust

The root zone is the trust anchor every validating resolver ships with. The root zone publishes and signs a DS record for each TLD, the TLD does the same for your domain, and your zone's DNSKEY signs your records. A validating resolver walks this chain from the root down; if every link checks out it sets the AD (Authenticated Data) flag on the answer. If a signature is missing or expired, or a DS does not match the child's DNSKEY, it returns SERVFAIL rather than a possibly forged answer.

Turning it on

  1. Enable signing at your DNS host (it creates DNSKEY/RRSIG automatically).
  2. Copy the generated DS record to your registrar — this is the step people forget, and without it the chain is broken.
  3. Verify with our DNSSEC checker.
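The DS/DNSKEY link from the chain-of-trust section and step 2 above, as an added example that is not part of the original page: it derives the DS a registrar expects from a zone's KSK (RFC 4034 key tag and SHA-256 digest) and checks a published DS against the child's DNSKEY set, which is the test that fails when the DS was never copied or is stale after a key rollover. The key bytes are constructed dummies, not a real key.

```python
"""Derive a DS record from a DNSKEY and check the parent's DS against the child's
key set, the link a validating resolver verifies at every delegation.
Key tag: RFC 4034 Appendix B. DS digest: RFC 4034 section 5.1.4."""
import hashlib
from dataclasses import dataclass

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (Zone Key + SEP bits), 256 = ZSK (Zone Key bit)
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # raw public key bytes (constructed dummies below)

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """16-bit checksum over the RDATA (valid for every algorithm except 1)."""
        acc = 0
        for i, b in enumerate(self.rdata()):
            acc += b << 8 if i % 2 == 0 else b
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF

def owner_name_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, root label byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(zone: str, key: DNSKEY, digest_type: int = 2) -> tuple[int, int, int, str]:
    """DS RDATA to hand to the registrar: (key tag, algorithm, digest type, hex digest)."""
    digest = DIGEST_ALGS[digest_type](owner_name_wire(zone) + key.rdata()).hexdigest()
    return key.key_tag(), key.algorithm, digest_type, digest

def ds_matches(zone: str, ds: tuple[int, int, int, str], keys: list[DNSKEY]) -> bool:
    """True if a Zone Key in the child's DNSKEY set reproduces the DS published in the parent."""
    tag, alg, dtype, digest = ds
    want = (tag, alg, dtype, digest.lower())
    return dtype in DIGEST_ALGS and any(
        key.flags & 0x100 and make_ds(zone, key, dtype) == want for key in keys)

if __name__ == "__main__":
    ksk = DNSKEY(257, 3, 13, bytes([1, 2, 3, 4, 5]))   # constructed dummy key
    ds = make_ds("example.com", ksk)
    print("DS to publish:", ds)
    rolled = DNSKEY(257, 3, 13, bytes([9, 9, 9, 9, 9]))  # KSK after a rollover
    print("old DS still valid after rollover?", ds_matches("example.com", ds, [rolled]))
```

A DS that fails this check at the parent breaks the chain for the whole zone, so re-run it after every KSK rollover, not only at initial signing.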

Note: DNSSEC provides authenticity, not privacy — it does not encrypt queries. For confidentiality use DNS-over-HTTPS/TLS. See also DNS record types.
