What is DNSSEC and how to enable it

What is DNSSEC?

DNS Security Extensions (DNSSEC) add a layer of cryptographic signing to DNS responses. Without DNSSEC, anyone who can intercept or poison DNS traffic could redirect your domain's visitors to a fraudulent server — without the victims ever knowing.

DNSSEC allows a resolver to verify that the DNS answer it received was actually published by your authoritative nameserver and has not been tampered with in transit.

It does not encrypt DNS queries (for that, see DNS-over-HTTPS or DNS-over-TLS). It only authenticates the answers.


The threat: DNS cache poisoning

A DNS cache poisoning attack works like this:

  1. An attacker sends forged DNS responses to a resolver.
  2. The resolver caches the fraudulent record.
  3. Users querying that resolver are directed to the attacker's server.
  4. The attacker can intercept traffic, serve malware, or steal credentials — all while the domain name in the browser looks correct.

High-profile attacks of this type have redirected banking sites, registrar login pages, and email services.


What to do

Step 1 — Check if DNSSEC is already enabled

Look for RRSIG records in a DNS lookup:

dig +dnssec yourdomain.com

If the response includes RRSIG records, DNSSEC is active.

Step 2 — Enable DNSSEC at your DNS provider

DNSSEC configuration is typically a single toggle in your DNS provider's control panel. The provider generates the key pairs and publishes the DNSKEY, RRSIG, and NSEC/NSEC3 records automatically.

Providers with built-in DNSSEC support include: Cloudflare, AWS Route 53, Google Cloud DNS, Gandi, Namecheap, and most modern registrars.

Step 3 — Submit the DS record to your registrar

After enabling DNSSEC at your DNS provider, you need to submit a DS (Delegation Signer) record to your domain registrar. This links the trust chain from the root zone down to your domain.

Your DNS provider will give you the DS record values. Paste them into the DNSSEC section of your registrar's control panel.

If your DNS provider and registrar are the same company (e.g. Cloudflare for both), this step is often automatic.

Step 4 — Verify the trust chain

Test that the full chain of trust is intact:

dig +dnssec DS yourdomain.com @8.8.8.8

Or use dnssec-analyzer.verisignlabs.com for a visual trust chain check.
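Step 3 and Step 4 both hinge on one link: the DS record at the registrar must match the DNSKEY your DNS provider serves. The Python script below, added here as an example and not part of the original article, recomputes the DS key tag and digest from a DNSKEY record (RFC 4034) so you can check that link offline from pasted dig output; the sample key it uses is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct

# DS digest type -> hash function (IANA registry: 1=SHA-1, 2=SHA-256, 4=SHA-384).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(struct.pack("B", len(lbl)) + lbl.encode() for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire: flags(2) | protocol(1) | algorithm(1) | key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (the first field of a DS record)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as upper-case hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches_dnskey(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """True if the DS record was derived from this DNSKEY. Both arguments are the RDATA
    part of a dig output line ("257 3 13 <base64>" / "2068 13 2 <hex>"); dig may split
    the key or digest into several whitespace-separated chunks, so they are re-joined."""
    flags, protocol, algorithm, *key_chunks = dnskey_text.split()
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm), "".join(key_chunks))
    ds_tag, ds_alg, ds_digest_type, *digest_chunks = ds_text.split()
    if int(ds_tag) != key_tag(rdata) or int(ds_alg) != int(algorithm):
        return False  # the DS points at a different key (or algorithm) than this DNSKEY
    if int(ds_digest_type) not in DIGEST_ALGS:
        return False  # unsupported digest type: a validating resolver cannot use it either
    return "".join(digest_chunks).upper() == ds_digest(owner, rdata, int(ds_digest_type))

if __name__ == "__main__":
    # Constructed sample: a 4-byte placeholder "key", NOT a real DNSKEY (P-256 keys are 64 bytes).
    rdata = dnskey_rdata(257, 3, 13, "AQIDBA==")
    sample_ds = f"{key_tag(rdata)} 13 2 {ds_digest('example.com.', rdata, 2)}"
    print("DS to paste at the registrar:", sample_ds)  # key tag 2068
    print("match:", ds_matches_dnskey("example.com.", "257 3 13 AQIDBA==", sample_ds))  # True
```

To use it on your own domain, pass the RDATA of the KSK line (flags 257) from dig DNSKEY yourdomain.com and the RDATA of the DS line from dig DS yourdomain.com; a False result means the registrar is publishing a DS for a key your provider no longer serves, which is exactly the failure mode described in the maintenance section.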


Important: keep DNSSEC maintained

If you migrate DNS providers, you must carefully coordinate the transition. Removing DNSSEC records or changing nameservers without updating the DS record at the registrar will cause DNSSEC validation failures, making your domain completely unreachable for resolvers that enforce DNSSEC. Always:

  1. Disable DNSSEC at the registrar before changing nameservers.
  2. Re-enable DNSSEC after the new nameservers are live.

Last updated: March 28, 2026