What is DNSSEC?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so that a validating resolver can detect, and reject, forged DNS responses. It provides origin authentication and integrity for DNS data; it does not encrypt DNS traffic or hide your queries.
Without DNSSEC:
You → DNS resolver → Attacker's forged response accepted → Phishing site
With DNSSEC:
You → Validating DNS resolver → Signature check fails → Forged response rejected (SERVFAIL)
How It Works
- The domain owner signs the zone's DNS records with a private key and publishes the matching public key in the zone as a DNSKEY record
- A hash of that public key is published in the parent zone as a DS record, which the parent signs in turn
- Validating resolvers verify the chain of trust from the root's trust anchor → TLD → your domain, following DS → DNSKEY → RRSIG at each step
Key Record Types
| Record | Purpose |
|---|---|
| RRSIG | Signature for a DNS record set |
| DNSKEY | Public key used for verification |
| DS | Delegation Signer: hash of the child's key, published in the parent zone to link parent to child |
| NSEC/NSEC3 | Proves a record doesn't exist |
Enabling DNSSEC
At Your Registrar
Most registrars support DNSSEC activation:
- Generate DNSSEC keys (often automatic)
- Sign your zone so that DNSKEY and RRSIG records are being served
- Only then add the DS record to the parent zone (the registrar does this); publishing the DS before the signed zone is live makes validating resolvers fail your domain
With Cloudflare
If using Cloudflare DNS:
- Go to DNS → Settings
- Click Enable DNSSEC
- Copy the DS record details
- Add the DS record at your registrar
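The DS record you hand to the registrar is not the key itself but a digest of the child's DNSKEY, keyed by the key tag and algorithm. The script below is an added example, not code from the original page or from any registrar or Cloudflare: it derives the DS a parent zone should publish for a given DNSKEY (RFC 4034 key tag, RFC 4509 SHA-256 digest over the owner name in wire form followed by the DNSKEY RDATA) and checks a published DS against the DNSKEY, naming the field that disagrees. The DNSKEY used is constructed with a 4-byte dummy public key so the key tag can be checked by hand; it is not a real key, and `example.com` is a placeholder.

```python
from __future__ import annotations

import base64
import hashlib
import struct

# Added example (not from the original page): derive the DS for a DNSKEY and
# check a published DS against it, the way a parent-zone operator would.

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

# Constructed sample (NOT a real key): flags 257 = Zone Key + SEP, algorithm 13 (ECDSAP256SHA256),
# public key bytes 00 01 02 03. RDATA is 01 01 03 0d 00 01 02 03, so the key tag is 0x0612 = 1554.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AAECAw=="


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2: lower-case, uncompressed)."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_rr(line: str, rtype: str) -> tuple[str, list[str]]:
    """Split 'owner [ttl] [IN] TYPE rdata...' into (owner, rdata fields); parentheses are ignored."""
    fields = line.replace("(", " ").replace(")", " ").split()
    idx = fields.index(rtype)  # ValueError if the line is not a record of that type
    return fields[0], fields[idx + 1:]


def dnskey_rdata(fields: list[str]) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    flags, proto, alg = int(fields[0]), int(fields[1]), int(fields[2])
    pubkey = base64.b64decode("".join(fields[3:]))  # dig may split the key over several tokens
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1/RSAMD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte  # sum the RDATA as big-endian 16-bit words
    acc += (acc >> 16) & 0xFFFF                    # fold the carry back in
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), upper-case hex."""
    if digest_type not in DIGEST_ALGOS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(dnskey_line: str, digest_type: int = 2) -> str:
    """Return the DS record the parent zone should publish for this DNSKEY."""
    owner, fields = parse_rr(dnskey_line, "DNSKEY")
    rdata = dnskey_rdata(fields)
    return f"{owner} IN DS {key_tag(rdata)} {int(fields[2])} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def check_ds(dnskey_line: str, ds_line: str) -> tuple[bool, str]:
    """Compare a DS (as published at the parent) with the child's DNSKEY and explain any mismatch."""
    owner, kfields = parse_rr(dnskey_line, "DNSKEY")
    ds_owner, dfields = parse_rr(ds_line, "DS")
    if name_to_wire(owner) != name_to_wire(ds_owner):
        return False, f"owner mismatch: DS is for {ds_owner}, DNSKEY is for {owner}"
    if not int(kfields[0]) & 0x0100:
        return False, "DNSKEY lacks the Zone Key flag (256); it cannot anchor the zone"
    rdata = dnskey_rdata(kfields)
    tag, alg, dtype = int(dfields[0]), int(dfields[1]), int(dfields[2])
    if tag != key_tag(rdata):
        return False, f"key tag mismatch: DS says {tag}, DNSKEY computes to {key_tag(rdata)}"
    if alg != int(kfields[2]):
        return False, f"algorithm mismatch: DS says {alg}, DNSKEY is {kfields[2]}"
    if dtype not in DIGEST_ALGOS:
        return False, f"unsupported digest type {dtype}"
    expected = ds_digest(owner, rdata, dtype)
    published = "".join(dfields[3:]).upper()
    if published != expected:
        return False, f"digest mismatch: DS has {published[:16]}..., DNSKEY hashes to {expected[:16]}..."
    return True, "DS matches DNSKEY"


if __name__ == "__main__":
    ds = make_ds(SAMPLE_DNSKEY)
    print(ds)
    print(check_ds(SAMPLE_DNSKEY, ds))
```

To check a live zone, paste the KSK line from `dig example.com DNSKEY +multi` into `check_ds` together with the DS line from `dig example.com DS`; a key tag or digest mismatch reported here is exactly the "resolution failures after enabling" case below.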
Verification
```bash
# Ask for RRSIG records along with the answer; a signed zone returns them
dig +dnssec example.com A

# The 'ad' flag (Authenticated Data) in the ";; flags:" header line means the
# resolver validated the answer. It only appears when you query a validating
# resolver, so name one explicitly; +multi just prints long records readably
dig +dnssec @1.1.1.1 example.com SOA +multi

# Trace the full chain of trust from the root trust anchor down to the zone
delv @8.8.8.8 example.com A +rtrace
```
Common Issues
| Issue | Cause | Fix |
|---|---|---|
| Resolution failures after enabling | DS at the parent doesn't match any DNSKEY served by the zone | Compare the DS key tag, algorithm and digest against the zone's KSK DNSKEY |
| Intermittent failures | Expired RRSIGs (zone not re-signed in time) or clock skew | Check RRSIG inception/expiration dates and the signer's clock |
| Cannot transfer domain | DS record still published at the parent | Remove the DS record (disable DNSSEC) before the transfer |
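The first two rows of the table are diagnosed from `dig +dnssec` output: the AD flag in the header tells you whether the resolver validated, and the RRSIG inception/expiration fields tell you whether the signatures are inside their validity window. The script below is an added example, not part of the original page: it parses a captured `dig` answer, reports the AD flag, and classifies every RRSIG as valid, expiring, expired or not yet valid against a reference time. The dig output and signatures in it are constructed for the example (the signature blobs are placeholders, not real signatures), and the reference time is pinned to 2024-03-01 UTC so the result is reproducible; drop the `now` argument to check against the current clock. Timestamps are compared as plain dates, which is fine for real zones but ignores the RFC 1982 serial-arithmetic wraparound the spec allows for.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Added example (not from the original page): read `dig +dnssec` output, report
# whether the resolver set the AD flag, and check every RRSIG validity window.

# Constructed dig output for the example; the signatures (c2lnMQ== etc.) are not real.
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600 IN SOA  ns1.example.com. hostmaster.example.com. 2024022801 7200 3600 1209600 3600
example.com.  3600 IN RRSIG SOA 13 2 3600 20240315120000 20240215120000 1554 example.com. c2lnMQ==
example.com.  3600 IN A    192.0.2.10
example.com.  3600 IN RRSIG A 13 2 3600 20240228000000 20240129000000 1554 example.com. c2lnMg==
example.com.  3600 IN MX   10 mail.example.com.
example.com.  3600 IN RRSIG MX 13 2 3600 20240302000000 20240201000000 1554 example.com. c2lnMw==
"""

# Fixed reference time so the constructed sample gives a stable result.
REFERENCE_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)

FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.MULTILINE)
TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG expiration/inception as dig prints them (UTC)


def ad_flag_set(dig_output: str) -> bool:
    """True if the header carries AD (Authenticated Data): the resolver validated the answer."""
    m = FLAGS_RE.search(dig_output)
    return bool(m) and "ad" in m.group(1).split()


def parse_rrsigs(dig_output: str) -> list[dict]:
    """Pull RRSIG records out of dig's answer section.

    Field order in presentation format: owner ttl IN RRSIG type-covered algorithm
    labels original-ttl expiration inception key-tag signer signature.
    """
    sigs = []
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        sigs.append({
            "owner": f[0],
            "type_covered": f[4],
            "algorithm": int(f[5]),
            "expiration": datetime.strptime(f[8], TIME_FMT).replace(tzinfo=timezone.utc),
            "inception": datetime.strptime(f[9], TIME_FMT).replace(tzinfo=timezone.utc),
            "key_tag": int(f[10]),
            "signer": f[11],
        })
    return sigs


def signature_status(sig: dict, now: datetime, warn_within: timedelta = timedelta(days=3)) -> str:
    """Classify one RRSIG relative to `now`."""
    if now < sig["inception"]:
        return "not yet valid"   # signer clock ahead of the validator's, or zone published too early
    if now >= sig["expiration"]:
        return "expired"         # validating resolvers SERVFAIL this RRset
    if sig["expiration"] - now <= warn_within:
        return "expiring"        # re-sign before the window closes
    return "valid"


def check_signatures(dig_output: str, now: datetime | None = None) -> list[tuple[str, str, str, int]]:
    """Return (owner, type covered, status, seconds until expiry) for every RRSIG in the output."""
    now = now or datetime.now(timezone.utc)
    report = []
    for sig in parse_rrsigs(dig_output):
        remaining = int((sig["expiration"] - now).total_seconds())
        report.append((sig["owner"], sig["type_covered"], signature_status(sig, now), remaining))
    return report


if __name__ == "__main__":
    print("AD flag set:", ad_flag_set(SAMPLE_DIG_OUTPUT))
    for owner, rtype, status, secs in check_signatures(SAMPLE_DIG_OUTPUT, REFERENCE_TIME):
        print(f"{owner} RRSIG({rtype}): {status} ({secs // 3600} h to expiry)")
```

Run against real output by piping `dig +dnssec @1.1.1.1 example.com SOA` into `check_signatures`; an "expired" or "not yet valid" signature on a zone that otherwise looks fine is the usual cause of the intermittent failures in the table above, and a missing AD flag with valid signatures means the resolver you asked is not validating.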
Warning If you change DNS providers, remove the DS record at your registrar before the move, wait at least the DS record's TTL so caches drop it, then enable DNSSEC at the new provider and publish its DS. A DS that points at a key the new provider does not serve makes your domain unresolvable for every validating resolver.
Tip If your zone is on Cloudflare, Cloudflare manages the keys, signing and re-signing once DNSSEC is enabled; whether individual records are proxied (orange cloud) makes no difference to this. You only need to add the DS record at your registrar once.