Diagnostic suite · live

DNSSEC — the chain of trust for DNS

How DNSSEC signs DNS records, what DS and DNSKEY do, and the operational risks of getting it wrong.

Illustration of a cryptographic chain linking a root anchor through padlocks to a leaf domain, representing the DNSSEC chain of trust

DNSSEC — the chain of trust for DNS

How DNSSEC signs DNS records, what DS and DNSKEY do, and the operational risks of getting it wrong.

10 min read

DNS was designed in 1983 with zero authentication. Any resolver on any hop could return any answer, and you had no way to tell if it was the real one. DNSSEC — DNS Security Extensions — retrofits cryptographic signatures onto DNS so that validating resolvers can prove an answer came from the true authoritative server and wasn't modified in transit. It is not a perfect solution and it has a well-earned reputation for operational fragility, but for high-value domains it's the only defense against a broad class of DNS poisoning attacks.

The problem DNSSEC solves

Without DNSSEC, if an attacker can inject a forged response into a recursive resolver's cache — via BGP hijacking, off-path attacks like the classic Kaminsky bug, or simply operating a rogue resolver — every user of that resolver gets pointed at the attacker's IP. The user's browser sees the "correct" hostname in the address bar and connects to a server the attacker controls. TLS mostly saves you at this point (the cert won't match), but plenty of protocols don't have that fallback.

DNSSEC ensures that every response is signed by a key whose public counterpart chains, hash-by-hash, all the way to the DNS root — a public key that every validating resolver has hard-coded. If the signature doesn't validate, the resolver refuses to return the answer at all.

The chain of trust in one paragraph

The DNS root zone is signed by ICANN's Key Signing Key (KSK). The root publishes a DS record for every TLD (.com, .net, .io) that says "this TLD's zone signing key hashes to X." Each TLD zone in turn publishes DS records for signed second-level domains ("yourdomain.com's ZSK hashes to Y"). Your zone signs its own records with its ZSK. To verify www.yourdomain.com, a resolver walks up: fetch the A record and its RRSIG, verify with your ZSK; fetch your ZSK and its DS at .com, verify; fetch .com's ZSK and its DS at the root, verify; verify the root against the built-in trust anchor. If every link holds, the response is authentic.

The four record types you'll see

  • DNSKEY — the public keys used to sign your zone. Typically two: a KSK (used only to sign the DNSKEY set itself) and a ZSK (used to sign all other records).
  • RRSIG — the signature over a specific record set. Every signed record set has an RRSIG.
  • DS — a hash of your KSK, published at your parent zone (i.e. at the registrar). This is the link that ties your zone into the chain above you.
  • NSEC / NSEC3 — authenticated denial of existence. Proves that a queried name does not exist, without letting an attacker forge "no such record" responses. NSEC3 adds hashed names to prevent zone-walking enumeration.

Use our DNSSEC Checker to inspect all of these live for any domain.

What "enabling DNSSEC" actually involves

The mechanical steps look simple:

  1. Your DNS provider generates KSK and ZSK for the zone.
  2. Your DNS provider signs the zone — every record set gets an RRSIG.
  3. The provider hands you (or automatically pushes to your registrar via CDS/CDNSKEY) a DS record.
  4. Your registrar publishes the DS at the TLD. Once the TLD refreshes its zone, validating resolvers can now walk the chain.

All the danger lives in step 3 and 4. If the DS at the registrar does not match the actual KSK your DNS provider is signing with, every validating resolver in the world refuses to return your records. You will not see this from a non-validating resolver — the domain looks fine from a Comcast connection but resolves as SERVFAIL from Google 8.8.8.8. The failure mode is invisible on your end until customers start complaining they can't reach you.

Key rollover — the risky part

Keys should be rotated periodically. ZSK rollovers happen inside your DNS provider and never touch the registrar — low risk. KSK rollovers require pushing a new DS to the registrar, which has to be timed against TTLs so validating resolvers see both the old and new DS during the transition window. Get the timing wrong and the world stops resolving your domain.

The good news: modern DNS providers (Cloudflare, Route 53, NS1, most premium managed DNS) do automated key management with CDS/CDNSKEY-driven registrar updates. If your registrar supports the automation, DNSSEC becomes push-button and rollovers are hands-off. Cloudflare + a supporting registrar has famously moved DNSSEC from "expert-only" to "toggle in a dashboard."

Should you enable DNSSEC?

  • Yes if you're a bank, government agency, cryptocurrency exchange, healthcare provider, or anyone whose hostname being poisoned would produce direct financial or safety harm.
  • Yes if you use DANE/TLSA for email server authentication or SSHFP for SSH key pinning — those protocols require DNSSEC to work.
  • Yes, cautiously if you run consumer SaaS at scale — the reputational win is real, but only turn it on with a managed provider that handles rollovers.
  • Probably no for a personal blog or a low-stakes staging domain. The operational risk exceeds the security gain.

Testing that it's actually working

# Show DNSKEY and DS
dig +dnssec DNSKEY yourdomain.com
dig +dnssec DS yourdomain.com

# Query via a validating resolver and check the AD flag
dig @1.1.1.1 yourdomain.com +dnssec | grep flags
# You want to see 'flags: qr rd ra ad' — the 'ad' bit is the money

Or just paste the domain into our DNSSEC Checker and read the summary.

Related tools: DNSSEC Checker · DNS Lookup · TLSA / DANE Lookup

Frequently asked questions

For any high-value domain — banking, government, brand-critical infrastructure — yes. For a personal blog, the operational risk of a mis-rotated key outweighs the marginal security gain. If you enable it, use a managed DNS provider that handles the KSK/ZSK rotation for you.