DNS Security
DNSSEC Explained: How DNS Records Are Authenticated
11 min read · Updated 2026-06-19
Plain DNS was designed to be fast and simple, not secure. When a resolver looks up example.com, nothing in the answer proves it actually came from the domain's real operator — an attacker who can inject a forged response (for example by cache poisoning) can hand a resolver a spoofed address and quietly redirect users. DNSSEC (DNS Security Extensions) closes that gap by letting zones cryptographically sign their records so a resolver can verify the data is authentic and hasn't been tampered with.
One clarification up front, because it's the most common misconception: DNSSEC provides authenticity and integrity — proof of who an answer came from and that it wasn't altered. It does not provide confidentiality. DNSSEC does not encrypt your queries; that is a separate concern handled by DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). This guide explains what DNSSEC is, the records that make it work, the chain of trust from the root zone down, and the real operational risks of turning it on.
The problem DNSSEC solves
Classic DNS has no built-in way to authenticate an answer. A resolver sends a query, accepts the first plausible-looking response, and caches it. There is no signature, no proof of origin, and no integrity check — so a forged reply that arrives at the right moment is indistinguishable from the real thing.
That weakness enables cache poisoning (also called DNS spoofing): an attacker injects a fraudulent record into a resolver's cache, and every user of that resolver is then steered to an attacker-controlled server — for a website, a mail host, or anything else the domain points to. Because the poisoned record is cached, a single successful injection can affect many users until the record's TTL expires.
DNSSEC addresses exactly this: it lets a resolver verify that the records it received were published by the domain's real operator and were not modified in transit. A forged answer simply won't carry a valid signature, so a validating resolver can reject it.
What DNSSEC is (and what it is not)
DNSSEC is a set of extensions to DNS — defined in RFC 4033, 4034, and 4035 — that add cryptographic signatures to DNS data. A zone operator signs the records in their zone with a private key and publishes the corresponding public key in DNS. A validating resolver can then check each answer's signature against that key and confirm two things:
- Origin authentication — the data really was published by the zone that's supposed to own it.
- Data integrity — the data wasn't altered between being signed and being received.
What DNSSEC deliberately does not do is just as important:
- It does not encrypt anything. DNSSEC-signed records — and the queries that fetch them — travel in the clear. Anyone on the path can still see which domains you look up. Confidentiality is the job of DoH/DoT, not DNSSEC.
- It does not change the answers themselves. A signed
Arecord returns the same address as an unsigned one; DNSSEC just lets the resolver prove that address is genuine.
Think of DNSSEC as a tamper-evident seal on DNS data, not a sealed envelope.
The key record types
DNSSEC introduces a handful of new record types that work together. You rarely edit these by hand — your DNS host generates them when you sign the zone — but understanding what each one is for makes the rest of DNSSEC much clearer.
| Record | Lives in | Purpose |
|---|---|---|
RRSIG | The signed zone | A cryptographic signature over a set of records (an "RRset"). Proves that RRset is authentic and unmodified. |
DNSKEY | The signed zone | The zone's public key(s). Resolvers use these to verify the zone's RRSIG signatures. |
DS | The parent zone | Delegation Signer: a hash of a child's DNSKEY, published by the parent to vouch for the child's key and link it into the chain of trust. |
NSEC / NSEC3 | The signed zone | Authenticated denial of existence — a signed, verifiable way to prove that a name or record type genuinely does not exist. |
A few details worth holding onto:
- An
RRSIGcovers an RRset (all records of one type at one name), not a single record, and it carries validity dates — signatures expire and must be refreshed. - The
DSrecord is the linchpin of delegation: it lives in the parent zone, not the child, which is why publishing it is a separate step from signing (more below). NSEC3(RFC 5155) is a hashed variant ofNSECthat makes it harder to "walk" a zone and enumerate every name in it. Both let a resolver trust a "this doesn't exist" answer instead of taking it on faith.
The chain of trust: root → TLD → your domain
DNSSEC's signatures are only meaningful if you can trust the keys that made them. DNSSEC solves this with a chain of trust that follows the same hierarchy as DNS delegation itself.
At the top sits the root zone, whose key is the trust anchor — a public key that validating resolvers are configured to trust inherently. From there, each level vouches for the one below it:
- The root zone publishes a
DSrecord for each top-level domain (TLD), derived from that TLD'sDNSKEY. - The TLD (for example
.com) in turn publishes aDSrecord for your domain, derived from your domain'sDNSKEY. - Your domain (
example.com) signs its own records and publishes itsDNSKEY.
A validating resolver walks this chain from the bottom up: it checks your records against your DNSKEY, confirms your DNSKEY matches the DS in the TLD, confirms the TLD's key matches the DS in the root, and confirms the root key against its trust anchor. If every link holds, the answer is trusted. Each DS record in a parent zone is what ties a child's keys into the chain — break that link and validation for the child fails.
ZSK vs. KSK: why there are two kinds of key
Conceptually a zone uses two roles of signing key, which lets operators rotate keys without re-coordinating with the parent every time:
- The Key-Signing Key (KSK) signs only the
DNSKEYRRset — the set of the zone's public keys. The KSK is the key the parent'sDSrecord points at, so it's the anchor of the zone within the chain of trust. - The Zone-Signing Key (ZSK) signs all the other records in the zone (the
A,MX,TXTrecords, and so on).
The payoff: because only the KSK is referenced by the parent's DS, the operator can roll the ZSK frequently and freely without touching anything at the registrar, and roll the KSK on a slower schedule when the DS does need updating. (Some setups simplify this to a single Combined Signing Key — a CSK — that plays both roles; the KSK/ZSK split is conceptual, not mandatory.)
How a validating resolver checks an answer
When a DNSSEC-aware (validating) resolver receives a signed answer, it does roughly the following:
- Fetch the requested RRset along with its
RRSIGsignature. - Fetch the zone's
DNSKEYand verify theRRSIGwas produced by the matching key and is still within its validity dates. - Walk up the chain of trust — confirm the zone's key matches the
DSin the parent, and so on up to the root trust anchor. - If every signature and link validates, return the answer as authenticated.
And critically, if any step fails — a missing, expired, or mismatched signature, or a broken link in the chain — the resolver does not fall back to the unsigned answer. It treats the data as untrustworthy and returns SERVFAIL to the client. From the user's point of view, the domain simply fails to resolve. That fail-closed behavior is what makes DNSSEC protective, and also what makes a misconfiguration so disruptive.
What DNSSEC does NOT protect against
DNSSEC is narrowly scoped on purpose. Knowing its limits keeps you from relying on it for things it was never meant to do:
- It does not encrypt your queries. Observers can still see which domains you look up. For privacy on the wire you want DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) — separate technologies that solve confidentiality, not authenticity.
- It does not stop DDoS attacks. DNSSEC does nothing to protect your nameservers from being flooded with traffic — and because signed responses are larger, DNSSEC can even be abused as an amplification vector.
- It does not protect a compromised registrar or DNS account. If an attacker takes over your registrar login or DNS host and re-signs the zone with their own keys, the records will validate perfectly — they're "authentically" wrong. DNSSEC authenticates data, not the humans and accounts behind it.
- It does not secure the application layer. It says nothing about TLS certificates, HTTPS, or whether the server you reach is honest once you get there.
DNSSEC answers exactly one question — "did this DNS data really come from the zone that owns it, unaltered?" — and answers it well. It is one layer in a defense-in-depth stack, not a complete one.
Enabling DNSSEC: both halves are required
Turning DNSSEC on is a two-part operation, and getting only one part done is worse than doing nothing:
- Sign the zone at your DNS host. Your DNS provider generates the keys, signs your records (producing the
RRSIG,DNSKEY, andNSEC/NSEC3records), and serves the signed zone. This is usually a single toggle in the provider's control panel. - Publish the
DSrecord at the registrar (the parent). Your DNS host gives you theDSrecord (or theDNSKEYdetails to build it); you enter it at your domain registrar, which passes it to the TLD's parent zone. This is the link that ties your signed zone into the chain of trust.
Both halves must be present and must match. Signing the zone without publishing a DS means no resolver knows to validate you — DNSSEC is effectively off. Publishing a DS that doesn't match your actual keys is far worse: validating resolvers will try to verify, fail, and return SERVFAIL, taking your domain offline for those users.
If your DNS host and your registrar are the same company, this is often a single one-click action; when they're different, you must coordinate the two steps yourself, and a clean key change should propagate the new DS before retiring the old key.
The operational risk: DNSSEC can take a domain offline
The same fail-closed design that makes DNSSEC protective makes it unforgiving. Any of these can make your domain stop resolving for validating resolvers:
- Expired signatures.
RRSIGrecords have validity dates and must be re-signed before they lapse. If the automated re-signing breaks and a signature expires, validation fails. - A mismatched
DS. If you roll your keys at the DNS host but theDSat the registrar still points at the old key (or vice versa), the chain of trust breaks. - Moving DNS hosts carelessly. Transferring a signed domain without first coordinating the keys and
DSacross the old and new providers is a classic way to take a domain down.
Note the failure is selective and confusing: users behind non-validating resolvers see the site fine, while users behind validating resolvers get SERVFAIL and a domain that appears completely dead. That makes DNSSEC outages hard to diagnose. The mitigations are to let a reputable DNS host manage signing and key rollovers automatically, and to change keys and DS records carefully and in the right order.
How to check whether a domain is DNSSEC-signed
You can confirm a domain's DNSSEC status with a DNS lookup. On who.is, use the DNS lookup tool: enter the domain and look for the DNSSEC-related records — a signed zone will publish DNSKEY and RRSIG records, and a domain wired into the chain of trust will have a DS record at its parent.
It's also worth checking the domain's nameservers and WHOIS data so you know which provider is authoritative — that's the provider that signs the zone and supplies the DS you publish at the registrar. If you've just enabled DNSSEC, remember that the DS record, like any DNS change, is subject to caching and propagation delays before every resolver sees it.
Key takeaways
- DNSSEC cryptographically signs DNS records so resolvers can verify they’re authentic and unmodified — it provides origin authentication and data integrity, defending against cache poisoning and spoofed answers.
- DNSSEC does NOT encrypt anything. It provides authenticity, not confidentiality — query privacy is the job of DoH/DoT, a separate technology.
- The core records are RRSIG (signatures over record sets), DNSKEY (the zone’s public keys), DS (a hash of a child’s key, published in the PARENT zone), and NSEC/NSEC3 (authenticated proof a name doesn’t exist).
- A chain of trust runs root → TLD → your domain; each level’s DS record in the parent vouches for the child’s keys, anchored at the root trust anchor.
- Validating resolvers fail closed: if a signature is missing, expired, or mismatched, they return SERVFAIL rather than serving the answer — so a broken DNSSEC setup can take a domain offline.
- Enabling DNSSEC requires BOTH signing the zone at your DNS host AND publishing the matching DS record at your registrar — doing only one half is broken.
Look up a domain’s DNS records
Inspect the DNS records and configuration of any domain on who.is.
Frequently asked questions
Does DNSSEC encrypt my DNS traffic?▾
No. DNSSEC provides authenticity and integrity, not confidentiality — it lets a resolver prove an answer is genuine and unmodified, but the records and the queries that fetch them still travel in the clear. Anyone on the network path can still see which domains you look up. If you want your DNS traffic encrypted, that's the job of DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT), which are separate from DNSSEC.
What's the difference between DNSSEC and DoH/DoT?▾
They solve different problems and are complementary. DNSSEC authenticates the data — it proves a DNS answer really came from the domain's owner and wasn't tampered with, but it doesn't hide the answer. DoH/DoT encrypt the connection between you and your resolver, hiding which domains you query from on-path observers, but they don't prove the answer is authentic. You can use both: DoH/DoT for privacy, DNSSEC for trustworthiness.
What is a DS record?▾
A DS (Delegation Signer) record is a hash of a child zone's signing key, published in the parent zone. It's the link in the DNSSEC chain of trust: your domain's DS record lives in your TLD's zone (placed there via your registrar) and vouches that your domain's DNSKEY is genuine. Without a matching DS at the parent, validating resolvers have no signed way to trust your keys, so your zone isn't part of the chain.
Can DNSSEC break my domain?▾
Yes, if it's misconfigured. Validating resolvers fail closed: when a signature is expired, a key is mismatched, or the DS at the registrar doesn't match the zone's keys, the resolver returns SERVFAIL instead of serving the answer — so the domain stops resolving for everyone behind a validating resolver, even though users behind non-validating ones still see it fine. Common causes are expired RRSIG signatures, a stale DS after a key change, and careless DNS-host migrations. Letting a reputable provider manage signing and key rollovers, and changing keys and DS records in the right order, avoids almost all of these.
Should I enable DNSSEC?▾
For most domains it's worth enabling — it meaningfully reduces the risk of spoofing and cache poisoning. The main caveat is operational: enabling it requires both signing the zone and publishing a matching DS at your registrar, and a broken signature or bad DS can take the domain offline for validating resolvers. The safest path is to use a DNS host (ideally one that's also your registrar) that automates signing and key rollovers so the expiry and key-mismatch risks are handled for you.
Does DNSSEC protect me if my registrar account is hacked?▾
No. DNSSEC authenticates DNS data, not the accounts behind it. If an attacker takes over your registrar or DNS-host login, they can re-sign your zone with their own keys and update the DS record — and those forged records will validate perfectly. DNSSEC also doesn't stop DDoS attacks or secure anything at the application/TLS layer. It's one layer of defense (authenticity of DNS answers), so pair it with strong account security and the rest of your security stack.