Glossary

DNSSEC

Definition: DNS Security Extensions — a set of protocols that add cryptographic signatures to DNS records to prevent DNS spoofing and cache poisoning.

DNSSEC (DNS Security Extensions) adds cryptographic integrity verification to DNS. Without DNSSEC, there is no way to verify that a DNS response has not been tampered with in transit — a weakness exploited in DNS cache poisoning and spoofing attacks. DNSSEC uses public-key cryptography to sign DNS records, allowing validating resolvers to verify that an answer is authentic and unmodified. It authenticates responses; it does not encrypt them, so it offers no confidentiality for queries.

The Problem DNSSEC Solves

Standard DNS has no authentication. An attacker who can inject false responses into a DNS resolver's cache (cache poisoning / Kaminsky attack) can redirect users from bank.com to a malicious server without the user knowing. DNSSEC prevents this by making tampered or forged responses fail signature validation, so a validating resolver discards them instead of caching them.

How DNSSEC Works

  1. The zone owner generates two key pairs: a Zone Signing Key (ZSK) and a Key Signing Key (KSK).
  2. DNS records are signed with the ZSK, producing RRSIG records (Resource Record Signatures).
  3. The KSK signs the zone's DNSKEY record set (which contains the ZSK), and a hash of the KSK is stored in a DS record at the parent zone (for example, the TLD registry).
  4. Resolvers that support DNSSEC validate the chain of DS records and signatures from root → TLD → domain, starting from the root key they hold as a built-in trust anchor.
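To make the four steps concrete, here is an added Go model of the chain of trust (example code, not from the page or from any DNS software). It uses Ed25519 (DNSSEC algorithm 15) and a simplified DS digest and record encoding instead of RFC wire format; the `Zone` type, `SignZone`, `Validate`, and the constructed bank.com records and addresses are the example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a simplified model (not RFC wire format) of one signed zone. Ed25519 is DNSSEC algorithm 15.
type Zone struct {
	Name                    string
	KSKPub, ZSKPub          ed25519.PublicKey // the DNSKEY records
	Records                 []byte            // canonical RRset, e.g. "bank.com. A 192.0.2.10" (constructed)
	RRSIGRecords, RRSIGKeys []byte            // RRSIG over Records (by the ZSK) and over the DNSKEY set (by the KSK)
}

func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
// dsDigest is the DS record the parent publishes: a hash binding the child's name to its KSK (simplified).
func dsDigest(name string, ksk ed25519.PublicKey) []byte { h := sha256.Sum256(concat([]byte(name), ksk)); return h[:] }

// SignZone is steps 1-3: make KSK and ZSK pairs, sign the records with the ZSK, sign the
// DNSKEY set with the KSK, and return the DS digest that the parent zone will publish.
func SignZone(name string, records []byte) (Zone, []byte) {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader)
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader)
	z := Zone{Name: name, KSKPub: kskPub, ZSKPub: zskPub, Records: records}
	z.RRSIGRecords = ed25519.Sign(zskPriv, records)
	z.RRSIGKeys = ed25519.Sign(kskPriv, concat(kskPub, zskPub))
	return z, dsDigest(name, kskPub)
}

// Validate is step 4 from the resolver's side: trusted DS -> KSK -> ZSK -> records.
func Validate(z Zone, trustedDS []byte) error {
	if string(dsDigest(z.Name, z.KSKPub)) != string(trustedDS) {
		return fmt.Errorf("KSK does not match the DS in the parent zone")
	}
	if !ed25519.Verify(z.KSKPub, concat(z.KSKPub, z.ZSKPub), z.RRSIGKeys) {
		return fmt.Errorf("RRSIG over the DNSKEY set is invalid")
	}
	if !ed25519.Verify(z.ZSKPub, z.Records, z.RRSIGRecords) {
		return fmt.Errorf("RRSIG over the records is invalid")
	}
	return nil
}

func main() {
	z, ds := SignZone("bank.com.", []byte("bank.com. A 192.0.2.10"))
	fmt.Println("genuine:", Validate(z, ds))
	z.Records = []byte("bank.com. A 198.51.100.99") // spoofed answer: the RRSIG no longer matches
	fmt.Println("spoofed:", Validate(z, ds))
}
```

A forged answer fails at the RRSIG step, and a zone re-signed with an attacker's own keys fails earlier because its KSK does not match the DS the parent published.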

DNSSEC Records

  • DNSKEY — Stores the public signing key for the zone.
  • RRSIG — Cryptographic signature for a DNS record set.
  • DS — Delegation Signer — a hash of the child zone's DNSKEY stored in the parent zone.
  • NSEC/NSEC3 — Proves the non-existence of DNS records (authenticated denial of existence). NSEC3 hashes the owner names so the chain is harder to walk for zone enumeration.

Should You Enable DNSSEC?

DNSSEC is recommended for domains that handle sensitive operations (banking, healthcare, authentication). Most major DNS providers (Cloudflare, Route 53) make DNSSEC easy to enable with a few clicks. Enabling it also requires publishing the DS record at the registrar, and a stale or mistaken DS causes validating resolvers to reject the whole domain, so plan key rollovers carefully.