What is DNSSEC and how to enable it
DNSSEC cryptographically signs your DNS so answers can't be forged. Here's what it protects against, how it works, and the two-step process to enable it safely.
Plain DNS answers aren't authenticated — an attacker who can inject a response (cache poisoning, spoofing) can send visitors to the wrong server. DNSSEC adds cryptographic signatures so resolvers can verify an answer really came from the authoritative source and wasn't tampered with.
How it works#
- Your zone is signed with keys; the public keys live in DNSKEY records.
- A DS (Delegation Signer) record at your registrar links your zone's key to the parent zone, forming a chain of trust up to the root.
- Validating resolvers check the signatures and set the AD (Authenticated Data) flag when everything verifies.
Enable it in two steps#
- 1
Sign the zone at your DNS host
Turn on DNSSEC in your DNS provider's dashboard. It generates the keys and publishes DNSKEY records. Most managed hosts do this with one click.
- 2
Publish the DS record at your registrar
Copy the DS record (or key details) from your DNS host into your domain registrar. This is the step people forget — without it, the chain of trust is broken and DNSSEC isn't actually active.
Verify#
Check DNSSEC status (DNSKEY/DS presence and the AD flag) with the DNS Lookup tool. It reports whether your domain is validated, signed-but-not-chained, or unsigned.
Frequently asked questions
▸ ▾ Do I need DNSSEC?
It's optional but recommended, especially for domains handling logins, payments or email. It protects visitors from being silently redirected via forged DNS answers. It doesn't encrypt DNS (that's DoH/DoT) — it authenticates it.
▸ ▾ Can DNSSEC break my domain?
Yes, if misconfigured — most often a DS record at the registrar that doesn't match the zone's keys, which makes validating resolvers reject your domain. Enable it via your provider's automated flow and verify afterwards; when changing DNS hosts, coordinate the key rollover carefully.
▸ ▾ What's the difference between DNSSEC and DoH?
DNSSEC authenticates DNS answers (proves they weren't forged). DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt DNS queries (hide them from eavesdroppers). They solve different problems and can be used together.
Do it with a free tool
Related guides
Published 2026-07-09 · Updated 2026-07-09 · By Crawlsonar.