DNSSEC
A layer of cryptographic signatures on DNS that lets computers verify the address they got for your domain is genuine and wasn't forged.
In plain English
When your computer asks “what's the address for this website?”, plain DNS has no way to prove the answer is real — someone could slip in a fake and send visitors to an impostor. DNSSEC signs those answers so they can be verified, like a tamper-evident seal running from the internet's root all the way down to your domain.
It's optional and still uncommon, but valuable for high-trust sites. One warning: a broken DNSSEC setup is worse than none — it can make your domain unreachable for many users.
How to fix / set it up
- Enable DNSSEC at your DNS host (it generates keys and signs the zone).
- Copy the resulting DS record to your domain registrar to anchor the chain.
- After any key change, update the DS. To turn DNSSEC off, remove the DS first, then unsign.
The technical detail
Your zone publishes a DNSKEY; a matching DS record at your registrar anchors it to the parent zone; a validating resolver confirms the whole chain (the AD flag). The dangerous states are a DS with no DNSKEY (a live outage) and a stale DS after a key rollover (validation fails).
Prefer modern algorithms (ECDSAP256SHA256/Ed25519) and SHA-256 DS digests; RSASHA1 and SHA-1 are deprecated.
FAQ
Is DNSSEC required?
No — it's an optional extra layer. If you enable it, configure it carefully: a broken chain is worse than none.
Why is 'DS but no DNSKEY' so serious?
The parent still vouches for a key your zone no longer serves, so validating resolvers refuse the domain — it goes offline for many users.