DNSSEC Explained
DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS. It lets resolvers verify that DNS records have not been tampered with in transit, protecting against attacks like cache poisoning and DNS spoofing.
The Problem DNSSEC Solves
Standard DNS was designed without built-in security. When a resolver receives a DNS response, it has no way to verify that the answer actually came from the legitimate nameserver. This opens the door to several attacks:
- Cache poisoning — an attacker injects forged DNS records into a resolver's cache, redirecting traffic to a malicious server. Users think they are visiting the real website but are actually connecting to a fake one
- DNS spoofing — an attacker intercepts a DNS query and returns a forged response before the legitimate nameserver can reply
- Man-in-the-middle — an attacker sits between the resolver and the nameserver, modifying responses in transit
All of these attacks exploit the same weakness: DNS responses are not authenticated. DNSSEC fixes this by cryptographically signing every DNS record.
How DNSSEC Works
DNSSEC uses public key cryptography to sign DNS records. Each zone (e.g., example.com) has a key pair:
- Zone Signing Key (ZSK) — signs the DNS records in the zone. The private key stays on the nameserver; the public key is published as a DNSKEY record
- Key Signing Key (KSK) — signs the DNSKEY records themselves. This provides a second layer of trust so that the ZSK can be rotated without updating the parent zone
When a resolver queries for example.com, it receives both the DNS record and a corresponding RRSIG (Resource Record Signature). The resolver uses the published DNSKEY to verify the signature. If the signature is valid, the answer is authentic. If not, the resolver rejects it.
The Chain of Trust
DNSSEC validation does not work in isolation — it relies on a chain of trust from the root zone down to your domain:
- Root zone — the root zone is signed, and its public key (the root KSK) is shipped with resolver software as the trust anchor
- TLD zone — the root zone contains a DS (Delegation Signer) record that links to the .com zone's DNSKEY. This proves the .com nameserver's keys are legitimate
- Your domain — the .com zone contains a DS record that links to your domain's DNSKEY. This proves your nameserver's keys are legitimate
Each level vouches for the level below it. A resolver starts at the root (which it trusts by default), verifies the TLD, and then verifies your domain. If any link in the chain is broken or missing, validation fails.
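As an added example (not part of Sitequest's documentation or tooling), the following Python builds the DS record a parent zone publishes for a child's DNSKEY and checks whether a published DS actually commits to a given key. This is the link that breaks in the "Broken chain of trust" case below, when the DS at the registry and the DNSKEY on the nameserver disagree. The owner name, DNSKEY flags and public-key bytes are constructed sample values, not a real key.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical DNS wire format (lower-cased, length-prefixed labels)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build DNSKEY RDATA: flags (2 bytes), protocol (1 byte), algorithm (1 byte), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit sum over the DNSKEY RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over the owner name in wire format followed by the DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def make_ds(owner: str, rdata: bytes) -> tuple:
    """Return the DS fields (key tag, algorithm, digest type, digest) the parent zone should publish."""
    return key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata)

def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Check whether a DS published at the parent commits to this child DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype != 2 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    return digest.lower() == ds_digest(owner, rdata)

# Constructed sample KSK: flags 257 (SEP bit set), protocol 3, algorithm 13 (ECDSAP256SHA256).
# The public-key bytes are placeholder data, not a real curve point.
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
PARENT_DS = make_ds("example.com.", KSK)

if __name__ == "__main__":
    print("DS at parent:", PARENT_DS)
    print("matches child DNSKEY:", ds_matches("example.com.", KSK, PARENT_DS))
    # A KSK rolled on the nameserver without updating the registry's DS breaks the chain.
    rolled = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
    print("matches after unannounced KSK roll:", ds_matches("example.com.", rolled, PARENT_DS))
```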
DNSSEC Record Types
DNSSEC introduces several new DNS record types:
| Record | Purpose |
|---|---|
| DNSKEY | Contains the public key used to verify signatures |
| RRSIG | The cryptographic signature for a DNS record set |
| DS | Delegation Signer — links a parent zone to a child zone's key |
| NSEC/NSEC3 | Proves that a queried name does not exist (authenticated denial) |
These records are managed automatically by DNSSEC-enabled nameservers. You do not need to create them manually.
What DNSSEC Does Not Do
DNSSEC protects data integrity — it proves that DNS answers have not been altered. It does not:
- Encrypt DNS queries — queries and responses are still sent in plain text. For encryption, use DNS over HTTPS (DoH) or DNS over TLS (DoT)
- Protect against DDoS — DNSSEC does not prevent volumetric attacks against nameservers
- Guarantee website security — DNSSEC verifies the address, not the destination. A valid DNSSEC answer can still point to a compromised server
DNSSEC and encryption (DoH/DoT) complement each other. DNSSEC ensures answers are authentic; encryption ensures they are private.
Enabling DNSSEC on Sitequest
You can enable DNSSEC for your domains directly from the Sitequest dashboard:
- Go to Domains in your dashboard
- Select the domain you want to secure
- Open the DNSSEC tab
- Click Enable DNSSEC
Sitequest handles key generation, record signing, and DS record publication with the registry automatically. No manual key management is required.
After enabling, allow up to 24 hours for the DS record to be published by the registry and for resolvers to begin validating your domain.
Verifying DNSSEC
You can check whether DNSSEC is active and valid for a domain using public tools:
- dig — run `dig +dnssec example.com` and look for RRSIG records in the response
- Online validators — services like DNSViz or Verisign's DNSSEC Debugger visualize the chain of trust and flag any issues
A properly configured domain will show a complete chain from the root zone through the TLD down to your domain, with valid signatures at every level.
Common Issues
- Broken chain of trust — if the DS record at the registry does not match the DNSKEY on your nameserver, validation fails and resolvers may refuse to resolve your domain
- Expired signatures — RRSIG records have expiration timestamps. If the nameserver fails to re-sign records before expiration, validation fails
- Key rollover — when rotating keys, both old and new keys must be published during the transition period
These issues are handled automatically when using Sitequest's managed DNSSEC.
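As an added example that is not from the original page, this Python parses an RRSIG record in the presentation format that `dig +dnssec` prints and checks whether the signature's inception and expiration window contains a given time, which is the check behind the "Expired signatures" issue above. The RRSIG line is a constructed sample and its signature field is a placeholder, not real signature data.

```python
from datetime import datetime, timezone

# Constructed sample RRSIG in presentation format (signature field is a placeholder).
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG A 13 2 3600 "
                "20250301000000 20250201000000 59409 example.com. PLACEHOLDERSIGNATUREBASE64==")

def parse_rrsig(line: str) -> dict:
    """Split an RRSIG presentation-format line into its named fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {
        "type_covered": f[4], "algorithm": int(f[5]), "labels": int(f[6]),
        "original_ttl": int(f[7]), "expiration": f[8], "inception": f[9],
        "key_tag": int(f[10]), "signer": f[11], "signature": "".join(f[12:]),
    }

def to_serial(ts: str) -> int:
    """YYYYMMDDHHmmSS (UTC) to seconds since the epoch, truncated to 32 bits as on the wire."""
    dt = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & 0xFFFFFFFF

def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number comparison (a < b modulo 2^32), which RRSIG timestamps use."""
    return a != b and ((a < b and b - a < 2**31) or (a > b and a - b > 2**31))

def signature_status(rrsig: dict, now: int) -> str:
    """Classify the RRSIG as 'valid', 'not-yet-valid' or 'expired' at time `now` (RFC 4035 5.3.1)."""
    inc, exp = to_serial(rrsig["inception"]), to_serial(rrsig["expiration"])
    if serial_lt(now, inc):
        return "not-yet-valid"
    if serial_lt(exp, now):
        return "expired"
    return "valid"

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    for when in ("20250215000000", "20250305000000"):
        print(when, signature_status(sig, to_serial(when)))
```

A nameserver that stops re-signing will keep serving RRSIGs whose status here turns to "expired", at which point validating resolvers return SERVFAIL for the zone.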
Next Steps
- Enable DNSSEC for your domains in the dashboard
- Learn how DNS works to understand the resolution chain
- Manage DNS records for your domains