SecurityStatus

DNSSEC

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so that validating resolvers can check that a response really came from the zone's signing key and was not altered in transit (it also provides signed proof that a name does not exist). The signatures only help when the resolver asking validates them. Without DNSSEC, attackers can perform DNS cache poisoning to redirect your visitors to malicious servers.

What SecurityStatus Checks

  • Whether DNSSEC is enabled and the DS record is published in the parent zone
  • Validity of DNSSEC signatures (RRSIG records)
  • Whether the chain of trust from the root zone to your domain is intact
  • Key signing key (KSK) and zone signing key (ZSK) presence

Why This Matters

DNS cache poisoning redirects traffic at the DNS level, before any connection is made. A browser sent to an attacker's server over HTTPS will still see a certificate warning unless the attacker also obtains a certificate for the name, but control of DNS can make that possible too, because CA domain-validation checks rely on DNS; and plenty of traffic, such as inbound email routed by MX records and API clients that do not validate certificates, has no such check at all. DNSSEC lets validating resolvers reject forged responses, so a poisoned answer is discarded rather than served. It is not a substitute for HTTPS, which protects the connection after the name has been resolved.

How to Fix It

  1. Enable DNSSEC at your DNS registrar

    If your registrar also hosts your DNS, most offer a one-click DNSSEC option in the domain management console (GoDaddy, Namecheap, Cloudflare, and Squarespace Domains, formerly Google Domains, put it under DNS settings). In that case the registrar generates the keys, signs the zone, and publishes the DS record in the parent zone for you.

  2. Enable DNSSEC at your DNS provider

    If your registrar and DNS provider are different, enable DNSSEC at the DNS provider first: it generates the keys and signs the zone. Once the signed zone is being served by all of the provider's authoritative servers, copy the DS record it shows for the key signing key (key tag, algorithm, digest type, digest) into the registrar's DS fields to establish the chain of trust. Publishing the DS before the zone is signed, or with a digest that does not match the published DNSKEY, makes validating resolvers fail every lookup for the domain.

  3. Verify the chain of trust

    Use DNSViz (dnsviz.net) to verify your DNSSEC configuration is correct end-to-end. It shows a visual map of the trust chain from the root. From a shell, `dig +dnssec example.com A` against a validating resolver should return a response with the `ad` flag set, and `delv example.com A` should report "fully validated"; a SERVFAIL at this point usually means the DS at the parent does not match any DNSKEY in the zone.

  4. Monitor key rollovers

    DNSSEC keys must be periodically rotated. A ZSK rollover is internal to the zone, but a KSK rollover changes the DS record, which has to be updated at the registrar before the old key is retired. Most managed DNS providers roll ZSKs automatically and either keep a long-lived KSK or publish CDS/CDNSKEY records so the parent can pick up the new DS. If you manage DNSSEC manually, follow the pre-publish or double-signature timing described in RFC 6781 and set calendar reminders for key rollovers.
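The DS record you copy in step 2 is derived from the DNSKEY, so you can check the two against each other before (and after) touching the registrar. The script below is an added example, not SecurityStatus code: it computes the key tag (RFC 4034 appendix B) and the DS digest over the canonical owner name plus DNSKEY RDATA (RFC 4034 section 5.1.4), and compares a DS line against a DNSKEY line. The DNSKEY it runs on is constructed with a four-byte placeholder public key purely to exercise the arithmetic; it is not a usable key, and the names `ds_record`, `ds_matches` and `parse_dnskey` are this example's own.

```python
"""Compute and cross-check a DS record from a DNSKEY (RFC 4034 section 5.1.4
and appendix B). Added example, not code from SecurityStatus; use it to
confirm that the DS you paste into the registrar matches the key signing
key your DNS provider actually publishes."""
import base64
import hashlib
import struct

# DS digest types from the IANA registry; 1 (SHA-1) is kept only so old
# records can be read and should not be used for new DS records.
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire: 2-byte flags, protocol byte,
    algorithm byte, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 appendix B: a 16-bit sum over the RDATA with
    the carry folded back in. It is not cryptographic; it only lets a DS
    or RRSIG say which of several DNSKEYs it refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags: int) -> bool:
    """Bit 0 of the flags is SEP (Secure Entry Point): 257 = KSK, 256 = ZSK.
    The DS published at the parent should reference a KSK."""
    return bool(flags & 1)


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Presentation-format DS RDATA: '<key tag> <algorithm> <digest type> <digest>'.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = hashlib.new(DIGEST_TYPES[digest_type], owner_wire(owner) + rdata)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {h.hexdigest().upper()}"


def parse_dnskey(rr: str):
    """Accept '257 3 13 <base64>' or a full 'example.com. 3600 IN DNSKEY 257 3 13 <base64>'
    line as printed by dig; the base64 may be split into several chunks."""
    tokens = rr.split()
    if "DNSKEY" in tokens:
        tokens = tokens[tokens.index("DNSKEY") + 1:]
    flags, protocol, algorithm = (int(t) for t in tokens[:3])
    return flags, protocol, algorithm, "".join(tokens[3:])


def ds_matches(owner: str, dnskey_rr: str, ds_rr: str) -> bool:
    """True when the DS record (as entered at the registrar, or as returned by
    `dig <domain> DS`) is the DS of the given DNSKEY for this owner name."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_rr)
    tokens = ds_rr.split()
    if "DS" in tokens:
        tokens = tokens[tokens.index("DS") + 1:]
    tag, alg, dtype = (int(t) for t in tokens[:3])
    digest = "".join(tokens[3:]).upper()
    if dtype not in DIGEST_TYPES:
        return False
    expected = ds_record(owner, flags, protocol, algorithm, pubkey, dtype)
    return expected == f"{tag} {alg} {dtype} {digest}"


if __name__ == "__main__":
    # Constructed DNSKEY with a 4-byte placeholder "public key" (not a real key),
    # only to show the output format; paste the real KSK from `dig example.com DNSKEY`.
    key = "257 3 13 AQIDBA=="
    ds = ds_record("example.com", *parse_dnskey(key))
    print("DS to enter at registrar:", ds)
    print("matches published DNSKEY:", ds_matches("example.com", key, ds))
```

Run it with the DNSKEY line your provider publishes (the one whose flags are 257) and compare the printed DS with what the registrar shows; after a provider migration, run `ds_matches` with the DS returned by `dig yourdomain DS` and the new provider's DNSKEY to confirm the parent points at the key that is actually serving the zone.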

Frequently Asked Questions

Does DNSSEC encrypt my DNS queries?
No. DNSSEC signs DNS responses to prove they are authentic — it does not encrypt them. DNS over HTTPS (DoH) and DNS over TLS (DoT) are the mechanisms that encrypt DNS queries.
Is DNSSEC required?
Not required, but recommended. It is most critical for high-value domains like financial services, government sites, and anything where DNS hijacking would be catastrophic.
Will enabling DNSSEC break my DNS?
If configured correctly it will not. Breakage almost always comes from a DS record at the parent that no longer matches a DNSKEY in the zone: a KSK rollover where the registrar's DS was not updated, or a switch of DNS providers where the old DS was left in place while the new provider serves an unsigned or differently signed zone. Validating resolvers then return SERVFAIL for the whole domain. To migrate safely, remove the DS at the registrar first, wait for the DS TTL to expire, move the zone, then enable DNSSEC at the new provider and publish its DS. Always verify with DNSViz after any DNSSEC change.

Check Your Domain Now

Run all 38 security checks including DNSSEC and get your domain's security grade in under 2 minutes.