What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is a suite of specifications that adds cryptographic authentication to DNS data. It was designed to protect the internet from devastating attacks like DNS spoofing and cache poisoning, where a hacker redirects your traffic to a malicious server.

Verify your Chain of Trust

Is your website returning SERVFAIL errors? Check if your DNSSEC signatures are valid.


How DNSSEC Works: The Chain of Trust

Standard DNS is like sending a postcard; anyone can read it or forge a fake one. DNSSEC fixes this by digitally signing every set of DNS records (each RRset). When a user queries your A Record, they also receive an RRSIG (Resource Record Signature) covering that record set, which proves the IP address hasn't been tampered with.

But how do they know the signature itself is real? This is solved through a Chain of Trust:

  • Your DNS records are signed by a private key on your nameserver. The public key is published as a DNSKEY record.
  • To prove your DNSKEY is authentic, a cryptographic hash of it (the DS or Delegation Signer record) is given to your parent zone (e.g., the .com registry).
  • The .com zone signs your DS record with its own key, and a DS record for that key is in turn published and signed by the Global Root Zone (.).

If any link in this cryptographic chain is broken, validating resolvers will reject the data (typically answering with SERVFAIL) and block access to the domain.
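The DS-to-DNSKEY link described above can be checked by hand. The example below is added here and is not code from the original page: it computes the RFC 4034 key tag and DS digest for a DNSKEY using only the Python standard library, then checks whether a DS record published by the parent actually matches the child's key. All record values in it are constructed, not real zone data.

```python
# Added example: does the parent's DS record authenticate the child's DNSKEY?
# DS digest per RFC 4034 section 5.1.4, key tag per RFC 4034 Appendix B.
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (not valid for the obsolete algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Hex DS digest over owner name (wire form) || DNSKEY RDATA."""
    algos = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in algos:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return algos[digest_type](name_to_wire(owner) + rdata).hexdigest()

def verify_chain_link(owner: str, dnskey_rr: str, ds_rr: str) -> bool:
    """True only if the DS (from the parent zone) matches this DNSKEY (from the child).

    Both records are given in presentation format, e.g.
      "example.com. 3600 IN DNSKEY 257 3 13 <base64>"
      "example.com. 3600 IN DS <keytag> <alg> <digesttype> <hex>"
    """
    k = dnskey_rr.split()
    i = k.index("DNSKEY")
    flags, proto, alg = int(k[i + 1]), int(k[i + 2]), int(k[i + 3])
    rdata = dnskey_rdata(flags, proto, alg, "".join(k[i + 4:]))
    d = ds_rr.split()
    j = d.index("DS")
    tag, ds_alg, dtype = int(d[j + 1]), int(d[j + 2]), int(d[j + 3])
    digest = "".join(d[j + 4:]).lower()
    # A stale DS left at the registrar after a migration fails here: the tag or
    # digest belongs to the old host's key, not the key the new host publishes.
    return tag == key_tag(rdata) and ds_alg == alg and digest == ds_digest(owner, rdata, dtype)
```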

DNSSEC FAQ & Common Risks

Does DNSSEC encrypt my DNS traffic?

No. This is a common misconception. DNSSEC provides authentication (proving the data is genuine and unchanged), but not encryption (hiding the data from eavesdroppers). To encrypt DNS queries, you need protocols like DoH (DNS over HTTPS) or DoT (DNS over TLS).

Why did my domain stop resolving after I moved to a new host?

If you had DNSSEC enabled at your old host and you changed your Nameservers without removing the old DS record at your domain registrar first, you broke the Chain of Trust. Validating resolvers are looking for the old cryptographic keys referenced by that DS record, but your new host doesn't have them, so validation fails. Always disable DNSSEC (and have the DS record removed at the registrar) before migrating a domain!

Do I need DNSSEC to use DANE?

Yes. Because TLSA records (used for DANE) rely on DNS to verify TLS (SSL) certificates, the DNS response itself must be cryptographically authenticated. Without DNSSEC, an attacker could simply spoof the TLSA record, defeating the entire purpose of DANE.