What is DNSSEC?
Also known as: DNS Security Extensions
DNSSEC (DNS Security Extensions) adds cryptographic digital signatures to DNS records, enabling resolvers to verify that responses have not been tampered with or spoofed.
DNSSEC (DNS Security Extensions) is a set of protocol extensions to the Domain Name System that authenticate DNS responses using public-key cryptography. Standard DNS was designed without built-in security; a resolver trusts whatever answer a nameserver returns. DNSSEC changes that by having the authoritative zone operator sign each resource record set (RRset) with a private key. The corresponding public key is published in the zone as a DNSKEY record. A validating resolver fetches both the requested records and their signatures (RRSIG records), then verifies the signatures against the DNSKEY. The verification chain continues upward through parent zones via DS (Delegation Signer) records, ultimately reaching a trusted root anchor.
DNSSEC does not encrypt DNS data. It provides data origin authentication and integrity. A resolver can be certain that the answer came from the zone owner and was not modified in transit. This stops cache poisoning, man-in-the-middle attacks, and other forms of spoofing. DNSSEC was first specified in RFC 2535 (1999), then redesigned in the DNSSEC-bis documents (RFC 4033, RFC 4034, RFC 4035) in 2005. The root zone was signed in 2010. Today, DNSSEC validation is widely supported by public resolvers such as Google Public DNS, Cloudflare 1.1.1.1, and Quad9, and by many ISP resolvers.
DNSSEC sits on top of the existing DNS protocol. It does not change the query/response transport (UDP/53 or TCP/53), the zone transfer mechanism, or the DNS database structure. It adds new record types: RRSIG (signature), DNSKEY (public key), DS (delegation signer), NSEC/NSEC3 (authenticated denial of existence), and CDNSKEY/CDS (in-band key rollover). Deploying DNSSEC requires a zone operator to generate and manage signing keys, to sign the zone periodically, and to upload DS records to the parent zone. Validators on the resolver side must be configured with a trust anchor (usually the root anchor) to start the chain of trust. DNSSEC adoption is incomplete; many top-level domains and most second-level zones remain unsigned.
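As an added example (not part of this glossary page), the following Python shows the delegation link described above: it computes a DNSKEY's key tag (RFC 4034 Appendix B), derives the DS record the parent zone publishes (a SHA-256 digest over the canonical owner name followed by the DNSKEY RDATA, RFC 4034 section 5.1.4), and then performs the check a validator makes at each delegation, namely that the parent's DS matches a DNSKEY in the child zone. The zone name and key bytes are constructed placeholders, not a real key.

```python
import hashlib
import hmac
import struct

# Constructed sample: NOT a real zone or RSA key, just bytes that exercise the encoding.
ZONE = "Example.COM."
KSK_FLAGS, KSK_PROTOCOL, KSK_ALG = 257, 3, 8  # 257 = ZONE+SEP bits (a KSK); protocol is always 3; 8 = RSA/SHA-256
KSK_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD, 0xEF, 0x12])
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): a 16-bit checksum of the RDATA used to pick out a DNSKEY quickly."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA the parent publishes: (key tag, algorithm, digest type, hex digest of owner || DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """The delegation check a validator performs: does this parent DS authenticate this child DNSKEY?"""
    tag, alg, digest_type, digest = ds
    if digest_type not in DIGEST_ALGS or alg != rdata[3] or tag != key_tag(rdata):
        return False
    expected = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return hmac.compare_digest(digest.lower(), expected)

def format_ds(owner: str, ds: tuple) -> str:
    """Presentation format, as the DS record would appear in the parent zone."""
    return f"{owner.lower()} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3].upper()}"

if __name__ == "__main__":
    rdata = dnskey_rdata(KSK_FLAGS, KSK_PROTOCOL, KSK_ALG, KSK_PUBKEY)
    ds = make_ds(ZONE, rdata)
    print(format_ds(ZONE, ds))
    print("chain link valid:", ds_matches_dnskey(ds, ZONE, rdata))                  # True
    print("tampered DNSKEY: ", ds_matches_dnskey(ds, ZONE, rdata[:-1] + b"\x13"))  # False
```

A DNSKEY whose DS is absent from the parent, or whose digest no longer matches after a key change, breaks the chain exactly as the tampered case above does, which is why a key rollover must publish the new DS before retiring the old key.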
Key facts
- DNSSEC authenticates DNS data via digital signatures. It does not encrypt or hide DNS queries.
- Uses RRSIG records (signatures returned alongside each signed RRset) and DNSKEY records (the zone's public keys) to authenticate responses.
- Chain of trust starts from a trust anchor (e.g., the root zone public key).
- Root zone was signed on 15 July 2010 (ceremony 1).
- Defined in RFC 4033, RFC 4034, RFC 4035 (2005), updating RFC 2535 (1999).