What Is DNSSEC and Why Does It Matter?
DNSSEC adds cryptographic signatures to DNS records, preventing attackers from forging DNS responses. Here is how it works and why it matters.
DNS is the phone book of the internet — it translates domain names into IP addresses. By default, DNS responses have no authentication: a resolver has no way to verify that the response it received is the real one and not a forgery. DNSSEC fixes this.
The Problem DNSSEC Solves
DNS cache poisoning is an attack where a malicious actor injects forged DNS records into a resolver's cache. When a victim's browser asks where example.com is, the poisoned resolver returns the attacker's IP instead of the real one. The victim connects to a phishing site, believing it is the legitimate site.
Before DNSSEC, this was possible because DNS responses carried no proof of authenticity.
How DNSSEC Works
DNSSEC adds cryptographic signatures to DNS records. The chain works like this:
- The DNS zone owner generates a key pair and publishes the public key in the zone as a DNSKEY record.
- All records in the zone are signed with the private key (RRSIG records).
- A delegation signer (DS) record in the parent zone (e.g., .com) contains a hash of the child zone's public key.
- The parent zone's DS record is itself signed with the parent zone's key.
- This chain continues up to the DNS root zone, which is signed with a well-known root key that validating resolvers are configured to trust (the trust anchor).
When a DNSSEC-aware resolver queries for example.com, it:
- Fetches the A record and its RRSIG signature.
- Fetches the zone's DNSKEY.
- Verifies the signature.
- Follows the DS chain up to the root.
- If every link in the chain validates, the response is authentic.
DNSSEC Status Values
| Status | Meaning |
|---|---|
| Secure | DNSSEC enabled and all signatures valid |
| Insecure | DNSSEC not enabled for this zone |
| Bogus | DNSSEC enabled but signatures fail validation — potential attack |
| Indeterminate | Cannot determine status (parent zone issues) |
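As an added example (not ElasticDomain's code or code from the page), here is a stdlib-only Python model of the DS-to-DNSKEY link in the chain described above, mapped onto the status values in the table: it computes the key tag and DS digest the way RFC 4034 specifies, then reports Secure, Bogus or Insecure for that link. The sample key and DS record are constructed; verification of the RRSIG signatures themselves is left out because it needs a public-key library.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm number, public key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner name in wire form | DNSKEY RDATA) (RFC 4034 s5.1.4). Type 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return hasher(name_to_wire(owner) + rdata).digest()

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """Build the DS record the parent zone would publish for this DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}

def dnskey_matches_ds(owner: str, rdata: bytes, ds: dict) -> bool:
    """A DS authenticates a DNSKEY only if key tag, algorithm and digest all agree."""
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))

def ds_link_status(owner: str, dnskeys: list, parent_ds_set: list) -> str:
    """Status of the DS->DNSKEY link only; a full validator also verifies the RRSIGs."""
    if not parent_ds_set:
        return "Insecure"      # parent publishes no DS: the delegation is unsigned
    if any(dnskey_matches_ds(owner, k, ds) for ds in parent_ds_set for k in dnskeys):
        return "Secure"
    return "Bogus"             # parent vouches for a key the child does not publish

# Constructed sample: a pretend ECDSA P-256 (algorithm 13) KSK for example.com.
SAMPLE_KEY = dnskey_rdata(257, 13, bytes(range(64)))
SAMPLE_DS = make_ds("example.com.", SAMPLE_KEY)
TAMPERED_KEY = SAMPLE_KEY[:-1] + bytes([SAMPLE_KEY[-1] ^ 0x01])  # one flipped bit in the public key
```

Calling `ds_link_status("example.com.", [SAMPLE_KEY], [SAMPLE_DS])` returns Secure, the tampered key returns Bogus, and an empty DS set returns Insecure.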
How ElasticDomain Checks DNSSEC
Every domain scan checks DNSSEC by looking for:
- DS records in the parent zone
- DNSKEY records in the domain's zone
- RRSIG records on DNS responses
- NSEC/NSEC3 records for authenticated denial of existence
The results appear in the DNS tab under DNSSEC Status.
DNSSEC Algorithms
| Algorithm | Status |
|---|---|
| ECDSA Curve P-256 with SHA-256 (13) | Recommended |
| ECDSA Curve P-384 with SHA-384 (14) | Recommended |
| Ed25519 (15) | Recommended |
| RSA/SHA-256 (8) | Acceptable |
| RSA/SHA-1 (5) | Deprecated |
| RSA/MD5 (1) | Critically deprecated |
| DSA/SHA-1 (3) | Critically deprecated |
Limitations of DNSSEC
DNSSEC protects DNS data integrity but does not:
- Encrypt DNS queries (DNS-over-HTTPS or DNS-over-TLS does that)
- Protect against a malicious authoritative nameserver
- Prevent the domain from being registered to the wrong person
DNSSEC is one layer in a defense-in-depth strategy, not a complete solution.
Should You Enable DNSSEC?
For any domain you own and care about: yes. The risk of cache poisoning is real, and enabling DNSSEC is a standard security practice for production domains. Most registrars and DNS providers support DNSSEC configuration in their control panels.