The Domain Name System was designed in 1983, when the internet was a trusted academic network. There was no authentication: resolvers simply believed whatever responses they received. DNSSEC (DNS Security Extensions) retrofits cryptographic verification onto this 40-year-old system.

The Problem: DNS Cache Poisoning

Without DNSSEC, an attacker can inject false DNS responses into a resolver cache. A famous example is the Kaminsky Attack (2008), which allowed attackers to redirect any domain to a malicious IP.

Once poisoned, every user of that resolver is sent to the attacker's server, enabling phishing, malware distribution, and traffic interception.

How DNSSEC Works

DNSSEC adds four new record types:

  • RRSIG (Resource Record Signature): A cryptographic signature covering a set of DNS records. The resolver verifies this signature using the zone's public key.
  • DNSKEY: Contains the public key used to verify RRSIG signatures.
  • DS (Delegation Signer): A hash of a child zone's DNSKEY, stored in the parent zone. This creates the chain of trust.
  • NSEC/NSEC3: Proves that a domain does NOT exist (authenticated denial of existence).

The Chain of Trust

DNSSEC validation starts from the root zone, which is signed by ICANN/IANA. Your resolver has the root public key built-in (the "trust anchor").

  1. Query for the example.com A record
  2. Resolver gets the response plus an RRSIG signed by the example.com DNSKEY
  3. Resolver verifies that the example.com DNSKEY matches the DS record in .com, which is itself signed by the .com DNSKEY
  4. Resolver verifies that the .com DNSKEY matches the DS record in the root zone, which is itself signed by the root DNSKEY
  5. Root DNSKEY matches the built-in trust anchor ✓

Why Is DNSSEC Adoption Slow?

  • Complexity: Key management, rollovers, and signing infrastructure are difficult.
  • No Encryption: DNSSEC provides authentication, not privacy. Use DoH/DoT for encryption.
  • Large Responses: Signatures increase DNS response size, risking fragmentation.
  • Breakage Risk: Misconfiguration can make your domain completely unresolvable.

Checking DNSSEC Status

You can check whether a domain uses DNSSEC with: dig +dnssec example.com

Look for the ad (authenticated data) flag in the response header.
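As an added example (not code from the original page), the following Python shows two of the checks described above: how a parent's DS record vouches for a child's DNSKEY (the chain-of-trust link in steps 3 and 4), and how to read the ad flag out of a dig response header. The DNSKEY and DS values are constructed sample data, not any real zone's keys, and name_to_wire, key_tag, ds_digest, ds_matches and has_ad_flag are this example's own helper names.

```python
import base64
import hashlib
import re

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    each label prefixed by its length, terminated by the empty root label."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: the number DS and RRSIG records use to name
    a key (a checksum for lookup, not a security property)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner-name wire form || DNSKEY RDATA.
    The parent publishes this value to vouch for the child's key."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner: str, ds_text: str, rdata: bytes) -> bool:
    """Check a parent's DS record ('keytag algorithm digesttype digest') against
    the child's DNSKEY RDATA. Only digest type 2 is handled; the hex digest may
    be printed in several space-separated chunks, so they are joined first."""
    tag, alg, dtype, *digest_parts = ds_text.split()
    digest = "".join(digest_parts).upper()
    return (int(dtype) == 2 and int(tag) == key_tag(rdata)
            and int(alg) == rdata[3] and digest == ds_digest(owner, rdata))

def has_ad_flag(dig_output: str) -> bool:
    """True if the ';; flags: ...;' header line of dig output carries 'ad'.
    Only a validating resolver sets it; +dnssec by itself merely asks for
    RRSIG records (the DO bit), so an unvalidated answer shows no ad flag."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.MULTILINE)
    return bool(m) and "ad" in m.group(1).split()

if __name__ == "__main__":
    # Constructed sample key (not a real zone key): KSK flags 257, algorithm 8.
    sample = dnskey_rdata(257, 3, 8, "AQIDBA==")
    print("DS record a parent would publish:", key_tag(sample), 8, 2, ds_digest("example.com.", sample))
```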