DNSSEC
Secure your DNS with cryptographic signatures to prevent spoofing.
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, preventing attackers from forging or modifying DNS responses. It's essential for DANE and adds an extra layer of security for all DNS-based email authentication.
How DNSSEC Works
- Your domain's DNS records are cryptographically signed
- Public keys are published in DNS (DNSKEY records)
- A chain of trust extends from the root DNS to your domain
- Resolvers verify signatures to ensure records haven't been tampered with
- Invalid signatures cause the query to fail (secure failure)
DNSSEC Record Types
| Record | Purpose |
|---|---|
| DNSKEY | Public key used to verify RRSIG signatures |
| RRSIG | Signature for a DNS record set |
| DS | Delegation Signer - links parent zone to child's DNSKEY |
| NSEC/NSEC3 | Authenticated denial of existence |
Enabling DNSSEC
DNSSEC requires support from both your DNS host and your domain registrar:
- Enable DNSSEC at your DNS provider
Your DNS host generates the DNSKEY records, signs your zone, and provides the DS record information you need for the next step.
- Add DS records at your registrar
Log into your registrar and add the DS record(s). This creates the chain of trust.
- Verify DNSSEC is working
Use tools like `dig +dnssec` or online validators.
Registrars with DNSSEC Support
| Registrar | DNSSEC | Notes |
|---|---|---|
| Cloudflare Registrar | Full Support | One-click enable, automatic key rotation |
| Google Domains (now Squarespace) | Full Support | Easy setup in domain settings |
| Namecheap | Full Support | DS record management in Advanced DNS |
| GoDaddy | Full Support | Available in DNS Management |
| Gandi | Full Support | Excellent DNSSEC implementation |
| Porkbun | Full Support | Free DNSSEC with all domains |
| AWS Route 53 | Full Support | DNSSEC signing for hosted zones |
| Azure DNS | Full Support | DNSSEC for public zones |
| DNSimple | Full Support | Automatic DNSSEC management |
| Hover | Full Support | DS records in domain settings |
| 1&1 IONOS | Partial | Limited to some TLDs |
| HostGator | No | No DNSSEC support |
| Bluehost | No | No DNSSEC support |
Setting Up DNSSEC with Cloudflare
- Enable DNSSEC in Cloudflare
Go to DNS → Settings → Enable DNSSEC
- Copy the DS record
Cloudflare displays the DS record information you need
- Add DS record at registrar
Log into your registrar and add the DS record:
```text
# Example DS record format
example.com. 3600 IN DS 2371 13 2 abc123def456...

# Fields:
# 2371      - Key Tag
# 13        - Algorithm (13 = ECDSA P-256)
# 2         - Digest Type (2 = SHA-256)
# abc123... - Digest value
```
- Verify DNSSEC
Wait for propagation (up to 24 hours), then verify:
```bash
# Verify DNSSEC is working
dig example.com +dnssec +short

# Check the full chain
dig example.com +trace +dnssec

# Online validators:
# - dnsviz.net
# - dnssec-analyzer.verisignlabs.com
```
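The RRSIG lines that `dig +dnssec` prints carry the signature's expiration and inception timestamps, and a zone whose signatures lapse fails validation just as hard as one with a wrong DS record. The script below is an example added for this page, not part of the original or of any DNS provider's tooling: it parses RRSIG records out of a constructed sample of dig output (the addresses, key tag and signature blobs are made up) and reports whether each covered record set is valid, expiring within a warning window, expired, or not yet valid. The `now_stamp` argument uses the same `YYYYMMDDHHmmSS` form as the RRSIG fields so a cron job can pass `date -u +%Y%m%d%H%M%S`.

```python
"""Check RRSIG validity windows in `dig +dnssec` output (RFC 4034, section 3).
Example code added for this page; the dig output below is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample of the ANSWER SECTION printed by `dig example.com +dnssec`:
# an A record set with its covering RRSIG, plus an RRSIG for the MX set.
# The address, key tag and signature data are made up for this example.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.    3600  IN  A      192.0.2.10
example.com.    3600  IN  RRSIG  A 13 2 3600 20240201000000 20240118000000 2371 example.com. Zm9vYmFy...
example.com.    3600  IN  RRSIG  MX 13 2 3600 20240120000000 20240106000000 2371 example.com. YmFyYmF6...
"""


def _parse_time(stamp: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC in dig's presentation format."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_output: str) -> list:
    """Extract RRSIG records from dig output.

    Presentation format after the RRSIG type: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer name, signature.
    """
    sigs = []
    for line in dig_output.splitlines():
        fields = line.split()
        # owner, ttl, class, "RRSIG" + nine RDATA fields = at least 13 tokens
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        sigs.append({
            "owner": fields[0],
            "type_covered": fields[4],
            "algorithm": int(fields[5]),
            "expiration": _parse_time(fields[8]),
            "inception": _parse_time(fields[9]),
            "key_tag": int(fields[10]),
            "signer": fields[11],
        })
    return sigs


def signature_status(sig: dict, now: datetime, warn_days: int = 7) -> str:
    """Classify one RRSIG relative to `now`; expiry is exclusive per RFC 4034."""
    if now < sig["inception"]:
        return "not yet valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= timedelta(days=warn_days):
        return "expiring soon"
    return "valid"


def check_signatures(dig_output: str, now_stamp: str, warn_days: int = 7) -> dict:
    """Map each covered record type to its status, e.g. {"A": "valid", "MX": "expired"}."""
    now = _parse_time(now_stamp)
    return {sig["type_covered"]: signature_status(sig, now, warn_days)
            for sig in parse_rrsigs(dig_output)}


if __name__ == "__main__":
    # Evaluate the constructed sample at a fixed instant so the output is reproducible.
    for rtype, status in check_signatures(SAMPLE_DIG_OUTPUT, "20240125120000").items():
        print(f"{rtype:5} {status}")
```

Anything other than `valid` for every record set is worth an alert: `expiring soon` usually means the signer's automatic re-signing has stalled, which is the key-rotation failure that turns into an outage once the expiration passes.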
DNSSEC Risks
DNSSEC can cause your domain to become completely unreachable if misconfigured:
- DS record doesn't match DNSKEY at DNS provider
- Expired RRSIG signatures (key rotation issues)
- Changing DNS providers without updating DS records
Always test thoroughly and have a rollback plan ready.