DNS & DNSSEC

DNS vs DNSSEC: What's the Difference?

DNS (Domain Name System) translates human-readable domain names into the IP addresses computers use to communicate. DNSSEC adds a layer of cryptographic verification on top of DNS, ensuring that the IP address you receive hasn't been tampered with. DNS tells you where to go; DNSSEC proves the directions are trustworthy.

What DNS does

Every time you visit a website, your device queries the DNS system to find out what IP address hosts that domain. DNS is a hierarchical, distributed database managed across millions of servers worldwide.


The lookup process:

  • Your browser asks a **recursive resolver** (usually provided by your ISP or a service like 8.8.8.8)
  • The resolver queries the **root nameservers** to find which nameserver manages the TLD (e.g., .com)
  • The resolver queries the **TLD nameservers** to find the authoritative nameserver for the specific domain
  • The resolver queries the **authoritative nameserver** for the final answer (the IP address)
  • The resolver caches the result for the record's TTL (time-to-live) period

This process typically takes 20–120 milliseconds. The DNS system handles trillions of queries daily and was designed for speed and resilience — not security.
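The lookup walk and TTL caching described above, simulated in Go as an added example (not part of the original article): a constructed three-level hierarchy held in memory, with a root server, a .com TLD server and the authoritative server for example.com. The server names a.root-servers.net., a.gtld-servers.net. and ns1.example.com. are used only as labels for the toy servers, and the resolver looks servers up by name instead of by glue address (real resolvers must also fetch those). The address 192.0.2.10 and all TTLs are constructed test values.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Record is one resource record in the constructed toy zones below.
type Record struct {
	Name string        // owner name, fully qualified, e.g. "example.com."
	Type string        // "A" (address) or "NS" (delegation to a child zone)
	Data string        // IP address for A records, nameserver name for NS records
	TTL  time.Duration // how long a resolver may cache the record
}

// Nameserver is one authoritative server: its zone's A records plus NS records for delegations.
type Nameserver []Record

// query is one round trip to this server: the answer record, or a referral (the NS
// records of the longest delegation covering qname), or neither if the name is unknown.
func (ns Nameserver) query(qname string) (answer *Record, referral []Record) {
	best := ""
	for i, rr := range ns {
		if rr.Type == "A" && rr.Name == qname {
			return &ns[i], nil
		}
		under := qname == rr.Name || strings.HasSuffix(qname, "."+rr.Name)
		if rr.Type == "NS" && under && len(rr.Name) > len(best) {
			best = rr.Name // prefer "example.com." over "com." for "www.example.com."
		}
	}
	for _, rr := range ns {
		if rr.Type == "NS" && rr.Name == best {
			referral = append(referral, rr)
		}
	}
	return nil, referral
}

type cacheEntry struct {
	ip      string
	expires time.Time
}

// Resolver is a recursive resolver: it walks referrals from the root and caches answers.
type Resolver struct {
	servers map[string]Nameserver // nameserver name -> server; stands in for the glue/IP lookup
	cache   map[string]cacheEntry
	Queries int // upstream queries sent so far, to make the cache effect visible
}

func NewResolver(servers map[string]Nameserver) *Resolver {
	return &Resolver{servers: servers, cache: map[string]cacheEntry{}}
}

// Resolve returns the address for qname at time now: from cache while the TTL holds, else by a full walk.
func (r *Resolver) Resolve(qname string, now time.Time) (string, error) {
	if e, ok := r.cache[qname]; ok && now.Before(e.expires) {
		return e.ip, nil // cache hit: no upstream traffic at all
	}
	server := "a.root-servers.net." // every uncached lookup starts at a root server
	for hop := 0; hop < 8; hop++ {
		ns, ok := r.servers[server]
		if !ok {
			return "", fmt.Errorf("no route to nameserver %s", server)
		}
		r.Queries++
		answer, referral := ns.query(qname)
		if answer != nil {
			r.cache[qname] = cacheEntry{ip: answer.Data, expires: now.Add(answer.TTL)}
			return answer.Data, nil
		}
		if len(referral) == 0 {
			return "", errors.New("NXDOMAIN: " + qname)
		}
		server = referral[0].Data // follow the referral one level down
	}
	return "", errors.New("too many referrals")
}

// ToyServers builds a constructed three-level hierarchy: root -> com -> example.com.
func ToyServers() map[string]Nameserver {
	return map[string]Nameserver{
		"a.root-servers.net.": {{"com.", "NS", "a.gtld-servers.net.", 48 * time.Hour}},
		"a.gtld-servers.net.": {{"example.com.", "NS", "ns1.example.com.", 48 * time.Hour}},
		"ns1.example.com.":    {{"www.example.com.", "A", "192.0.2.10", 300 * time.Second}},
	}
}

func main() {
	r := NewResolver(ToyServers())
	t0 := time.Now()
	for _, offset := range []time.Duration{0, 60 * time.Second, 301 * time.Second} {
		ip, err := r.Resolve("www.example.com.", t0.Add(offset))
		fmt.Println(offset, ip, err, "upstream queries so far:", r.Queries) // 3, then 3 (cached), then 6
	}
}
```

The first lookup costs three upstream queries (root, TLD, authoritative); the second, inside the 300-second TTL, is answered from cache with no traffic; the third, after the TTL has expired, repeats the full walk. A name the authoritative server does not hold comes back as NXDOMAIN only after the same walk, which is why caching matters for both performance and load.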

What DNSSEC adds

DNSSEC extends DNS with digital signatures at each step of the lookup chain. Key additions:

**DNSKEY records** — Published by each zone, containing the public keys used to verify signatures in that zone.

**RRSIG records** — Digital signatures covering each DNS record set. Resolvers use the zone's public key to verify these signatures before accepting the data.

**DS records** — Delegation Signer records published in the parent zone, creating the link (chain of trust) between parent and child zones.

**NSEC/NSEC3 records** — Authenticated denial-of-existence records, proving that a queried name does not exist in the zone.


The chain of trust begins at the DNS root zone, whose KSK (Key Signing Key) is managed by IANA and can be verified by anyone. From there, each zone is vouched for by its parent, all the way down to individual second-level domains.

DNS vs DNSSEC: side-by-side comparison

| Feature | DNS | DNSSEC |
|---|---|---|
| **Function** | Resolves names to IP addresses | Verifies DNS data authenticity |
| **Introduced** | 1983 (RFC 882/883) | 1997–2005 (RFC 2535, 4033–4035) |
| **Encryption** | None | Signatures (not encryption) |
| **Prevents cache poisoning** | No | Yes |
| **Prevents eavesdropping** | No | No (use DoH/DoT for this) |
| **ICANN required for TLDs** | Yes | Yes |
| **Registrant optional** | N/A | Yes (second-level domains) |
| **Performance impact** | Baseline | Slightly larger responses |
| **Failure mode** | Returns wrong answer silently | Returns SERVFAIL (visible error) |

When DNSSEC validation fails

A key behavioral difference: when DNS returns a bad answer (cache poisoning), your browser navigates to the attacker's site silently. When DNSSEC validation fails, the resolver returns a SERVFAIL error — the domain appears unreachable rather than being transparently hijacked.

This is actually desirable: a visible error is safer than an invisible redirect to a fraudulent server. Users or monitoring systems can detect SERVFAIL; they cannot detect silent DNS hijacking.

For TLD operators, this means DNSSEC signing mistakes — expired signatures, misconfigured rollover — create visible outages. This is why professional DNSSEC management (with 24/7 monitoring, automated signing, and HSM-based key protection) is essential, not optional.
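The chain of trust from the previous section (DNSKEY, RRSIG and DS records linking parent to child) and the fail-closed behaviour described here, modelled in Go as an added example that is neither the article's nor ADG's code. Each zone publishes a self-signed DNSKEY RRset, the parent publishes a DS record (a SHA-256 digest of the child's key) signed under the parent's key, and every RRset carries an RRSIG. The validator starts from a configured root trust anchor and rejects, with a SERVFAIL-style error, any answer whose chain breaks. Simplifications to note: one Ed25519 key per zone instead of separate KSK and ZSK, a toy canonical form for RRsets rather than the RFC 4034 wire format, and no NSEC/NSEC3 handling. The zone names, the address 192.0.2.10 and the forged address 203.0.113.66 are constructed test values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

type RRset struct { // records under one owner name and type, plus the RRSIG covering them
	Owner, Type string   // e.g. "www.example.com." and "A"; types used here: A, DNSKEY, DS
	Data        []string // text form of each record
	Sig         []byte   // RRSIG: signature by the zone key over canonical()
}

// canonical is the byte string an RRSIG covers (a toy form, not RFC 4034 wire format).
func (s *RRset) canonical() []byte {
	return []byte(s.Owner + "|" + s.Type + "|" + strings.Join(s.Data, "|"))
}

type Zone struct { // one Ed25519 key per zone (real zones split KSK and ZSK; merged here)
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	Sets map[string]*RRset // keyed by owner+"/"+type
}

// NewZone generates the zone key and publishes its self-signed DNSKEY RRset.
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	z := &Zone{Name: name, Pub: pub, priv: priv, Sets: map[string]*RRset{}}
	z.Add(name, "DNSKEY", []string{hex.EncodeToString(pub)})
	return z
}

// Add publishes an RRset and signs it with the zone key, producing its RRSIG.
func (z *Zone) Add(owner, typ string, data []string) {
	s := &RRset{Owner: owner, Type: typ, Data: data}
	s.Sig = ed25519.Sign(z.priv, s.canonical())
	z.Sets[owner+"/"+typ] = s
}

// dsDigest is the DS record content: SHA-256 over the child's name and public key.
func dsDigest(name string, pub ed25519.PublicKey) string {
	h := sha256.Sum256(append([]byte(name), pub...))
	return hex.EncodeToString(h[:])
}

// ValidateA walks the chain of trust from the root trust anchor (which must verify the root's
// DNSKEY RRset) down to qname's A RRset; chain lists the zones root first. Any break is SERVFAIL.
func ValidateA(anchor ed25519.PublicKey, chain []*Zone, qname string) ([]string, error) {
	trusted := anchor
	for i, z := range chain {
		dnskey := z.Sets[z.Name+"/DNSKEY"]
		if dnskey == nil || len(dnskey.Data) != 1 {
			return nil, fmt.Errorf("SERVFAIL: no usable DNSKEY RRset for %s", z.Name)
		}
		pub, err := hex.DecodeString(dnskey.Data[0])
		if err != nil || len(pub) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("SERVFAIL: malformed DNSKEY for %s", z.Name)
		}
		if i > 0 { // a child key becomes trusted only through a DS signed by the parent
			ds := chain[i-1].Sets[z.Name+"/DS"]
			if ds == nil || !ed25519.Verify(trusted, ds.canonical(), ds.Sig) || ds.Data[0] != dsDigest(z.Name, pub) {
				return nil, fmt.Errorf("SERVFAIL: no valid DS in %s matching the DNSKEY of %s", chain[i-1].Name, z.Name)
			}
			trusted = pub
		}
		if !ed25519.Verify(trusted, dnskey.canonical(), dnskey.Sig) {
			return nil, fmt.Errorf("SERVFAIL: RRSIG over DNSKEY of %s is invalid", z.Name)
		}
	}
	a := chain[len(chain)-1].Sets[qname+"/A"]
	if a == nil || !ed25519.Verify(trusted, a.canonical(), a.Sig) {
		return nil, fmt.Errorf("SERVFAIL: no validly signed A RRset for %s (NSEC proofs not modelled)", qname)
	}
	return a.Data, nil
}

// BuildToyChain constructs root -> com -> example.com, each parent publishing a DS for its child.
func BuildToyChain() (root, com, example *Zone) {
	root, com, example = NewZone("."), NewZone("com."), NewZone("example.com.")
	root.Add(com.Name, "DS", []string{dsDigest(com.Name, com.Pub)})
	com.Add(example.Name, "DS", []string{dsDigest(example.Name, example.Pub)})
	example.Add("www.example.com.", "A", []string{"192.0.2.10"}) // constructed address
	return
}

func main() {
	root, com, example := BuildToyChain()
	fmt.Println(ValidateA(root.Pub, []*Zone{root, com, example}, "www.example.com.")) // [192.0.2.10] <nil>
	example.Sets["www.example.com./A"].Data = []string{"203.0.113.66"}                // forged data under the stale RRSIG
	fmt.Println(ValidateA(root.Pub, []*Zone{root, com, example}, "www.example.com.")) // [] SERVFAIL: ...
}
```

The validator returns data only when every link holds: the root key matches the anchor, each DS is signed by the parent and matches the child's published key, and the final RRSIG verifies. Substituting a different key for example.com and re-signing everything with it does not help, because the DS in the .com zone was signed by the .com key and still names the original key; replacing just the A data leaves an RRSIG that no longer matches. Both cases surface as an error, which is the SERVFAIL the text describes, and the same fail-closed logic is what turns an expired signature or a botched rollover into a visible outage.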

Frequently Asked Questions

Does DNSSEC slow down DNS resolution?

DNSSEC validation adds a small amount of processing time on the resolver side and increases DNS response sizes (due to signatures). In practice, the added latency is typically 1–5 ms for modern resolvers, which is negligible. ADG's Anycast network is optimized to minimize both DNS latency and DNSSEC overhead.

Can I use DNSSEC without an RSP?

Individual domain owners can enable DNSSEC through their registrar's control panel — this doesn't require an RSP. TLD operators (registry operators) do need RSP-level support since managing zone signing keys, key ceremonies, and DS record submissions at the TLD level requires specialized infrastructure.

Does DNSSEC prevent all DNS attacks?

DNSSEC prevents data authenticity attacks — cache poisoning, spoofing, and man-in-the-middle injection. It does not prevent Denial-of-Service (DoS/DDoS) attacks against DNS infrastructure, DNS query eavesdropping (use DoH/DoT for that), or registrar/registry account compromise.

ADG Service

ADG Managed DNS & DNSSEC Infrastructure
