What is DNSSEC? How It Works
DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS, preventing attackers from redirecting users to fake websites. It works by digitally signing DNS records so resolvers can verify responses are genuine — without encrypting the content of DNS queries themselves.
Why DNS needs security extensions
The standard Domain Name System was designed in the 1980s without security in mind. When you type a domain into your browser, your computer asks a series of DNS resolvers "what IP address serves this domain?" Each resolver caches the answer for future speed — but without any way to verify the response came from the legitimate source.
This creates the DNS cache poisoning attack: a malicious actor injects a fake DNS answer into a resolver's cache. Every user that resolver serves then gets directed to the attacker's server instead of the real one. Kaminsky's 2008 discovery proved this attack was practical at scale, accelerating DNSSEC deployment.
DNSSEC does not encrypt DNS queries or responses — that's the job of DNS over HTTPS (DoH) or DNS over TLS (DoT). Instead, DNSSEC signs the DNS data itself so any resolver can verify authenticity without trusting the network path.
How DNSSEC signing works: the chain of trust
DNSSEC creates a hierarchical chain of trust that starts at the DNS root zone and extends down to every signed domain.
Zone Signing Key (ZSK): Each DNS zone generates a ZSK to sign individual DNS records. The ZSK is used frequently and is rotated regularly (typically monthly or quarterly).
Key Signing Key (KSK): A separate, longer-lived KSK signs only the ZSK. Because the KSK changes less often, it can be protected with stricter access controls — for TLD operators, this typically means an HSM (Hardware Security Module).
Delegation Signer (DS) record: The parent zone publishes a hash of the child zone's KSK as a DS record. This is how trust chains across zone boundaries — the parent's signature on the DS record vouches for the child's KSK.
RRSIG records: Every signed DNS record set is accompanied by an RRSIG (Resource Record SIGnature) that resolvers use to verify authenticity.
When a DNSSEC-validating resolver asks for a record, it follows the chain of signatures from the root through each DNS zone until it reaches the answer, verifying each signature along the way. If anything doesn't match, the resolver returns a SERVFAIL rather than an unauthenticated answer.
DNSSEC requirements for TLD operators
ICANN mandates DNSSEC signing for all new gTLD registries. Before delegation, applicants must demonstrate DNSSEC capability as part of the RSP (Registry Service Provider) technical evaluation.
For TLD operators, DNSSEC management involves:
ADG manages this entire lifecycle for TLD operators: key ceremonies, HSM custody, automated signing, signature refresh, and emergency key rollover — all included in our RSP service.
DNSSEC vs DNS-over-HTTPS: what's the difference?
These two technologies solve different problems and are complementary:
| DNSSEC | DNS-over-HTTPS (DoH) | |
|---|---|---|
| **What it protects** | DNS record authenticity | DNS query privacy |
| **Where it acts** | DNS data (server side) | DNS transport (client side) |
| **Prevents** | Spoofing, cache poisoning | Eavesdropping, MITM on queries |
| **Encrypts queries?** | No | Yes |
| **Required by ICANN?** | Yes (TLDs) | No |
A TLD can have DNSSEC enabled and DNS-over-HTTPS disabled (or vice versa). For maximum security, both are recommended.
Frequently Asked Questions
Is DNSSEC required for all domains or just TLDs?
ICANN requires DNSSEC signing at the TLD (registry) level. Individual domain registrants can optionally enable DNSSEC for their second-level domains. For .com or .net domains, DNSSEC adoption at the registrant level is optional but recommended for high-security use cases.
What happens if DNSSEC signatures expire?
If RRSIG records expire without being renewed, DNSSEC-validating resolvers will return SERVFAIL errors for the zone — effectively making the domain unreachable for users with DNSSEC validation enabled. This is why 24/7 monitoring and automated signature refresh are critical for TLD operators.
Can DNSSEC be hacked or bypassed?
DNSSEC's cryptographic foundation (RSA or ECDSA signatures) is not practically breakable with current technology. The attack surface is operational: key compromise through insecure storage, misconfiguration, or deliberate disablement (downgrade attacks). This is why HSMs and key ceremony procedures exist.
How does DNSSEC interact with CDNs?
Most major CDNs are fully compatible with DNSSEC. The CDN's edge nodes serve as authoritative name servers, and DNSSEC signing happens at the zone level before records are distributed to edge nodes. ADG's managed Anycast network handles DNSSEC signing upstream of CDN integration.