What is DNSSEC and how do I use it?

Arron C
Published: 9 August 2021
Last updated: 8 May 2025

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is a suite of protocols from the Internet Engineering Task Force (IETF) that adds a layer of security to the DNS by enabling authentication of DNS data.

This helps to protect against attacks like DNS spoofing or DNS cache poisoning.

How DNSSEC works:

Digital Signatures and Public Key Cryptography

DNSSEC uses public key cryptography to sign DNS records. Each DNS zone has a pair of cryptographic keys:

  • A public key (published in DNS)
  • A private key (used to sign DNS records)

These generate digital signatures that validate the authenticity of the DNS data.

Signed DNS Records

When a DNS zone is DNSSEC-enabled, records (like A, MX, etc.) are accompanied by RRSIG records containing the digital signature.

DNS resolvers also retrieve DNSKEY records, which contain the public key used to verify the signature.

Chain of Trust

DNSSEC builds a chain of trust from the root DNS zone down to individual domains:

  • The root zone signs the Top-Level Domain (TLD) zone (like .com).
  • The TLD signs the second-level domain (like example.com).
  • This continues down to subdomains.

Each link in the chain is verified using a Delegation Signer (DS) record, stored at the parent zone.

Validation by Resolvers

When a DNSSEC-aware resolver queries a DNS record, it checks the digital signature using the public key.

If the signature is valid and there's a complete chain of trust, the data is considered authentic.

If validation fails, the resolver will reject the response to protect the user.
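The DS check described above (the parent zone's DS record vouching for the child's DNSKEY) can be reproduced offline. The following is an added example, not code from this article or its provider: it builds the DS record a parent would publish for a child DNSKEY (RFC 4034 key tag, RFC 4509 SHA-256 digest) and checks a DNSKEY against it. The owner name and the 64-byte key are constructed sample values, not a real key.

```python
"""Check one link of the DNSSEC chain of trust: does the parent's DS record
match the child's DNSKEY? (RFC 4034 key tag, RFC 4509 SHA-256 DS digest.)"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire (and as hashed into the DS digest)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum over the RDATA with carry folded in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def derive_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> dict:
    """Build the DS record (digest type 2 = SHA-256) a parent would publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}


def ds_vouches_for(owner: str, dnskey: tuple, parent_ds: dict) -> bool:
    """True if the DS held at the parent matches this child DNSKEY field for field.
    A mismatch breaks the chain, and a validating resolver rejects the zone's data."""
    return derive_ds(owner, *dnskey) == parent_ds


# Constructed sample: a 64-byte placeholder key, not a real ECDSA P-256 (alg 13) key.
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
# The DS the parent zone (.com) would hold for this key.
PARENT_DS = derive_ds(SAMPLE_OWNER, *SAMPLE_KSK)
# Same key with its first byte altered: the parent's DS must not vouch for it.
TAMPERED_KSK = (257, 3, 13, base64.b64encode(bytes([0xFF]) + bytes(range(1, 64))).decode())

if __name__ == "__main__":
    print("key tag:", PARENT_DS["key_tag"], "digest:", PARENT_DS["digest"])
    print("genuine key accepted:", ds_vouches_for(SAMPLE_OWNER, SAMPLE_KSK, PARENT_DS))
    print("tampered key accepted:", ds_vouches_for(SAMPLE_OWNER, TAMPERED_KSK, PARENT_DS))
```

To check a live zone, the same derivation can be run over the DNSKEY and DS records returned by `dig DNSKEY example.com` and `dig DS example.com`; the fields must match exactly for the link to hold.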

Note: DNSSEC does not encrypt DNS traffic; it only ensures that the response you get is authentic and unaltered.

Note: To enable DNSSEC, you must have the domain name you wish to enable it on held with us, the nameservers for the domain must point here, and we must host the website for the domain.

If you wish to enable DNSSEC for a domain, you must go to here > Options > Manage > DNSSEC Protection.

You can then enable DNSSEC using the toggle.

DNSSEC protection