Contents
4 sections · 7 min read
Chain of trust diagram showing DNSSEC signing from root to domain nameserver
Domain Security

DNSSEC Explained: What It Is, How It Works, and How to Check It

A
Domain 360 Team
·June 28, 2026·7 min read

DNS was designed in an era when the internet was a small academic network and the idea of anyone deliberately poisoning DNS records was not a significant concern. DNSSEC was developed decades later to add the security layer that was missing from the original design.

The Problem DNSSEC Solves

Classic DNS has no authentication. When your resolver asks a nameserver for the IP address of your bank and receives an answer, there is nothing in the protocol to verify that the answer is genuine. An attacker positioned between resolver and nameserver — or who has poisoned a resolver cache — can substitute their own response with a different IP address, and your browser will connect to an attacker server showing a convincing fake page of your bank.

This attack, DNS cache poisoning, was demonstrated practically by security researcher Dan Kaminsky in 2008 with a vulnerability affecting most DNS implementations. The immediate response was a partial fix. The proper long-term response was DNSSEC.

How DNSSEC Works: The Chain of Trust

DNSSEC builds a chain of trust from the DNS root downward to individual domain records.

The DNS root is signed by ICANN with a Root Key Signing Key — a cryptographic key whose public half is known to all DNSSEC-validating resolvers. Every TLD registry (Verisign for .com, etc.) has its zone signed by the root, and the public keys needed to verify TLD signatures are authenticated by the root.

Each domain's DNS zone can then be signed by the domain owner. The public key for verifying the zone is submitted to the TLD registry, creating a DS (Delegation Signer) record that connects the domain into the chain of trust.

When a resolver fetching a DNSSEC-signed record validates it, it walks up this chain: the record signature is valid, the key that signed it is authenticated by the TLD, the TLD is authenticated by the root, the root key is known. The chain holds. The record is genuine.

If an attacker tries to substitute a fake DNS record, they cannot create a valid signature — they do not have the private key. The signature is invalid, the resolver detects this, and refuses to use the forged record.

Enabling DNSSEC

DNSSEC configuration happens at two levels: the DNS provider and the registrar.

At your DNS provider: Enable DNSSEC signing in your DNS dashboard. Cloudflare, Namecheap, and most modern DNS providers offer this in their interface. The provider generates the key pair and signs the zone.

At your registrar: After enabling DNSSEC at your DNS provider, they will provide DS record values. You submit these to your registrar, who adds them to the TLD zone, completing the chain of trust.

Both steps are required. Enabling signing at the DNS provider without the DS record at the registrar means the chain is broken — resolvers cannot verify up to the TLD and may treat the zone as unsigned or raise validation errors.

Cloudflare simplification: If your domain is both registered at Cloudflare Registrar and uses Cloudflare DNS, enabling DNSSEC is a single toggle — Cloudflare handles both sides of the chain automatically.

DNSSEC and Domain Management

DNSSEC depends on DNS records being valid, which in turn depends on the domain being registered and nameservers being correct. One common failure mode: a domain is transferred to a different DNS provider, DNSSEC keys change, but the DS records at the registrar are not updated. The result is a DNSSEC validation failure — resolvers performing strict validation refuse to resolve the domain, and the site becomes unreachable for those users.

The remedy: disable DNSSEC before changing DNS providers, complete the provider migration, then re-enable DNSSEC with the new provider keys. Never leave stale DS records pointing to old keys.

Underlying all DNSSEC security is the same requirement as all domain security: the domain must stay registered. An expired domain has no DNSSEC, no DNS, no website, no email. Reliable expiry tracking through a domain management dashboard is foundational.

Never lose a domain again

Track every domain you own in one dashboard. Free for up to 15 domains.