DNSSEC, made simple

DNSSEC, made simple

DNSSEC signs DNS records so resolvers can verify authenticity and integrity.

Why it matters

• Protects against cache-poisoning and spoofed answers.
• Prevents unnoticed tampering between authoritative server and resolver.

How to enable

• Activate DNSSEC at your DNS provider for the zone.
• Publish DS at the registry (via registrar).
• Rotate keys safely; monitor signatures and expiry.

Common pitfalls

• Broken DS after domain transfer.
• Unsigned/new records because of stale zone signing.
• Clock skew or expired signatures causing resolution failures.

TL;DR

DNSSEC adds digital signatures to DNS records to prevent spoofing. Sign your zone, publish the DS at your registrar, and enable validation on resolvers.

5‑minute checklist

• Create KSK/ZSK keys with a modern algorithm (e.g., ECDSA).
• Sign the zone and publish the DS record at the registry.
• Enable NSEC3 with opt-out as needed to prevent zone walking.
• Plan automated rollovers and monitor signature expiration.
• Test with dig +dnssec and an external analyzer.

Further reading

• ICANN: DNSSEC Q&A
• Verisign DNSSEC Analyzer