DNSSEC, made simple
DNSSEC signs DNS records so resolvers can verify authenticity and integrity.
Why it matters
- Protects against cache poisoning and spoofed answers.
- Prevents unnoticed tampering between the authoritative server and the resolver.
How to enable
- Activate DNSSEC at your DNS provider for the zone.
- Publish the DS record at the registry (via your registrar).
- Rotate keys safely; monitor signatures and expiry.
Common pitfalls
- Broken DS after a domain transfer.
- New records left unsigned because zone signing is stale.
- Clock skew or expired signatures causing resolution failures.
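A monitoring check for two of the pitfalls above (a DS that no longer matches the zone's key, and signatures near or past expiry), as an added example that is not part of the original page. The function names, the 3-day warning threshold, the choice of algorithm 13 with a SHA-256 DS digest, and the key bytes are assumptions made for illustration; the sample data is constructed.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit folded sum over the RDATA)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(name):
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def ds_matches(owner, rdata, ds_tag, ds_alg, ds_digest):
    """True if the parent's DS still points at this DNSKEY."""
    return (ds_tag == key_tag(rdata) and ds_alg == rdata[3]
            and ds_digest.replace(" ", "").upper() == ds_sha256(owner, rdata))

def rrsig_status(inception, expiration, now, warn=timedelta(days=3)):
    """Classify an RRSIG window given as YYYYMMDDHHmmSS strings (UTC)."""
    start, end = (datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
                  for s in (inception, expiration))
    if now < start:
        return "not-yet-valid"   # also what a resolver with a slow clock sees
    if now > end:
        return "expired"
    return "expiring" if end - now < warn else "ok"

# Constructed sample data: not real keys, and example.com is a placeholder zone.
ZONE = "example.com."
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))         # key the DS was made from
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))  # key after a transfer
PARENT_DS = (key_tag(KSK), 13, ds_sha256(ZONE, KSK))     # what the registry holds

if __name__ == "__main__":
    now = datetime(2024, 1, 13, 12, 0, tzinfo=timezone.utc)
    print("DS vs old KSK:", ds_matches(ZONE, KSK, *PARENT_DS))
    print("DS vs new KSK:", ds_matches(ZONE, NEW_KSK, *PARENT_DS))
    print("RRSIG:", rrsig_status("20240101000000", "20240115000000", now))
```

In practice the DNSKEY, DS and RRSIG fields would come from queries against the zone and its parent rather than from constants.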