How to Check and Enable DNSSEC for Your Domain
DNSSEC (DNS Security Extensions) adds a layer of cryptographic verification to DNS responses, preventing attackers from redirecting your traffic through cache poisoning or man-in-the-middle attacks. Without DNSSEC, a resolver has no way to verify that a DNS response actually came from the authoritative server. This guide explains how to check your current DNSSEC status and enable it properly.
Check your DNSSEC status now
Use our free DNSSEC Checker to verify whether your domain has DNSSEC enabled and whether the chain of trust is valid.
Step 1: Understand the DNSSEC Chain of Trust
DNSSEC works through a chain of trust that starts at the DNS root zone and extends down to your domain. Each level signs the keys for the level below it. The key components are:
- DNSKEY records — Public keys published in your zone used to verify signatures.
- DS records — Hashes of DNSKEY records published in the parent zone (submitted through your registrar).
- RRSIG records — Cryptographic signatures attached to each DNS record set.
- NSEC/NSEC3 records — Prove that a queried name does not exist (authenticated denial).
Step 2: Check Your Current DNSSEC Status
Query your domain for its DNSKEY records, and the parent zone for the matching DS records, using dig:
dig example.com DNSKEY +dnssec +short
dig example.com DS +short
If both queries return records, DNSSEC is enabled. If either is empty, the chain of trust is broken or DNSSEC has not been set up. Also check the SOA record to confirm your authoritative nameservers are correct.
Step 3: Enable DNSSEC at Your DNS Provider
Most managed DNS providers (Cloudflare, Route 53, Google Cloud DNS) offer one-click DNSSEC activation. When you enable it, the provider generates a key pair, signs your zone, and gives you a DS record to publish at your registrar. If you run your own authoritative server, you will need to generate keys and sign the zone manually using tools like dnssec-keygen and dnssec-signzone.
Step 4: Add the DS Record at Your Registrar
Copy the DS record from your DNS provider and add it to your domain registrar's DNSSEC settings. The DS record contains the key tag, algorithm number, digest type, and digest hash. This step completes the chain of trust by linking your zone's keys to the parent zone. After adding it, allow up to 48 hours for full propagation.
Step 5: Validate the Chain of Trust
After propagation, verify that the entire chain is working. Use the DNSSEC Checker to confirm that DS records match DNSKEY records, signatures are valid and not expired, and authenticated denial (NSEC/NSEC3) is functioning. Set a calendar reminder to monitor key expiration dates, especially if you manage keys manually.
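To make the Step 5 check ("DS records match DNSKEY records") concrete, here is an added Python example, not code from this guide or its checker tool, that recomputes the key tag and DS digest from a DNSKEY line as RFC 4034 specifies and compares them against the DS line returned by the dig queries in Step 2. The sample key bytes are constructed for the demonstration and are not a real key.

```python
import base64
import hashlib
import struct

# Hash algorithms named by the DS "digest type" field (RFC 4034, RFC 4509, RFC 6605).
DS_DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}

def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY (RFC 4034 Appendix B); the legacy rule for algorithm 1 is not handled."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest (RFC 4034 s5.1.4): hash(owner name wire form || DNSKEY RDATA) as uppercase hex."""
    h = hashlib.new(DS_DIGEST_ALGOS[digest_type])
    h.update(owner_name_wire(owner) + rdata)
    return h.hexdigest().upper()

def ds_matches_dnskey(owner: str, ds_text: str, dnskey_text: str) -> bool:
    """True if a DS line (as `dig DS +short` prints it) was derived from a DNSKEY line (as `dig DNSKEY +short` prints it)."""
    tag, ds_alg, digest_type, digest = ds_text.split(None, 3)
    flags, proto, key_alg, b64 = dnskey_text.split(None, 3)
    rdata = dnskey_rdata(int(flags), int(proto), int(key_alg), base64.b64decode("".join(b64.split())))
    if int(ds_alg) != int(key_alg) or int(tag) != key_tag(rdata):
        return False  # algorithm or key tag differs: this DS cannot refer to this key
    return ds_digest(owner, rdata, int(digest_type)) == "".join(digest.split()).upper()

# Constructed sample: bytes 0x00..0x3F stand in for a raw ECDSA P-256 public key (algorithm 13); not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(SAMPLE_PUBKEY).decode()
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, SAMPLE_PUBKEY)
SAMPLE_DS = f"{key_tag(SAMPLE_RDATA)} 13 2 {ds_digest(SAMPLE_OWNER, SAMPLE_RDATA, 2)}"

if __name__ == "__main__":
    print(SAMPLE_DS)  # key tag 59409 for this constructed key
    print("DS matches DNSKEY:", ds_matches_dnskey(SAMPLE_OWNER, SAMPLE_DS, SAMPLE_DNSKEY))  # True
```

To check a live domain, paste the output lines of the two dig commands from Step 2 into ds_matches_dnskey with your zone name as the owner; a False result for every DS/DNSKEY pair means the registrar's DS does not correspond to any key your provider is publishing.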
Frequently Asked Questions
What happens if DNSSEC validation fails?
If DNSSEC validation fails, resolvers that enforce DNSSEC will return a SERVFAIL response and refuse to resolve the domain. This means the domain becomes unreachable for users behind validating resolvers, which includes most major public DNS services.
Does DNSSEC protect against all DNS attacks?
DNSSEC protects against cache poisoning and spoofing by verifying the authenticity of DNS responses. However, it does not encrypt DNS queries, so it does not prevent eavesdropping. For privacy, you need DNS over HTTPS or DNS over TLS in addition to DNSSEC.
Can DNSSEC cause my domain to go offline?
Yes, if misconfigured. Expired DNSSEC signatures, mismatched DS records at the registrar, or key rollovers done incorrectly will cause validating resolvers to reject your domain. Always test DNSSEC changes in a staging environment first.