What Is DNSSEC (DNS Security Extensions)?
DNSSEC is a set of extensions to DNS that adds digital signatures to DNS data. A validating resolver can check that an answer is what the zone owner actually published and has not been altered on the way, which defeats cache poisoning and on-path modification of responses. DNSSEC provides authenticity and integrity only; it does not hide queries or answers from anyone watching the network.
How DNSSEC Works
DNSSEC works by digitally signing record sets (RRsets) at each level of the DNS hierarchy. When a zone is signed, its authoritative nameservers publish RRSIG records alongside the normal records; each RRSIG is a signature over one RRset, not over an individual record. The zone also publishes DNSKEY records containing the public keys that verify those signatures, conventionally a key-signing key (KSK) that signs the DNSKEY RRset and a zone-signing key (ZSK) that signs everything else.
A DS (Delegation Signer) record in the parent zone holds a hash of the child zone's key-signing key, together with that key's tag and algorithm, and is itself signed by the parent. That is what links the two zones: the parent vouches for the child's key, the child's key vouches for the child's data. Repeated at every delegation, this forms a chain of trust from the DNS root down to the records in your domain, and a validating resolver follows it hop by hop, starting from the root key it was configured with, to verify each answer.
Why DNSSEC Matters
Without DNSSEC, DNS responses can be spoofed: a resolver has no way to tell a forged answer from a genuine one. An attacker who poisons a resolver's cache can redirect its users to servers they control. This is especially dangerous for email, because a spoofed MX record silently redirects mail to an attacker's server. With DNSSEC, a validating resolver rejects records that were not signed by the zone's key, so the data it serves is authentic and unmodified. Two caveats: the protection only exists where validation actually happens, so a client that trusts an unsigned answer from a non-validating resolver (or the unprotected hop between itself and its resolver) gains nothing, and DNSSEC cannot help if the zone's own signing keys or registrar account are compromised, since the attacker then publishes correctly signed records.
DNSSEC Record Types
RRSIG contains the digital signature for a DNS record set, plus the signing key's tag, the signature's validity window and the name of the signer. DNSKEY holds the public signing key. DS links a parent zone to a child zone's key by publishing a digest of it in the parent. NSEC/NSEC3 provide authenticated denial of existence, a signed proof that a name or record type does not exist. NSEC does this by listing the next owner name in the zone, which means anyone can walk an NSEC chain and enumerate every name; NSEC3 instead lists hashed owner names (optionally salted and iterated), so an NSEC3 record proves that the hash of the queried name falls in a gap between two existing hashes without directly revealing those names. Note that NSEC3 only makes enumeration harder, not impossible: the hashes can still be attacked offline with a dictionary of likely names.
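The NSEC3 mechanism described above, as an added example written for this page (not code from any DNS implementation): it computes the RFC 5155 owner-name hash (SHA-1 over the wire-format name plus salt, iterated, then base32hex) and performs the interval check a validator does to decide whether an NSEC3 record covers a name that does not exist. The salt and iteration count match the example zone in RFC 5155 Appendix A; the small set of names is constructed for this demonstration. A real validator also has to establish the closest encloser (RFC 5155 section 8.4) before it can trust a covering record, which this example does not do.

```python
"""NSEC3 hashing (RFC 5155 section 5) and the interval check behind authenticated denial."""
import base64
import hashlib

# Python's base32 uses the RFC 4648 standard alphabet; NSEC3 owner names use base32hex.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_B32_STD, _B32_HEX)

# Parameters of the example zone in RFC 5155 Appendix A (salt aabbccdd, 12 iterations).
SALT_HEX = "aabbccdd"
ITERATIONS = 12
# Constructed subset of that zone's names, enough to build a chain with gaps.
ZONE_NAMES = ["example", "a.example", "ns1.example", "x.w.example"]


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    labels = [label for label in name.split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt). H is SHA-1."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32 characters, so no '=' padding appears.
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def nsec3_chain(names, salt_hex: str, iterations: int):
    """The chain a signer emits: (owner_hash, next_hash) pairs in hash order, last wrapping to first."""
    hashes = sorted({nsec3_hash(n, salt_hex, iterations) for n in names})
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def nsec3_covers(owner: str, nxt: str, h: str) -> bool:
    """True if h lies strictly between owner and next; the last record wraps around the hash space."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def prove_nonexistence(chain, qname: str, salt_hex: str, iterations: int):
    """('match', rec) if an NSEC3 owner equals hash(qname): the name exists, so only a type can be
    denied (NODATA). ('cover', rec) if a record's interval contains the hash: the name does not
    exist (NXDOMAIN). None if the chain is incomplete and proves nothing either way."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for rec in chain:
        if rec[0] == h:
            return ("match", rec)
    for rec in chain:
        if nsec3_covers(rec[0], rec[1], h):
            return ("cover", rec)
    return None


if __name__ == "__main__":
    chain = nsec3_chain(ZONE_NAMES, SALT_HEX, ITERATIONS)
    for owner, nxt in chain:
        print(f"{owner}.example. NSEC3 1 0 {ITERATIONS} {SALT_HEX} {nxt}")
    print(prove_nonexistence(chain, "example", SALT_HEX, ITERATIONS))
    print(prove_nonexistence(chain, "does-not-exist.example", SALT_HEX, ITERATIONS))
```

The hash of `example` with these parameters is the value RFC 5155 Appendix A shows as the owner of the zone apex NSEC3 record, which is a convenient check that the iteration and base32hex steps are right. The `ITERATIONS` constant is kept only to match the RFC vector; current guidance (RFC 9276) is to sign with zero additional iterations, since each extra iteration costs the validator as much work as it costs an attacker.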
Frequently Asked Questions
Does DNSSEC encrypt DNS queries?
No. DNSSEC only signs DNS data to prove it is authentic; it does not encrypt anything. Queries and responses remain visible to anyone on the network path, and DNSSEC says nothing about who is asking. For confidentiality between a client and its resolver, use DNS over HTTPS (DoH) or DNS over TLS (DoT). The two are complementary: DoH/DoT protect the transport to the resolver, DNSSEC lets the resolver (or the client) verify the data itself.
What is a chain of trust in DNSSEC?
The chain of trust starts at the DNS root zone and extends down through each level (TLD, then domain, then any further delegations). At each delegation the parent zone publishes and signs a DS record containing a digest of the child zone's key-signing key; the child's DNSKEY RRset must contain a key with the matching key tag, algorithm and digest. The root has no parent, so the resolver is configured with the root's key as a trust anchor. A resolver walks this chain, verifying each DS against the next zone's DNSKEY and each RRSIG against the DNSKEY of its zone, until it reaches the answer. If any link in the chain is missing or does not verify, the data below it cannot be validated.
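The DS-to-DNSKEY link that both the "How DNSSEC Works" section and this answer describe, as an added example written for this page (not code from any DNS implementation): it computes the RFC 4034 key tag, derives the DS digest the parent publishes (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA, as in RFC 4509), and performs the match a validator does at a delegation. The sample DNSKEY is constructed, not a real key: its 64-byte "public key" is just the bytes 0x00 through 0x3f, and the tampered variant swaps two of those bytes in a way that keeps the key tag identical, to show that the digest, not the tag, is what authenticates the key.

```python
"""DS derivation and checking for a DNSKEY: key tag (RFC 4034 App. B), digest (RFC 4509)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384.
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int      # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int   # always 3
    algorithm: int  # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    pubkey: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit checksum of the RDATA (not for the obsolete RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b << 8 if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def dnskey_from_text(rr: str) -> tuple[str, DNSKEY]:
    """Parse one presentation-format line such as 'example.com. [TTL] IN DNSKEY 257 3 13 <base64>'."""
    fields = rr.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split across fields
    return owner, DNSKEY(flags, proto, alg, pubkey)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in [x for x in name.split(".") if x]:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def to_text(self, owner: str) -> str:
        return f"{owner} IN DS {self.key_tag} {self.algorithm} {self.digest_type} {self.digest.hex().upper()}"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS RDATA the parent publishes: digest over wire(owner) || DNSKEY RDATA."""
    digest = DS_DIGEST_ALGS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    """What a validator checks at a delegation: does this parent-side DS authenticate this DNSKEY?"""
    if ds.algorithm != key.algorithm or ds.key_tag != key.key_tag():
        return False
    if ds.digest_type not in DS_DIGEST_ALGS:
        return False  # unknown digest type is unusable, never a match
    expected = DS_DIGEST_ALGS[ds.digest_type](name_to_wire(owner) + key.rdata()).digest()
    return hmac.compare_digest(expected, ds.digest)


# Constructed sample (NOT a real key): KSK-flagged, algorithm 13, public key bytes 0x00..0x3f.
SAMPLE_OWNER = "Example.COM."
SAMPLE_DNSKEY = DNSKEY(flags=257, protocol=3, algorithm=13, pubkey=bytes(range(64)))
SAMPLE_DNSKEY_TEXT = (
    f"{SAMPLE_OWNER} IN DNSKEY 257 3 13 {base64.b64encode(SAMPLE_DNSKEY.pubkey).decode()}"
)
# Swapping bytes 0 and 2 (both at even offsets) leaves the key tag unchanged but alters the key.
TAMPERED_DNSKEY = DNSKEY(257, 3, 13, bytes([2, 1, 0]) + bytes(range(3, 64)))

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(ds.to_text(SAMPLE_OWNER))
    print("genuine key matches:", ds_matches(ds, SAMPLE_OWNER, SAMPLE_DNSKEY))
    print("tampered key, same tag:", TAMPERED_DNSKEY.key_tag(), ds_matches(ds, SAMPLE_OWNER, TAMPERED_DNSKEY))
```

To apply this to a real delegation, feed `dnskey_from_text` the KSK line from `dig <zone> DNSKEY` and compare `make_ds` against what `dig <zone> DS` returns from the parent; a mismatch there (for instance a stale DS left at the registrar after a key rollover or a change of DNS provider) is exactly the condition that makes validating resolvers fail the whole zone.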
What happens if DNSSEC validation fails?
A DNSSEC-validating resolver returns SERVFAIL instead of serving data it could not verify. This is the intended outcome for tampered records, but it also means a misconfigured zone disappears for every user behind a validating resolver: typical causes are expired RRSIG signatures, a DNSKEY rollover that left the parent's DS pointing at the old key, a DS left at the registrar after moving to a DNS provider that does not sign the zone, or a zone served from a stale copy. To tell a validation failure apart from an ordinary outage, query the same resolver again with the Checking Disabled bit set (for example `dig +cd`): if the answer comes back with CD set but SERVFAILs without it, the data is reachable and the signatures are the problem.