DNSSEC Explained: Security for Domains

The domain name system (DNS) is one of those technologies that no one really thinks about—unless it breaks. If you don’t have to think about it, that means your DNS is working like it’s supposed to. But there’s actually a lot more to it than that. Not only does DNS face technical challenges, but it is also vulnerable to certain types of cyber threats.  The focus of this blog is DNSSEC and how it can help secure the DNS lookup process.

What is DNSSEC?

Domain name security extension (DNSSEC) is a set of protocols created by the Internet Engineering Task Force (IEFT). Its purpose is to provide an additional layer of security during the DNS lookup process. When using DNS, queries and their responses are authenticated before an end user is sent to their destination.

How Does DNSSEC Work?

The way DNSSEC authentication works is by means of cryptographic digital signatures. These signatures are stored on authoritative nameservers, alongside a domain’s other DNS records. Each DNS zone has a pair of public and private keys that enables validation: a zone-signing key (ZSK) and a key-signing key (KSK) pair. 

how does DNSSEC work

Zone-signing Key (ZSK)

The private key in a ZSK key pair is responsible for creating RRSIG records and the RRSIG signs the RRSET records in a zone. Its public key, which is stored within a DNSKEY record, is what verifies the signature. . Any time a DNSSEC resolver queries a DNS record, the responding nameserver returns the RRSIG for that record set. Once the RRSIG is received, the resolver can retrieve the DNSKEY record to authenticate the query.

Key-signing Key (KSK)

A KSK is what makes sure the ZSK is valid and hasn’t been tampered with, and its private key is what signs both ZSK and KSK public keys. 

DNS Records Used For DNSSEC

In order for DNSSEC to work properly, you’ll need to create the necessary records, which will work alongside the rest of your domain records.

RRSIG Record (RRSet Signature)

Record Resource (RR) sets are needed to secure a DNS zone. This is done by grouping records by type and name and making them into an RRset. Rather than validating each individual record, it’s the RRset that is signed. An RRSIG record is what stores the digital signature of an RRset for a domain using DNSSEC.

DS Record

A DS record instructs nameservers as to which key is next in the chain of trust, and is what authenticates the relationship between a parent and child zone. This record includes a hash of the child zone’s DNSKEY. The hash is used to verify the public KSK. If the DS record from the parent zone matches up with the public KSK of the child zone, resolvers know they can also trust the rest of the child zone’s records.  


There are usually two DNSKEY records, one which holds the public key for the ZSK and one for the public KSK key. This record is how resolvers are able to verify a signature’s legitimacy.  

How Can DNSSEC Help Secure My Domain?

One of the biggest advantages of using DNSSEC is that it helps protect your business and your customers by securing DNS lookups. Because DNS was designed with scalability in mind rather than security, it is vulnerable to certain types of attacks. The most notable threats are spoofing attacks, DNS or cache poisoning, man-in-the-middle, and hijacking attacks. 

Of course, DNSSEC alone isn’t always enough to thwart cybercriminals. Services like DNS failover and real-time anomaly detection are vital to keeping your domain safe from distributed denial-of-service (DDoS) and similar attacks, —and they pair nicely with DNSSEC. 

Tip: To learn more about how to protect your domain from common DDoS attacks, visit our blog Overwatch for DNS..

Who Needs DNSSEC?

Any business can benefit from DNSSEC, but it is especially beneficial for organizations that handle sensitive user information (both internally and externally). 

While DNSSEC is an excellent security measure for DNS, it does have its caveats. For starters, it can create a compatibility nightmare. It’s also not supported by all registrars. Furthermore, it can be difficult to configure and implement correctly, and typically comes with additional costs. 

Despite the drawbacks, DNSSEC is still a worthy addition to your domain’s security arsenal. And luckily, our DNS experts are here to help you configure DNSSEC for your domain to ensure a seamless process, whether it’s via phone, support ticket, or live video chat.

It’s All About Trust

Just like any good relationship, DNSSEC relies on trust—more specifically, a chain of trust. And that is what the cryptographic signatures and keys are for. By having keys that authenticate each other, one public and one private, DNSSEC allows you to secure the DNS lookup process and provide a higher level of security for your domain. 

Related Resources:

SSL/TLS Certificate: What is it and Why You Need One

Disaster Recovery for DNS

Our latest news

Stay up to date on the latest DNS Made Easy resources and news

Want a Proof of Concept?

Start Free Trial