DNS
DNSSEC: cryptographic signing for your DNS, explained plainly.
Published 2026-06-05 · Last updated 2026-06-05 · Vantyris editorial
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to your DNS records so resolvers can verify the answer they got actually came from your domain's authoritative servers, not an attacker. It's the most rigorous defence against DNS cache poisoning and man-in-the-middle attacks on DNS lookups. It's also the most operationally fragile DNS feature in common deployment: a misconfigured DNSSEC rollout will take your entire domain offline in ways your monitoring won't catch until customers complain. For most SMEs the question isn't 'can I turn it on' but 'is the upside worth the operational cost'.
What this means for your business
- Without DNSSEC, when a resolver looks up `yourdomain.com`, it trusts whatever the upstream DNS infrastructure returns. An attacker who can poison a resolver's cache (e.g., via the Kaminsky bug class, or by sitting on the network path) can substitute their own IP for yours, and the resolver has no way to detect it.
- DNSSEC signs each DNS record with a cryptographic signature stored alongside it. Resolvers verify the signature chains back to your TLD's root key. If the signature doesn't validate, the resolver returns a hard failure (NXDOMAIN or SERVFAIL) rather than the unsigned answer.
- Once DNSSEC is on, your domain's continued operation depends on you correctly rotating signing keys, maintaining the DS record at your registrar matches your DNSKEY at your authoritative server, and not having any tooling that breaks signatures (some legacy CMS plugins inject DNS records that don't get signed and break validation).
How to fix
Enable DNSSEC at your DNS provider (Cloudflare, Route53, DNSimple all have one-toggle support). Then publish the DS record they generate at your domain registrar so the chain of trust completes.
- Check whether your DNS provider supports DNSSEC and your registrar accepts the DS record. Cloudflare: yes (free tier). Route53: yes. DNSimple: yes. Many cheap registrar-bundled DNS panels: no. If both don't support it, you'll need to move DNS to a provider that does. This is the most common blocker.
- Enable DNSSEC signing at your DNS provider. Cloudflare: DNS → Settings → DNSSEC → Enable. It generates the keys and signs your zone automatically. Route53: DNSSEC signing tab on the hosted zone. Wait 1-2 hours for the signed zone to propagate.
- Get the DS record from your DNS provider. After signing is active, the DNS provider shows you a DS record (Delegation Signer) to publish at your registrar. Copy the four values: key tag, algorithm, digest type, digest.
- Publish the DS record at your domain registrar. At your registrar's domain control panel (Hover, Namecheap, Gandi, etc.), find the DNSSEC section. Enter the four values. Save. The registrar pushes the DS record up to the TLD operator (.com / .co.uk / etc.).
- Verify the chain of trust. Use dnsviz.net or verisignlabs.com/dnssec-debugger to check that the chain validates end-to-end. Wait 24-48 hours for global propagation. If you see broken-chain errors, fix the DS values; if you see SERVFAIL, your zone signing is broken — disable DNSSEC immediately while you debug.
Owner: Your DNS administrator. Coordination with your registrar. · Time: 30 minutes for the toggle + 24-48 hours for global propagation.
Common gotchas
- DNSSEC rollouts that go wrong cause hard failures, not soft ones. Your customers see 'this site can't be reached' rather than degraded performance. Plan for a Friday-afternoon rollout NOT, do it Monday morning when you're watching.
- Key rotation is the killer for SMEs. If you forget to rotate before the key expires, your domain disappears from the internet. Most modern DNS providers automate this; verify yours does.
- If you move DNS providers later, DNSSEC adds a multi-step coordination dance (publish new keys, update DS, wait, retire old keys) that's easy to get wrong.
- For most SMEs the threat model DNSSEC defends against (network-position DNS poisoning) is much less common than the threat models that DMARC + HSTS + MFA defend against. Get those right first.
How to verify the fix
Run a Vantyris scan; the Domain & DNS category checks DNSSEC validation state. Or use dnsviz.net for a visual chain-of-trust diagram.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
Should I enable DNSSEC if I'm a clinic, accountant, or agency?
Probably not yet. The benefit is real but the operational risk is high for a non-technical owner. Get DMARC enforcing, HSTS preloaded, and TLS 1.3 enabled first; come back to DNSSEC when your DNS provider supports automatic key rotation and you have someone monitoring.
Does DNSSEC require my visitors to use special DNS servers?
No. Most major resolvers (Google's 8.8.8.8, Cloudflare's 1.1.1.1, OpenDNS) validate DNSSEC by default. Your visitors don't need to do anything.
Will my email break if I enable DNSSEC?
Only if your DNSSEC setup itself breaks. With a working setup, MX lookups validate and mail flows normally. With a broken setup, MX lookups SERVFAIL and inbound email stops. Same fragility-vs-protection tradeoff as web traffic.
How does DNSSEC interact with CAA records?
CAA records get signed by DNSSEC like any other record. CAs verifying CAA on certificate issuance will validate the DNSSEC chain too. Strong combination: DNSSEC + CAA + DANE is the highest level of DNS-layer email + certificate protection.
References
- NCSC: DNSSEC NCSC
- RFC 4033 — DNSSEC introduction IETF RFC
- DNSViz: chain-of-trust visualiser Vendor
Related explainers
- CAA records: the DNS entry that decides who can issue your TLS certificates.
- What is DMARC, and why every business with a domain needs one.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0