DNSSEC for Beginners: Signing Your Zone for Integrity

Learn what DNSSEC is, how it protects DNS integrity, what DS records do, and how to avoid common DNSSEC configuration problems.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 7 min read Advanced

Introduction

DNSSEC is a security extension for DNS that helps prove DNS answers have not been changed in transit. It uses cryptographic signatures so resolvers can verify that DNS records come from the authoritative zone and were not tampered with.

DNSSEC can improve DNS integrity, but it must be configured carefully. A broken DNSSEC setup can make a domain fail to resolve for users whose resolvers validate DNSSEC. This is why DNSSEC should be enabled, moved or disabled with caution, especially during nameserver or DNS provider changes.

Quick answer

DNSSEC signs DNS records so validating resolvers can confirm that DNS answers are authentic and unchanged. It protects DNS integrity, but it does not encrypt DNS traffic and does not replace SSL, SPF, DKIM, DMARC or website security. If DNSSEC records are mismatched, the domain may fail DNS validation.

What is DNSSEC?

DNSSEC stands for Domain Name System Security Extensions. It adds digital signatures to DNS records so resolvers can verify that the response came from the correct authoritative zone.

Without DNSSEC, a resolver can ask DNS where a domain points, but it cannot cryptographically verify the answer. With DNSSEC, the response can be checked against a chain of trust.

What DNSSEC protects

DNSSEC helps protect:

  • DNS record integrity
  • against forged DNS answers
  • against some DNS spoofing/tampering scenarios
  • trust between the parent zone and the domain zone

Signed A record → resolver verifies signature

DNSSEC does not protect

  • website content
  • SSL certificate validity
  • email deliverability
  • server malware, phishing pages
  • DNS privacy or encryption

HTTPS still required for encrypted web traffic

DNSSEC protects the integrity of DNS answers. HTTPS protects website traffic. They solve different problems.

DNSSEC records explained

DNSKEY

Public key used to verify DNSSEC signatures in the zone.

RRSIG

Digital signature attached to DNS record sets.

DS

Delegation Signer record stored at the parent zone/registrar. It connects the parent zone to your domain’s DNSSEC keys.

NSEC/NSEC3

Records used to prove that a DNS name or record does not exist.

Most users do not manually edit all of these. DNS providers usually generate DNSSEC records, while the domain owner may need to publish or update DS records at the registrar.

Why this matters

DNSSEC matters because it can add integrity protection to DNS. But DNSSEC also introduces a strict validation chain. If the DNS provider signs the zone but the DS record at the registrar is missing, outdated or incorrect, validating resolvers may reject the domain’s DNS answers.

This is especially important when changing nameservers or moving DNS providers.

How to check DNSSEC

Use DNS Lookup to check whether DNSSEC-related records are present and whether the domain appears to have a valid DNSSEC chain.

When checking DNSSEC, review the following:

These five areas help spot broken validation before users are affected.

DS record

Is there a DS record at the parent zone/registrar?

DNSKEY records

Does the authoritative zone publish DNSKEY records?

Validation status

Do validating resolvers accept the signed zone?

Nameservers

Are you checking the DNS provider that currently controls the domain?

Recent DNS migration

Was DNSSEC changed during a nameserver move?

Check commands
dig example.com DS
dig example.com DNSKEY
dig example.com NS
dig +dnssec example.com A

These examples are for checking only. Do not manually create DNSSEC records unless you understand your DNS provider’s DNSSEC setup.
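The output of the DS and DNSKEY lookups above can be compared offline to confirm that the DS at the parent was actually derived from a DNSKEY the live zone publishes. The following is an added example (not code from the original guide or from CheckDomainHealth); it computes the key tag as defined in RFC 4034 Appendix B and the SHA-256 DS digest as defined in RFC 4509, using a constructed domain, a made-up 64-byte key and a constructed stale DS record.

```python
"""Offline DS <-> DNSKEY consistency check (RFC 4034 key tag, RFC 4509 SHA-256 digest)."""
import base64
import hashlib

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type codes


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum of the RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, terminating root label."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_from_dnskey(name: str, dnskey: tuple, digest_type: int = 2) -> tuple:
    """Derive the DS (key tag, algorithm, digest type, hex digest) the parent should publish."""
    flags, protocol, algorithm, b64key = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(b64key))
    digest = DIGEST_ALGS[digest_type](owner_wire(name) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(name: str, dnskey: tuple, ds: tuple) -> bool:
    """True if the DS record at the parent was derived from this DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type: cannot verify, treat as no match
    return ds_from_dnskey(name, dnskey, dtype) == (tag, alg, dtype, digest.replace(" ", "").upper())


def unmatched_ds(name: str, dnskeys: list, ds_records: list) -> list:
    """DS records with no matching DNSKEY in the live zone: the stale-DS failure after a provider move."""
    return [ds for ds in ds_records if not any(ds_matches(name, k, ds) for k in dnskeys)]


# Constructed sample: a KSK (flags 257, protocol 3, algorithm 13) with a made-up 64-byte key.
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())
SAMPLE_DS = ds_from_dnskey("example.com.", SAMPLE_DNSKEY)
```

Feed it the flags/protocol/algorithm/key fields from `dig example.com DNSKEY` and the tag/algorithm/digest-type/digest fields from `dig example.com DS`; any DS returned by `unmatched_ds` is one a validating resolver cannot chain to the live zone.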

Common DNSSEC problems

DS record does not match DNS provider

Severity: High

The registrar has a DS record that does not match the DNSSEC keys used by the active DNS provider.

Next step: Update or remove the DS record according to your current DNS provider’s DNSSEC settings.

DNSSEC left enabled after nameserver change

Severity: High

The domain was moved to new nameservers, but the old DS record still points to the previous DNSSEC setup.

Next step: Fix DS records at the registrar or temporarily disable DNSSEC until the new setup is correct.

DNSSEC enabled at DNS provider but DS missing

Severity: Medium

The zone may be signed, but the parent zone does not have the DS record needed to complete the chain of trust.

Next step: Add the DS record at the registrar if you intend to enable DNSSEC.

Domain fails only for some users

Severity: High

Users with DNSSEC-validating resolvers may fail to resolve the domain while others still can.

Next step: Check DNSSEC validation and DS/DNSKEY consistency.

DNS provider does not support DNSSEC

Severity: Medium

Some DNS providers may not support DNSSEC or may not support it for your setup.

Next step: Use provider-supported DNSSEC settings or choose a DNS provider that supports DNSSEC.

DNSSEC disabled without removing DS

Severity: High

If DNSSEC is disabled at the DNS provider but DS records remain at the registrar, validation can fail.

Next step: Remove DS records at the registrar when disabling DNSSEC.

How to manage DNSSEC safely

  1. Confirm who controls DNS

    Check the active nameservers and confirm which DNS provider controls the live zone.

  2. Check current DNSSEC status

    Review whether the zone is signed and whether DS records exist at the registrar.

  3. Do not change nameservers blindly

    Before changing nameservers, check whether DNSSEC is enabled. Moving DNS without updating DS records can break validation.

  4. Use provider-generated values

    If enabling DNSSEC, use the DS record values generated by your DNS provider. Do not guess key tags, algorithms or digests.

  5. Remove DS records when disabling DNSSEC

    If you disable DNSSEC at the DNS provider, remove the related DS records at the registrar if the provider instructs you to do so.

  6. Verify after changes

    After enabling, disabling or moving DNSSEC, check DNS resolution from validating resolvers and confirm the domain still resolves correctly.

DNSSEC and nameserver changes

Nameserver changes are one of the most common moments when DNSSEC problems happen.

Before changing nameservers:

  • check whether DNSSEC is enabled
  • confirm whether DS records exist at the registrar
  • confirm whether the new DNS provider supports DNSSEC
  • update DS records if enabling DNSSEC at the new provider
  • remove old DS records if DNSSEC is not active at the new provider

If unsure, ask the DNS provider or registrar before changing nameservers on a DNSSEC-enabled domain.

Frequently asked questions

Is DNSSEC required?

No. DNSSEC is optional for many domains, but it can improve DNS integrity when configured correctly.

Does DNSSEC encrypt DNS traffic?

No. DNSSEC validates DNS answers, but it does not encrypt DNS queries or responses.

Can DNSSEC break my domain?

Yes. A mismatched DS record, wrong DNSKEY or incomplete migration can make DNS validation fail.

Is DNSSEC the same as SSL?

No. DNSSEC protects DNS integrity. SSL/TLS protects website traffic and identity at the HTTPS layer.

Should I enable DNSSEC?

Enable it if your DNS provider supports it and you can manage DS records correctly. Be careful during nameserver changes.

What should I check before moving DNS providers?

Check whether DNSSEC is enabled, whether DS records exist at the registrar, and whether the new provider supports DNSSEC.
