DNSSEC for Beginners: Signing Your Zone for Integrity
Learn what DNSSEC is, how it protects DNS integrity, what DS records do, and how to avoid common DNSSEC configuration problems.
Introduction
DNSSEC is a security extension for DNS that helps prove DNS answers have not been changed in transit. It uses cryptographic signatures so resolvers can verify that DNS records come from the authoritative zone and were not tampered with.
DNSSEC can improve DNS integrity, but it must be configured carefully. A broken DNSSEC setup can make a domain fail to resolve for users whose resolvers validate DNSSEC. This is why DNSSEC should be enabled, moved or disabled with caution, especially during nameserver or DNS provider changes.
Quick answer
DNSSEC signs DNS records so validating resolvers can confirm that DNS answers are authentic and unchanged. It protects DNS integrity, but it does not encrypt DNS traffic and does not replace SSL, SPF, DKIM, DMARC or website security. If DNSSEC records are mismatched, the domain may fail DNS validation.
What is DNSSEC?
DNSSEC stands for Domain Name System Security Extensions. It adds digital signatures to DNS records so resolvers can verify that the response came from the correct authoritative zone.
Without DNSSEC, a resolver can ask DNS where a domain points, but it cannot cryptographically verify the answer. With DNSSEC, the response can be checked against a chain of trust.
What DNSSEC protects
DNSSEC helps provide
- DNS record integrity
- detection of forged DNS answers
- protection against some DNS spoofing/tampering scenarios
- a verifiable chain of trust between the parent zone and the domain zone
Signed A record → resolver verifies signature
DNSSEC does not protect
- website content
- SSL certificate validity
- email deliverability
- server malware, phishing pages
- DNS privacy or encryption
HTTPS still required for encrypted web traffic
DNSSEC protects the integrity of DNS answers. HTTPS protects website traffic. They solve different problems.
DNSSEC records explained
DNSKEY
Public key used to verify DNSSEC signatures in the zone.
RRSIG
Digital signature attached to DNS record sets.
DS
Delegation Signer record stored at the parent zone/registrar. It connects the parent zone to your domain’s DNSSEC keys.
NSEC/NSEC3
Records used to prove that a DNS name or record does not exist.
Most users do not manually edit all of these. DNS providers usually generate DNSSEC records, while the domain owner may need to publish or update DS records at the registrar.
Why this matters
DNSSEC matters because it can add integrity protection to DNS. But DNSSEC also introduces a strict validation chain. If the DNS provider signs the zone but the DS record at the registrar is missing, outdated or incorrect, validating resolvers may reject the domain’s DNS answers.
This is especially important when changing nameservers or moving DNS providers.
How to check DNSSEC
Use DNS Lookup to check whether DNSSEC-related records are present and whether the domain appears to have a valid DNSSEC chain.
When checking DNSSEC, review these five areas. They help spot broken validation before users are affected.
DS record
Is there a DS record at the parent zone/registrar?
DNSKEY records
Does the authoritative zone publish DNSKEY records?
Validation status
Do validating resolvers accept the signed zone?
Nameservers
Are you checking the DNS provider that currently controls the domain?
Recent DNS migration
Was DNSSEC changed during a nameserver move?
dig example.com DS
dig example.com DNSKEY
dig example.com NS
dig +dnssec example.com A
These examples are for checking only. Do not manually create DNSSEC records unless you understand your DNS provider’s DNSSEC setup.
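The dig commands above only print raw responses; reading them correctly is what separates a DNSSEC validation failure from an unsigned zone or an ordinary outage. The following Python is an added example written for this guide, not code from the original page or from any DNS tool vendor. It interprets the header flags of a dig +dnssec transcript (ad = authenticated data, cd = checking disabled) together with the RRSIG records in the answer, and pairs a normal query with a dig +cd query to confirm the "domain fails only for some users" pattern described later on this page. The dig transcripts embedded below are constructed to mimic dig's layout and are not captured from a real domain.

```python
"""Interpret 'dig +dnssec' output to tell a DNSSEC validation failure apart from
an unsigned zone, an unvalidated (insecure) answer and a plain server failure.
Added example, not code from the page; the dig transcripts below are constructed
to mimic BIND dig's layout and are not from a real domain."""
import re

SECURE, INSECURE, UNSIGNED, UNCHECKED, SERVFAIL, OTHER = (
    "secure", "insecure", "unsigned", "unchecked", "servfail", "other")


def interpret_dig(output: str) -> dict:
    """Summarise one dig response: status, AD/CD flags, RRSIG presence and a verdict."""
    status_m = re.search(r"status: (\w+)", output)
    status = status_m.group(1) if status_m else "UNKNOWN"
    flags_m = re.search(r";; flags: ([^;]*);", output)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    # RRSIG answer lines look like: name  TTL  IN  RRSIG  covered-type ...
    rrsig = any(re.match(r"^\S+\s+\d+\s+IN\s+RRSIG\s", line) for line in output.splitlines())
    ad, cd = "ad" in flags, "cd" in flags

    if status == "NOERROR" and ad:
        verdict = SECURE      # resolver validated the full chain of trust
    elif status == "NOERROR" and cd:
        verdict = UNCHECKED   # we asked with +cd, so validation was skipped on purpose
    elif status == "NOERROR" and rrsig:
        verdict = INSECURE    # signatures returned but not validated: no DS at the parent, or a non-validating resolver
    elif status == "NOERROR":
        verdict = UNSIGNED    # no signatures at all (or +dnssec was not used)
    elif status == "SERVFAIL":
        verdict = SERVFAIL    # possibly a validation failure; confirm with +cd
    else:
        verdict = OTHER
    return {"status": status, "ad": ad, "cd": cd, "rrsig": rrsig, "verdict": verdict}


def dnssec_validation_failure(normal_output: str, cd_output: str) -> bool:
    """The 'fails only for some users' pattern: the validating resolver returns
    SERVFAIL, but answers once checking is disabled (dig +cd). A SERVFAIL that
    persists with +cd points at a DNS/server problem rather than a DNSSEC one."""
    normal, cd = interpret_dig(normal_output), interpret_dig(cd_output)
    return normal["status"] == "SERVFAIL" and cd["cd"] and cd["status"] == "NOERROR"


# Constructed transcripts, abbreviated to the header and answer section.
ANSWER = ("example.com.\t\t3600\tIN\tA\t192.0.2.10\n"
          "example.com.\t\t3600\tIN\tRRSIG\tA 13 2 3600 20300101000000 20250101000000 "
          "2067 example.com. c2FtcGxlLXNpZ25hdHVyZQ==\n")  # signature bytes are arbitrary
VALIDATED = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31337\n"
             ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n\n"
             ";; ANSWER SECTION:\n" + ANSWER)
BROKEN = (";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31338\n"
          ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")
BROKEN_CD = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31339\n"
             ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n\n"
             ";; ANSWER SECTION:\n" + ANSWER)
UNSIGNED_ZONE = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31340\n"
                 ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n"
                 ";; ANSWER SECTION:\nexample.com.\t\t3600\tIN\tA\t192.0.2.10\n")

if __name__ == "__main__":
    for name, out in [("validated", VALIDATED), ("broken", BROKEN), ("broken +cd", BROKEN_CD),
                      ("unsigned", UNSIGNED_ZONE)]:
        print(f"{name:12s} -> {interpret_dig(out)['verdict']}")
    print("DNSSEC-caused SERVFAIL:", dnssec_validation_failure(BROKEN, BROKEN_CD))
```

In practice, feed the function the output of dig +dnssec against a validating resolver and, if it returns SERVFAIL, the output of the same query with +cd added; an answer that only appears with checking disabled is the DS/DNSKEY mismatch this guide warns about.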
Common DNSSEC problems
DS record does not match DNS provider
High: The registrar has a DS record that does not match the DNSSEC keys used by the active DNS provider.
Next step: Update or remove the DS record according to your current DNS provider’s DNSSEC settings.
DNSSEC left enabled after nameserver change
High: The domain was moved to new nameservers, but the old DS record still points to the previous DNSSEC setup.
Next step: Fix DS records at the registrar or temporarily disable DNSSEC until the new setup is correct.
DNSSEC enabled at DNS provider but DS missing
Medium: The zone may be signed, but the parent zone does not have the DS record needed to complete the chain of trust.
Next step: Add the DS record at the registrar if you intend to enable DNSSEC.
Domain fails only for some users
High: Users with DNSSEC-validating resolvers may fail to resolve the domain while others still can.
Next step: Check DNSSEC validation and DS/DNSKEY consistency.
DNS provider does not support DNSSEC
Medium: Some DNS providers may not support DNSSEC or may not support it for your setup.
Next step: Use provider-supported DNSSEC settings or choose a DNS provider that supports DNSSEC.
DNSSEC disabled without removing DS
High: If DNSSEC is disabled at the DNS provider but DS records remain at the registrar, validation can fail.
Next step: Remove DS records at the registrar when disabling DNSSEC.
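The DS record described earlier ("Delegation Signer record stored at the parent zone/registrar") is nothing more than a hash of one DNSKEY plus that key's tag and algorithm, which is why a DS left over from a previous provider can never match the keys the current provider publishes. The Python below is an added example written for this guide, following RFC 4034 (DS digest construction and the Appendix B key tag); it is not code from the original page, from a registrar or from any DNS provider. It recomputes the DS from a DNSKEY in the presentation format dig prints and reports any DS records at the parent that match none of the zone's published DNSKEYs, which is the "DS record does not match DNS provider" condition above. The owner name example.com. and the key material are constructed; the key bytes are arbitrary and not a real ECDSA key.

```python
"""Verify that a DS record at the parent zone was derived from a DNSKEY in the
child zone. Added example following RFC 4034 (DS digest, Appendix B key tag);
it is not code from the page or from any DNS provider. Inputs are the
presentation formats dig prints; all sample records below are constructed."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root terminated."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def parse_dnskey(text: str) -> tuple:
    """Parse DNSKEY RDATA as dig shows it: 'flags protocol algorithm base64-key'."""
    parts = text.split()
    flags, protocol, algorithm = int(parts[0]), int(parts[1]), int(parts[2])
    return flags, protocol, algorithm, base64.b64decode("".join(parts[3:]))


def dnskey_rdata_wire(flags: int, protocol: int, algorithm: int, key: bytes) -> bytes:
    """DNSKEY RDATA in wire format: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Build the DS RDATA ('keytag algorithm digesttype hexdigest') for one DNSKEY.
    The digest covers the owner name (wire form) followed by the DNSKEY RDATA."""
    flags, protocol, algorithm, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata_wire(flags, protocol, algorithm, key)
    digest = DIGEST_ALGS[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner: str, ds_text: str, dnskey_text: str) -> bool:
    """True when this DS record was derived from this DNSKEY (tag, algorithm and digest agree)."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    if int(dtype) not in DIGEST_ALGS:
        return False  # unknown digest type cannot be checked here; treat as a mismatch
    want_tag, want_alg, _, want_digest = ds_from_dnskey(owner, dnskey_text, int(dtype)).split()
    # dig may print the digest with embedded spaces; compare case-insensitively
    return (int(tag), int(alg), digest.replace(" ", "").upper()) == (
        int(want_tag), int(want_alg), want_digest)


def orphaned_ds(owner: str, ds_records: list, dnskey_records: list) -> list:
    """DS records at the parent that match no published DNSKEY: the 'DS does not
    match DNS provider' condition that makes validating resolvers reject the zone."""
    return [ds for ds in ds_records
            if not any(ds_matches(owner, ds, k) for k in dnskey_records)]


# Constructed sample KSKs (flags 257): the key bytes are arbitrary, not real ECDSA keys.
CURRENT_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()      # current provider
OLD_KSK = "257 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()    # previous provider

if __name__ == "__main__":
    current_ds = ds_from_dnskey("example.com.", CURRENT_KSK)
    stale_ds = ds_from_dnskey("example.com.", OLD_KSK)
    print("DS to publish at the registrar:", current_ds)
    # The registrar still holds the old provider's DS next to the new one
    print("Orphaned DS records:", orphaned_ds("example.com.", [current_ds, stale_ds], [CURRENT_KSK]))
```

To use it against a live domain, paste the DNSKEY records from dig example.com DNSKEY and the DS records from dig example.com DS into the two lists; every DS that comes back from orphaned_ds is one a validating resolver will try and fail to match, so it must be corrected or removed at the registrar.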
How to manage DNSSEC safely
- Confirm who controls DNS: check the active nameservers and confirm which DNS provider controls the live zone.
- Check current DNSSEC status: review whether the zone is signed and whether DS records exist at the registrar.
- Do not change nameservers blindly: before changing nameservers, check whether DNSSEC is enabled. Moving DNS without updating DS records can break validation.
- Use provider-generated values: if enabling DNSSEC, use the DS record values generated by your DNS provider. Do not guess key tags, algorithms or digests.
- Remove DS records when disabling DNSSEC: if you disable DNSSEC at the DNS provider, remove the related DS records at the registrar if the provider instructs you to do so.
- Verify after changes: after enabling, disabling or moving DNSSEC, check DNS resolution from validating resolvers and confirm the domain still resolves correctly.
DNSSEC and nameserver changes
Nameserver changes are one of the most common moments when DNSSEC problems happen.
Before changing nameservers:
- check whether DNSSEC is enabled
- confirm whether DS records exist at the registrar
- confirm whether the new DNS provider supports DNSSEC
- update DS records if enabling DNSSEC at the new provider
- remove old DS records if DNSSEC is not active at the new provider
If unsure, ask the DNS provider or registrar before changing nameservers on a DNSSEC-enabled domain.
Frequently asked questions
Is DNSSEC required?
No. DNSSEC is optional for many domains, but it can improve DNS integrity when configured correctly.
Does DNSSEC encrypt DNS traffic?
No. DNSSEC validates DNS answers, but it does not encrypt DNS queries or responses.
Can DNSSEC break my domain?
Yes. A mismatched DS record, wrong DNSKEY or incomplete migration can make DNS validation fail.
Is DNSSEC the same as SSL?
No. DNSSEC protects DNS integrity. SSL/TLS protects website traffic and identity at the HTTPS layer.
Should I enable DNSSEC?
Enable it if your DNS provider supports it and you can manage DS records correctly. Be careful during nameserver changes.
What should I check before moving DNS providers?
Check whether DNSSEC is enabled, whether DS records exist at the registrar, and whether the new provider supports DNSSEC.
Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.