What Is DNSSEC
Learn what DNSSEC is, how DNS signing works, DS records, validation failures, and what DNSSEC does not protect.
Introduction
DNSSEC protects the integrity and origin authenticity of DNS answers: a validating resolver can prove that the records it received are the ones the zone operator signed and that they were not altered in transit. It does not hide query contents; that is the job of DNS over HTTPS or DNS over TLS, which are separate protocols.
Most beginners first meet DNSSEC when enabling it at a DNS host, or when troubleshooting DS record mismatches after a migration between DNS providers.
Quick answer
DNSSEC adds cryptographic signatures to DNS data so resolvers can detect tampering. It does not encrypt DNS queries or responses. DNSSEC requires a signed zone at the DNS provider and a matching DS record at the registrar (published in the parent zone). Broken DNSSEC, for example a DS record that no longer matches any DNSKEY in the zone, causes complete resolution failure (SERVFAIL) on validating resolvers.
What it means
DNSSEC signs the record sets in the zone, publishing the public keys as DNSKEY records and the signatures as RRSIG records, and publishes a DS record in the parent zone (submitted through the registrar) that carries a hash of the zone's key-signing DNSKEY. That DS record is what links the parent's chain of trust to the child zone.
- DNSKEY — public signing keys in the zone
- RRSIG — signatures over DNS record sets
- DS — delegation signer at registrar/parent zone
- Validating resolvers reject broken DNSSEC chains
- Does not replace SPF, DKIM or TLS/SSL certificates
Where you see this:
- Domains requiring DNS integrity validation
- Some government and enterprise security policies
- Registrar DNSSEC management after DNS provider migration
- Troubleshooting SERVFAIL on validating resolvers only
Why this matters
Correct DNSSEC improves trust. Incorrect DNSSEC — especially stale DS records after nameserver changes — can make the domain unreachable for users on validating DNS.
How to check it
- Check whether DNSSEC is enabled at DNS provider and registrar.
- Compare DS records at registrar with DNS provider DNSSEC settings.
- Run dig +dnssec example.com A against a validating resolver. A signed, validated answer carries RRSIG records and the ad (authenticated data) flag; a broken chain returns SERVFAIL. Add +cd (checking disabled) to bypass validation and still see the records while debugging.
- Test with validating resolver if domain fails for some users only.
- When migrating away from signed DNS, remove the DS at the registrar first and let its TTL expire before changing nameservers; when migrating to another signing provider, publish that provider's DS as soon as the new zone is live.
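The DS comparison in the steps above can be done offline once you have the DNSKEY records the provider serves (dig DNSKEY example.com @its-nameserver) and the DS records the parent publishes (dig DS example.com). The following is an added example, not code from this page or from any DNS provider's tooling: it computes the DS a registrar should hold for a DNSKEY (RFC 4034 section 5.1.4, including the key tag from Appendix B) and reports which parent DS records match a current key and which are stale. The two keys and the owner name example.com are constructed sample data, not real keys.

```python
"""Added example: compute the DS that a registrar should publish for a zone's
DNSKEY and compare it with the DS records actually present in the parent.
Pure standard library; works offline on records pasted from dig output.
The keys used below are constructed, not real."""
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605). Type 1 (SHA-1) is deprecated
# for new delegations; type 2 (SHA-256) is what registrars normally expect.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def parse_dnskey(record: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into (owner, wire RDATA)."""
    toks = record.split()
    i = toks.index("DNSKEY")
    flags, proto, alg = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
    pubkey = base64.b64decode("".join(toks[i + 4:]))
    return toks[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def parse_ds(record: str):
    """Parse 'owner [ttl] [IN] DS keytag alg digesttype hex...' into its four fields."""
    toks = record.split()
    i = toks.index("DS")
    return int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3]), "".join(toks[i + 4:]).upper()


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA used to
    select candidate keys. It is not a hash and does not identify a key on its own."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RDATA for a DNSKEY (RFC 4034 s5.1.4): digest over wire owner name + DNSKEY RDATA."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"   # rdata[3] is the algorithm


def ds_record_for(dnskey_record: str, digest_type: int = 2) -> str:
    """Full DS record (presentation form) the registrar should hold for this DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_record)
    return f"{owner} IN DS {make_ds(owner, rdata, digest_type)}"


def check_delegation(parent_ds_records, child_dnskey_records):
    """Compare the DS set in the parent with the DNSKEYs the child zone serves.

    Returns (chain_ok, report). chain_ok is True when at least one DS matches a DNSKEY,
    which is all a validator needs; the report still flags every stale DS, because a DS
    that matches nothing is exactly what gets left behind after a provider migration."""
    keys = [parse_dnskey(k) for k in child_dnskey_records]
    report = {}
    for ds in parent_ds_records:
        tag, alg, dtype, digest = parse_ds(ds)
        if dtype not in DIGEST_ALGS:
            report[ds] = "unsupported digest type"
            continue
        matched = any(
            rdata[3] == alg and key_tag(rdata) == tag
            and make_ds(owner, rdata, dtype).split()[-1] == digest
            for owner, rdata in keys
        )
        report[ds] = "match" if matched else "stale"
    return any(v == "match" for v in report.values()), report


# Constructed sample data (not real keys): the current provider's KSK and the previous
# provider's KSK whose DS was left at the registrar. Flags 257 = KSK; algorithm 13 =
# ECDSAP256SHA256, whose DNSKEY public key field is a raw 64-byte point (RFC 6605).
NEW_KSK = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()
OLD_KSK = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()

if __name__ == "__main__":
    registrar_ds = [ds_record_for(OLD_KSK)]          # only the old provider's DS remains
    print(check_delegation(registrar_ds, [NEW_KSK]))  # chain_ok False: validators SERVFAIL
    registrar_ds.append(ds_record_for(NEW_KSK))       # publish the new provider's DS
    print(check_delegation(registrar_ds, [NEW_KSK]))  # chain_ok True, old DS still flagged stale
```

Paste real records in place of NEW_KSK and OLD_KSK (one record per string, in the single-line form dig prints) and feed the parent's DS records to check_delegation: any DS reported as stale with no matching entry is the "DS record left after DNS provider change" mistake described below, and a result of chain_ok False is what validating resolvers turn into SERVFAIL.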
Check DNSSEC status
Use DNS Lookup and domain health tools to see whether DNSSEC validation is involved.
Common mistakes
DS record left after DNS provider change (severity: high)
The DS at the registrar still references the old provider's DNSKEY, which the new provider does not serve; validation fails.
Next step: Remove the stale DS, or publish the DS that matches the new provider's key.
DNSSEC enabled but zone not signed (severity: high)
A DS is published in the parent but the zone carries no DNSKEY/RRSIG records; the incomplete setup breaks validation.
Next step: Complete signing at the DNS provider, or disable DNSSEC fully by removing the DS.
Assuming DNSSEC fixes all DNS issues (severity: low)
Wrong A or MX records can be validly signed and still be wrong; DNSSEC proves authenticity, not correctness.
Next step: Fix record values separately from the DNSSEC setup.
Broken chain causes total resolution failure (severity: high)
Validating resolvers return SERVFAIL for every name in the domain, while non-validating resolvers keep answering.
Next step: Fix the DS/DNSKEY mismatch urgently, or remove the DS temporarily and re-add it once the zone is signed correctly.
Example
Registrar DS → hash of the zone's key-signing DNSKEY, published in the parent zone
Zone records → each record set signed with an RRSIG by the zone's keys
Resolver → follows the chain from the parent DS to the DNSKEY, validates the RRSIGs, and returns the answer or SERVFAIL
Frequently asked questions
Does DNSSEC encrypt DNS?
No. DNSSEC signs data so its integrity and origin can be verified. It does not encrypt queries or responses, so it provides no privacy.
Do I need DNSSEC?
Optional for most sites. Required by some security policies. Enable only if you can maintain DS records correctly.
What is a DS record?
A record published in the parent zone, submitted through the registrar, that contains a hash of the child zone's key-signing DNSKEY. It links the parent's chain of trust to the child zone's keys.
Why does my domain fail only for some users with DNSSEC issues?
Some resolvers validate DNSSEC strictly and return SERVFAIL when the chain is broken; others do not validate and return the records anyway. Users therefore see the failure only if their resolver validates, which most large public resolvers do.