
What Is DNSSEC

Learn what DNSSEC is, how DNS signing works, DS records, validation failures, and what DNSSEC does not protect.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 6 min read Beginner

Introduction

DNSSEC protects the integrity of DNS answers — proving that records were not altered in transit. It does not hide query contents (that is DNS over HTTPS/TLS, a different feature).

Most beginners interact with DNSSEC when enabling it at a DNS host or when troubleshooting DS record mismatches after a migration.

Quick answer

DNSSEC adds cryptographic signatures to DNS data so resolvers can detect tampering. It does not encrypt DNS queries. DNSSEC requires signed zones at the DNS provider and DS records at the registrar. Broken DNSSEC can cause complete resolution failure for validating resolvers.

What it means

DNSSEC signs the records in a zone (DNSKEY, RRSIG) and publishes a DS record at the registrar that links the parent zone to the zone's keys.

  • DNSKEY — public signing keys in the zone
  • RRSIG — signatures over DNS record sets
  • DS — delegation signer at registrar/parent zone
  • Validating resolvers reject broken DNSSEC chains
  • Does not replace SPF, DKIM or SSL

Where you see this:

  • Domains requiring DNS integrity validation
  • Some government and enterprise security policies
  • Registrar DNSSEC management after DNS provider migration
  • Troubleshooting SERVFAIL on validating resolvers only

Why this matters

Correct DNSSEC improves trust. Incorrect DNSSEC — especially stale DS records after nameserver changes — can make the domain unreachable for users on validating DNS.

How to check it

  1. Check whether DNSSEC is enabled at the DNS provider and at the registrar.
  2. Compare the DS records at the registrar with the DNSSEC settings at the DNS provider.
  3. Run dig +dnssec example.com A and check that the answer carries RRSIG records.
  4. Test with a validating resolver if the domain fails for some users only.
  5. Remove or update the DS records when migrating away from signed DNS.
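The comparison in step 2, carried out offline in Python as an added example (not code from the original guide): a DS record is the key tag plus a SHA-256 digest over the owner name in wire form followed by the DNSKEY RDATA, so a DS at the registrar matches only if some DNSKEY in the zone reproduces it exactly. The DNSKEY and DS values below are constructed, not real keys.

```python
import base64
import hashlib
import struct

# Digest types a DS record may use (RFC 4034 / RFC 4509 / RFC 6605). SHA-1 (1) is deprecated.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (lowercase labels, length-prefixed, root terminator)."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire: 2-byte flags, protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def parse_dnskey(text: str) -> bytes:
    """Parse presentation form 'FLAGS PROTOCOL ALGORITHM BASE64KEY' into RDATA bytes."""
    flags, proto, alg, *key = text.split()
    return dnskey_rdata(int(flags), int(proto), int(alg), base64.b64decode("".join(key)))

def parse_ds(text: str) -> tuple:
    """Parse 'KEYTAG ALGORITHM DIGESTTYPE HEXDIGEST' into (key_tag, alg, digest_type, digest)."""
    tag, alg, dtype, *digest = text.split()
    return int(tag), int(alg), int(dtype), "".join(digest).upper()

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all current algorithms)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def compute_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS the parent should publish for this DNSKEY: digest over owner-name wire form + RDATA."""
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_ds(owner: str, ds_records: list, dnskeys: list) -> list:
    """For each DS at the registrar, True if some DNSKEY in the zone reproduces it exactly."""
    return [any(compute_ds(owner, k, ds[2]) == ds for k in dnskeys if ds[2] in DS_DIGESTS)
            for ds in ds_records]

if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257, algorithm 13) with a dummy 4-byte key, not a real key.
    zone = "example.com."
    ksk = parse_dnskey("257 3 13 AQEBAQ==")
    good_ds = compute_ds(zone, ksk)                  # what the current provider would hand out
    stale_ds = parse_ds("12345 13 2 " + "00" * 32)   # DS left over from the previous provider
    print("DS check:", check_ds(zone, [good_ds, stale_ds], [ksk]))  # prints [True, False]
```

With live data, paste the DNSKEY records served by the zone's nameservers and the DS records served by the parent (both obtainable with dig) into parse_dnskey and parse_ds; any False in the result is a DS that validating resolvers cannot match to a key.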

Check DNSSEC status

Use DNS Lookup and domain health tools to see whether DNSSEC validation is involved.


Common mistakes

DS record left after DNS provider change

High

Registrar still points to old DNSSEC keys; validation fails.

Next step: Remove DS or publish matching DS from new provider.

DNSSEC enabled but zone not signed

High

Incomplete DNSSEC setup breaks validation.

Next step: Complete signing at DNS provider or disable DNSSEC fully.

Assuming DNSSEC fixes all DNS issues

Low

Wrong A or MX records can be validly signed but still incorrect.

Next step: Fix record values separately from DNSSEC setup.

Broken chain causes total resolution failure

High

Validating resolvers return SERVFAIL for the domain.

Next step: Fix DS/DNSKEY mismatch urgently or remove DS temporarily.

Example

DNSSEC chain (simplified)
Registrar DS    points to DNSKEY in zone
Zone records     signed with RRSIG
Resolver         validates signature or rejects

Frequently asked questions

Does DNSSEC encrypt DNS?

No. DNSSEC signs data for integrity. It does not encrypt queries or provide query privacy.

Do I need DNSSEC?

Optional for most sites. Required by some security policies. Enable only if you can maintain DS records correctly.

What is a DS record?

A record at the registrar that links the parent zone to the child zone DNSSEC keys.

Why does my domain fail only for some users with DNSSEC issues?

Some resolvers validate DNSSEC strictly and others do not, so the domain fails only for users behind validating resolvers.
