To enable DNSSEC, turn on signing at your DNS host (or sign the zone with your own keys), copy the DS record fingerprints to your domain registrar, and verify with a DNSSEC validator. Mistakes can make your domain unreachable for validating resolvers — test carefully.
DNSSEC adds cryptographic signatures to DNS responses so resolvers can detect forged or tampered answers. It is an advanced hardening step separate from email authentication (SPF/DKIM/DMARC) but valuable for high-assurance domains.
Check your website
See how your site handles how to enable dnssec — free, no account needed.
Business impact
DNS hijacking and cache poisoning can redirect your customers to fake sites without touching your server. DNSSEC lets validating resolvers cryptographically verify that DNS answers are authentic — a strong signal for security-conscious enterprises and a defence-in-depth layer for brand protection.
Why this happens
DNSSEC works by signing DNS records in your zone with a Zone Signing Key (ZSK) and anchoring trust via a Key Signing Key (KSK) published as a DS record at your registrar. Validating resolvers follow the chain from root → TLD → your domain. If the DS record at the registrar does not match your DNS host's keys, the domain fails validation for DNSSEC-aware clients. Most managed DNS providers (Cloudflare, Route 53, Google Cloud DNS) offer one-click signing.
How to confirm the issue
Manually: use DNSViz or Verisign DNSSEC Analyzer on your domain. Unsigned zones show no authentication chain; broken DNSSEC shows validation errors.
With Plexa Trust: DNSSEC is a defence-in-depth control. After enabling, re-scan to see improved DNS security posture alongside your other findings.
Step-by-step fix
Confirm your DNS host supports DNSSEC (Cloudflare, Route 53, many registrars do).
Enable DNSSEC signing in the DNS provider panel — note the DS record values produced.
Log in to your domain registrar and add the DS records exactly as provided.
Wait for propagation; validate with DNSViz or an online DNSSEC checker.
Set calendar reminders for KSK rollover before key expiry (typically annual).
Monitor — broken DNSSEC is worse than no DNSSEC for validating resolvers.
Platform-specific fixes
Cloudflare
DNS → Settings → Enable DNSSEC.
Copy the DS record details shown (key tag, algorithm, digest type, digest).
Add DS records at your registrar (not Cloudflare if registrar is elsewhere).
Cloudflare handles signing and key rotation automatically.
AWS Route 53
Hosted zone → DNSSEC signing → Enable.
Create a KMS key for signing if prompted.
Add the DS record chain to your registrar using the values Route 53 provides.
GoDaddy / registrars with integrated DNS
Some registrars offer one-click DNSSEC when DNS is hosted with them.
Enable in domain settings → DNSSEC; they may auto-publish DS records.
If DNS is external, add DS only at registrar from your DNS host's output.
Self-hosted BIND
Generate ZSK and KSK with dnssec-keygen; sign the zone with dnssec-signzone.
Publish DS records at registrar from the KSK.
Automate re-signing before signatures expire (max TTL in zone).
How to verify the fix
Use your DNS provider's managed DNSSEC when available — manual key rollover is error-prone.
Validate with external tools before considering the rollout complete.
Document DS record values and key rollover dates.
Do not enable DNSSEC at both registrar DNS and external DNS without understanding the chain.
Common mistakes
Adding wrong DS records at the registrar — breaks validation globally.
Letting signatures expire without automated re-signing (self-hosted BIND).
Enabling DNSSEC then moving DNS hosts without updating DS records.
Assuming DNSSEC replaces HTTPS or email authentication — it does not.
Frequently asked questions
Is DNSSEC required?
No, but recommended for domains where DNS integrity is critical. Many sites operate without it; validating resolvers are a subset of all users.
Does DNSSEC encrypt DNS?
No. DNSSEC signs responses for authenticity; DNS-over-HTTPS/TLS encrypts transport. They solve different problems.
Can DNSSEC break my site?
Yes, if DS records are wrong or signatures expire. Validating resolvers will fail to resolve your domain.
Is DNSSEC the same as SPF/DMARC?
No. SPF/DKIM/DMARC authenticate email. DNSSEC authenticates DNS answers. Both improve trust but address different layers.
Do all browsers require DNSSEC?
Most browsers do not validate DNSSEC directly — resolvers do. Impact depends on ISP/recursor validation policies.
What is a DS record?
A delegation signer record at your registrar linking your domain to your zone's signing key — the trust anchor for the chain.
How often must I rotate keys?
Depends on your setup. Managed providers often rotate automatically. Self-hosted: plan KSK rollover annually or per your policy.
How do I verify DNSSEC works?
Use DNSViz, Verisign DNSSEC Analyzer, or dig +dnssec. A green validation chain means success.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan