All posts
·7 min read·dns · dnssec · security

DNSSEC for people who don't run a registrar

DNSSEC explained in plain terms: what signing your DNS records actually protects, how to turn it on from your registrar dashboard, and the one mistake that takes sites offline.

DNSSEC has a reputation problem. The name sounds like infrastructure plumbing, the documentation reads like it was written for people who operate top-level domains, and most explanations start with key ceremonies and zone-signing algorithms. So most site owners file it under "not my job" and move on.

Here is the thing: whether DNSSEC is on for your domain is almost always your call, not your registrar's. It is usually a toggle in a dashboard you already log into. And whether it is on, off, or half-configured changes how vulnerable your visitors are to one specific, well-documented attack. This is DNSSEC explained for the person who owns a domain, not the person who runs a nameserver farm.

The problem DNSSEC solves

DNS was designed in the 1980s with no way to prove an answer is genuine. When a resolver asks "what is the IP for example.com?", it accepts whatever response arrives first and looks plausible. It has no way to check that the answer actually came from the nameserver it asked.

That gap enables cache poisoning: an attacker races the real nameserver, slips a forged answer to a resolver, and that resolver caches the lie. Everyone using that resolver now gets sent to the attacker's server when they type your domain. The address bar shows your domain. The site can be a pixel-perfect copy. Your visitors typed nothing wrong and clicked nothing suspicious, and they still ended up somewhere hostile.

DNSSEC closes that gap with signatures. Your DNS records get cryptographically signed, and validating resolvers check the signature before trusting the answer. A forged response fails validation and gets thrown away. The design is laid out in RFC 4033, and the short version is: DNS answers become verifiable instead of merely plausible.

What DNSSEC does not do

Clearing up the common confusions is half the battle, because DNSSEC gets blamed for things it never promised and credited for things it does not deliver.

It does not encrypt anything. DNSSEC signs answers so they can be verified; it does not hide them. Anyone watching the network can still see which domains get looked up. Privacy is a separate problem solved by DNS over HTTPS and DNS over TLS.

It is not a replacement for SSL. Your certificate proves the server you connected to holds the private key for your domain. DNSSEC proves the DNS answer that got the visitor to that server was not forged. They protect different steps of the same journey, and each covers a gap the other leaves open.

It does not make your site load faster or rank higher. There is no direct SEO reward. The payoff is that a class of redirection attack against your visitors stops working, and that your email authentication rests on DNS records that can be verified rather than merely trusted. SPF, DKIM, and DMARC all live in DNS; unsigned DNS is a soft spot underneath all three.

The chain of trust, briefly

You do not need the cryptographic details, but one concept matters because it explains every DNSSEC configuration step you will ever perform: the chain of trust.

Validation works top-down. The DNS root vouches for the .com zone, the .com zone vouches for your domain, and your domain's keys sign your records. The link between your domain and its parent zone is a small record called a DS record, which lives at your registrar and is essentially a fingerprint of your zone's signing key.

That is the whole mental model. Your DNS host signs your records and publishes the keys. Your registrar publishes the DS record that tells the world which key to trust. When those two agree, the chain is intact. When they disagree, things break, and they break in the worst possible direction, as covered below.

Turning it on when you don't run anything

The practical setup depends on one question: is your DNS hosted at the same company where you registered the domain?

Same company (the common case). If your registrar also runs your nameservers, DNSSEC is typically a single switch. Cloudflare, for example, generates the keys, signs the zone, and in many cases publishes the DS record automatically; their DNSSEC documentation walks through the whole flow. Many registrars offer the same one-click arrangement. You flip the toggle, wait for the parent zone to pick up the DS record, and you are signed.

Different companies. If you registered at one company but point your nameservers somewhere else, there is one manual handoff. Your DNS host generates the keys and gives you the DS record values. You paste those values into the DNSSEC section of your registrar's dashboard. That is the entire job: copy from the DNS host, paste at the registrar. Not sure who plays which role for your domain? A WHOIS lookup shows the registrar and the current DNSSEC delegation status, and the nameservers on record tell you who is actually answering queries.

Either way, no servers, no key ceremonies, no cron jobs. The providers handle signing and key rotation. Your part is a toggle or a copy-paste.

The one way DNSSEC bites you

DNSSEC fails closed. That is its most important operational property, and the one to respect.

If your signatures are broken, expired, or mismatched against the DS record at your registrar, validating resolvers do not quietly fall back to the unsigned answer. They return a failure, and your domain simply stops resolving for everyone behind those resolvers. Google's 8.8.8.8 and Cloudflare's 1.1.1.1 both validate, which together cover an enormous share of real-world lookups. A broken chain of trust looks like a total outage to most of the internet, while your own tests may still pass if your local resolver happens not to validate.

Nearly every real-world DNSSEC outage traces back to one scenario: changing DNS hosts without updating the DS record. You move your zone to a new provider, the new provider signs with its own keys, but your registrar still publishes the old provider's fingerprint. Chain broken, domain dark. The fix is procedural, not technical: when migrating DNS, either remove the DS record before the move and re-enable DNSSEC after, or update the DS record as part of the cutover checklist. If you have read our post on TTL planning during a migration, treat the DS record as one more item on that same checklist, with the same respect for caching delays.

This failure mode scares some people off entirely, which is the wrong lesson. Enabling DNSSEC on a stable domain is low-risk. The hazard is concentrated in migrations, and a checklist neutralizes it.

Checking where your domain stands

The uncomfortable part of DNSSEC is that both states of failure are silent. If it is off, nothing looks wrong; you are just carrying an unnecessary exposure. If it is misconfigured, your own browser may resolve the site fine while validating resolvers elsewhere return errors, so the outage is invisible from your desk.

The check has to come from outside. AcuityScan's DNS lookup queries your records against 20 global DNS resolvers, including the validating ones like Google and Cloudflare, so a domain that fails validation shows up as exactly what it is: resolving in some places and dead in others.

For the fuller picture, the free scan at acuityscan.com runs 350+ checks across 8 modules, and the DNS health module reports DNSSEC status alongside nameserver redundancy, TTL issues, and record-level problems. Signed, unsigned, or broken chain: it is a thirty-second check, and it is the difference between knowing your domain's answers can be verified and hoping nobody ever bothers to forge them.

Scan your own site

See what 350+ checks find on your domain.

Free, no signup, 60 seconds. Email auth · DNS · SSL · Performance · SEO · Accessibility · Privacy · Mobile.