DNSSEC (Domain Name System Security Extensions)

DNSSEC explained.

Overview

What is DNSSEC?

DNSSEC adds cryptographic signatures to DNS records to protect against DNS spoofing and cache poisoning attacks. It creates a chain of trust from the root DNS zone down to your domain.

Importance

Why it matters.

Without DNSSEC, attackers can redirect your domain to malicious servers by poisoning DNS caches. This can lead to phishing attacks, data theft, and loss of trust. DNSSEC ensures that DNS responses are authentic and haven't been tampered with.

Risks

What can go wrong.

If DNSSEC is not properly configured, attackers can hijack your DNS, redirect traffic to malicious sites, intercept emails, and compromise your entire domain infrastructure. Improper DNSSEC setup can also cause DNS resolution failures.

Under the hood

Technical details.

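DNSSEC uses public-key cryptography. The root zone publishes DNSKEY records (its public keys), and RRSIG records carry the signatures made with those keys. At each delegation (root → TLD → domain), the parent zone publishes a DS (Delegation Signer) record holding a digest of the child zone's DNSKEY, which links the chain together. The domain must publish DNSKEY records and RRSIG records covering all of its DNS record types.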

Take action

Check your domain’s DNSSEC status.

Run a free security check to see how your domain scores across all sixteen checks, including DNSSEC validation.