DNS Basics | 2026-04-03 | 8 min read

What is DNSSEC?

Learn what DNSSEC is, what DNSKEY and DS records do, and why DNSSEC matters for DNS integrity.

What DNSSEC is

DNSSEC (Domain Name System Security Extensions) adds cryptographic validation to DNS so resolvers can verify that responses have not been altered.

It protects the integrity and authenticity of DNS data, but it does not encrypt DNS traffic.

Why DNSSEC exists

Traditional DNS does not include built-in mechanisms to verify that responses are genuine.

DNSSEC helps mitigate risks such as spoofed responses and certain cache poisoning attacks by allowing resolvers to validate a chain of trust.

How DNSSEC works in principle

DNSSEC works by signing DNS records with private keys and allowing resolvers to verify those signatures using public keys published in DNS.

Each zone signs its own data, and trust is established through a chain that links child zones to parent zones.

; Example flow
example.com. IN DNSKEY ...
example.com. IN RRSIG ...

; Parent zone
example.com. IN DS ...

Important record types

  • DNSKEY: publishes the public keys used to verify signatures (flags 257 marks a key-signing key, 256 a zone-signing key)
  • RRSIG: contains the cryptographic signature over a record set, together with the algorithm, key tag and validity window
  • DS: a digest of a child's DNSKEY, published in the parent zone, linking the child to the parent and forming the chain of trust

; Example records (key material abbreviated)
example.com. 3600 IN DNSKEY 257 3 8 AwEAAc...
example.com. 3600 IN RRSIG A 8 2 3600 ...
; the DS lives in the parent (.com) zone, not in example.com itself
example.com. 3600 IN DS 12345 8 2 ABCDEF...

The chain of trust

DNSSEC validation relies on a chain of trust starting from the root zone.

Each level (root → TLD → domain) validates the next using DS and DNSKEY records.

Root zone
  ↓ (DS)
.com
  ↓ (DS)
example.com
  ↓ (DNSKEY + RRSIG)
A / MX / other records

If any link in this chain is broken, validation will fail.

What to check in practice

A practical starting point is to confirm that DNSKEY records exist in the zone and that matching DS records exist at the parent level.

# Check DNSKEY
dig DNSKEY example.com

# Check DS at parent
dig DS example.com

# Validate with DNSSEC
dig +dnssec example.com

These checks help confirm that DNSSEC is present and that the chain of trust is likely intact. In the +dnssec response, the ad (authenticated data) flag shows that the resolver you queried validated the answer; it only appears if that resolver performs DNSSEC validation, so a missing ad flag does not by itself mean the zone is broken.

Why DNSSEC matters

DNSSEC helps ensure that users are directed to the correct destinations by preventing tampering with DNS responses.

It is particularly important for protecting critical infrastructure, authentication flows, and services that rely on DNS trust.

Common DNSSEC issues

  • DNSKEY present but DS missing at the parent
  • Mismatch between DS and DNSKEY records
  • Expired or invalid signatures (RRSIG)
  • Incorrect key rollovers
  • Enabling DNSSEC without fully understanding the chain of trust
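The DS/DNSKEY link described in the chain-of-trust section is a digest, so the "mismatch between DS and DNSKEY" issue above can be checked offline. The following is an added example, not code from the original article: it computes the RFC 4034 key tag and the SHA-256 DS digest (digest type 2) that a parent zone would publish for a DNSKEY, and compares it with a DS line. The DNSKEY key material ("AAECAw==") is a constructed placeholder, not a real key.

```python
import base64
import hashlib

# Constructed sample record: the base64 key is placeholder bytes 00 01 02 03, not a real key.
DNSKEY_LINE = "example.com. 3600 IN DNSKEY 257 3 8 AAECAw=="


def name_to_wire(name):
    """Owner name in DNS wire format: length-prefixed lowercase labels, terminated by a zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY line into (owner, flags, protocol, algorithm, key_bytes)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))  # key may be split over several fields
    return fields[0], flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA as it appears on the wire: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum of the RDATA with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line):
    """Return (key_tag, algorithm, digest_type, digest_hex) for the SHA-256 DS of this DNSKEY.

    The digest covers the owner name in wire format followed by the DNSKEY RDATA.
    """
    owner, flags, proto, alg, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, 2, digest


def ds_matches(ds_line, dnskey_line):
    """True if a presentation-format DS line is the SHA-256 DS of the given DNSKEY; False means a broken link."""
    fields = ds_line.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    digest = "".join(fields[idx + 4:]).upper()
    if dtype != 2:
        return False  # only digest type 2 (SHA-256) is handled in this example
    return (tag, alg, dtype, digest) == ds_from_dnskey(dnskey_line)
```

Feed it the DNSKEY from `dig DNSKEY example.com` and the DS from `dig DS example.com` to confirm that the parent's DS really points at the key the zone publishes.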
