What is DNSSEC?

DNSSEC (DNS Security Extensions) adds a layer of cryptographic signatures to the Domain Name System so that resolvers can verify a DNS answer really came from the domain owner and was not altered in transit. Plain DNS has no built-in way to prove an answer is genuine, which is exactly the gap DNSSEC was designed to close.

What DNSSEC is

The Domain Name System was designed in an era of implicit trust, so a plain DNS response carries no proof of where it came from. An attacker who can inject a forged answer into the resolution path can send users to a server they control without ever touching the real domain. DNSSEC closes that hole by signing DNS records with public-key cryptography.

With DNSSEC enabled, the owner of a zone signs each record set, and a validating resolver checks those signatures before trusting the answer. If a signature does not verify, the resolver treats the response as bogus, discards it, and returns an error (SERVFAIL) to the client rather than handing out a possibly forged address. The result is that users can be confident an answer for example.com was signed with the keys published for example.com, not injected by a third party along the way.

How DNSSEC works: the chain of trust

DNSSEC introduces several new record types that work together to build a verifiable chain from the root of DNS down to your zone:

  • DNSKEY records publish the public keys used to sign a zone. A zone-signing key (ZSK, flags 256) signs the records, and a key-signing key (KSK, flags 257) signs the DNSKEY set itself, so only the KSK has to be referenced from the parent.
  • RRSIG records are the actual cryptographic signatures attached to each record set, such as the signature covering all of a name's A records. Each RRSIG carries an inception and an expiration time, so a signature is only valid for a limited window.
  • DS records live in the parent zone and contain a digest (hash) of your key-signing key's DNSKEY record, together with its key tag and algorithm. They link your zone to the one above it.
  • NSEC or NSEC3 records give a signed proof that a name or record type does not exist, so a forged "no such domain" answer is rejected as well.

Validation flows downward. The root zone's key-signing key is trusted via a trust anchor built into the resolver; the root vouches for the TLD by publishing and signing the TLD's DS record; the TLD vouches for your domain by publishing and signing your DS record; your key-signing key, which must match that DS, signs your DNSKEY set; and your zone-signing key's RRSIG then validates the record you asked for. Each parent signs a digest of the key of the zone below it, forming an unbroken chain of trust. Break any link, for instance a DS in the parent that no longer matches any published key-signing key, and validation fails for that zone and everything beneath it.
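To make that walk concrete, here is an added example written for this page (it is not ZoneWatcher's code) that performs the DS-to-DNSKEY half of validation with the Python standard library only: it parses DNSKEY records in the format dig prints, computes the key tag and the DS digest the parent must publish, and walks a constructed chain of root, com. and example.com., once healthy and once with a stale DS left behind at the parent after a key rollover. The zone names, the tiny filler "keys" and every DS record are constructed for the example; RRSIG signatures are not verified here, because that needs a public-key library.

```python
import base64
import hashlib
import struct
from collections import namedtuple

# Constructed sample: a hypothetical chain ". -> com. -> example.com." with one KSK
# (flags 257) and one ZSK (256) per zone.  The base64 "keys" are a few filler bytes,
# not real key material, so every DS below is computed rather than pasted in.
SAMPLE_DNSKEYS = [
    ".            172800 IN DNSKEY 257 3 8 AwEAAQ==",
    ".            172800 IN DNSKEY 256 3 8 AwEABA==",
    "com.          86400 IN DNSKEY 257 3 8 AwEAAw==",
    "com.          86400 IN DNSKEY 256 3 8 AwEABg==",
    "example.com.   3600 IN DNSKEY 257 3 13 AwEABQ==",
    "example.com.   3600 IN DNSKEY 256 3 13 AwEACA==",
]
ZONES = [".", "com.", "example.com."]                   # root first, as validation proceeds
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}     # DS digest types (RFC 4509, RFC 6605)

DnsKey = namedtuple("DnsKey", "owner flags protocol algorithm pubkey")
Ds = namedtuple("Ds", "owner key_tag algorithm digest_type digest")

def parse_dnskey(line: str) -> DnsKey:
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' as printed by dig."""
    tok = line.split()
    i = tok.index("DNSKEY")
    return DnsKey(tok[0].lower(), int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3]),
                  base64.b64decode("".join(tok[i + 4:])))

def rdata(key: DnsKey) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.pubkey

def is_ksk(key: DnsKey) -> bool:
    return bool(key.flags & 1)          # SEP bit set; 257 = ZONE (256) + SEP (1)

def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase, uncompressed."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def key_tag(key: DnsKey) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum of the RDATA, not a hash."""
    ac = 0
    for i, b in enumerate(rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(key: DnsKey, digest_type: int = 2) -> Ds:
    """The DS a parent publishes for this key: digest(canonical owner name | RDATA)."""
    h = hashlib.new(DIGEST_ALGS[digest_type], canonical_name(key.owner) + rdata(key))
    return Ds(key.owner, key_tag(key), key.algorithm, digest_type, h.hexdigest().upper())

def ds_matches(ds: Ds, key: DnsKey) -> bool:
    """True if this DS was derived from this DNSKEY: owner, algorithm, tag and digest agree."""
    return (ds.owner == key.owner and ds.algorithm == key.algorithm
            and ds.key_tag == key_tag(key)
            and ds.digest.upper() == make_ds(key, ds.digest_type).digest)

def validate_chain(trust_anchor: Ds, zones, dnskeys, ds_records):
    """Walk the chain root-first; return (ok, report), stopping at the first broken link."""
    report = []
    for zone in zones:
        if zone == ".":
            candidates = [trust_anchor]     # the root has no parent: the resolver's anchor
        else:
            candidates = [d for d in ds_records if d.owner == zone]
        ksks = [k for k in dnskeys if k.owner == zone and is_ksk(k)]
        matched = [(d, k) for d in candidates for k in ksks if ds_matches(d, k)]
        if not matched:
            report.append(f"{zone} BROKEN: DS tags {[d.key_tag for d in candidates]} "
                          f"match none of the KSK tags {[key_tag(k) for k in ksks]}")
            return False, report            # this zone and everything below it is bogus
        report.append(f"{zone} ok: DS {matched[0][0].key_tag} matches a published KSK")
    return True, report

def demo():
    """A healthy chain, then the same chain with a stale DS left behind at the registrar."""
    keys = [parse_dnskey(line) for line in SAMPLE_DNSKEYS]
    ksk = {k.owner: k for k in keys if is_ksk(k)}
    anchor = make_ds(ksk["."])              # what a resolver ships as its root trust anchor
    good_ds = [make_ds(ksk["com."]), make_ds(ksk["example.com."])]
    healthy = validate_chain(anchor, ZONES, keys, good_ds)
    # Botched rollover: example.com rotated its KSK, but the parent still publishes the
    # DS of the retired key (another constructed filler key).
    retired = parse_dnskey("example.com. 3600 IN DNSKEY 257 3 13 AwEACQ==")
    broken = validate_chain(anchor, ZONES, keys, [good_ds[0], make_ds(retired)])
    return healthy, broken

if __name__ == "__main__":
    for ok, report in demo():
        print("VALID" if ok else "BOGUS", *report, sep="\n  ")
```

Running it prints a VALID report with one line per zone, then a BOGUS report that stops at example.com. because the parent's DS no longer matches any published key-signing key. Real DS records are produced the same way (for example by `dnssec-dsfromkey`), so `make_ds` applied to the KSK from `dig DNSKEY` and compared against `dig DS` at the parent is the check to run before and after any rollover.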

What DNSSEC protects against

The headline threat DNSSEC defeats is the forged answer. In a DNS spoofing or cache poisoning attack, an attacker races to inject a fake response so a resolver caches a malicious address and hands it to every user who asks. Because the forged record cannot carry a valid signature, a validating resolver rejects it outright.

This matters because cache poisoning is high leverage: one poisoned entry can redirect many users at once until the cached value expires. DNSSEC removes that attack surface for any resolver that validates signatures.

Limitations of DNSSEC

DNSSEC is a focused tool, and it is important to understand what it does not do:

  • It is authentication, not encryption. DNSSEC proves an answer is genuine but does nothing to hide which domains you look up; queries and responses still travel in the clear. For privacy you need encrypted transport such as DNS over TLS or DNS over HTTPS.
  • It does not stop account compromise. If an attacker gains access to your registrar or DNS provider, they can change records and re-sign the zone. The signatures will be valid because the change is authoritative.
  • It does not protect the last mile by default. Validation usually happens at the recursive resolver, which only tells the client that the answer validated (the AD bit), so the short hop between your device and a trusted resolver still relies on other protections, such as an encrypted connection to that resolver or validating on the device itself.
  • Operational mistakes cause outages. An expired signature, a DS record that no longer matches any published key, or a botched key rollover makes the zone bogus, and validating resolvers return SERVFAIL for every name in it until the problem is fixed.

Enabling and monitoring DNSSEC

Turning DNSSEC on is usually a two-step process: enable signing at your DNS provider, then publish the matching DS record at your registrar so the parent zone points to your key. The DS must correspond exactly to your key-signing key: same key tag, same algorithm, and a digest computed over your DNSKEY record. Once both halves agree, validating resolvers begin enforcing your signatures.

Because a lapsed signature or a missing DS record breaks resolution for everyone, DNSSEC needs ongoing oversight rather than a one-time setup. ZoneWatcher's DNSSEC monitor continuously checks that your zone stays correctly signed and that the chain of trust is intact, and ZoneWatcher alerts you the moment signatures break or disappear so you can fix it before users see failures.
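As an added example (not ZoneWatcher's code or the page's own), the check below classifies a zone's RRSIG records, in the presentation format that `dig +dnssec` prints, against the failure modes just described: a signature that has expired or is about to, one whose inception lies in the future (clock skew or a pre-published signature), and one made with a key that is no longer in the DNSKEY set after a rollover. The sample records, the set of current key tags and the fixed "now" are all constructed for the example; in practice the tags come from `dig DNSKEY` and "now" is the wall clock.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample for a hypothetical zone; the trailing base64 is filler, not a
# real signature.  Fields after RRSIG: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature (RFC 4034 section 3.2).
SAMPLE_RRSIGS = [
    "example.com.      3600 IN RRSIG A   13 2 3600 20240320000000 20240306000000 1812 example.com. c29tZS1zaWc=",
    "www.example.com.  3600 IN RRSIG A   13 3 3600 20240309120000 20240224120000 1812 example.com. c29tZS1zaWc=",
    "mail.example.com. 3600 IN RRSIG MX  13 3 3600 20240301000000 20240216000000 1812 example.com. c29tZS1zaWc=",
    "example.com.      3600 IN RRSIG SOA 13 2 3600 20240320000000 20240306000000 4123 example.com. c29tZS1zaWc=",
    "example.com.      3600 IN RRSIG NS  13 2 3600 20240401000000 20240318000000 1812 example.com. c29tZS1zaWc=",
]
CURRENT_KEY_TAGS = {1812, 47632}                    # constructed: the zone's live DNSKEY tags
NOW = datetime(2024, 3, 8, tzinfo=timezone.utc)     # fixed "now" so the run is reproducible

def sig_time(field: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC, or a plain count of seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG line as printed by dig into its named fields."""
    tok = line.split()
    f = tok[tok.index("RRSIG") + 1:]
    return {"owner": tok[0], "type": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "orig_ttl": int(f[3]), "expiration": sig_time(f[4]), "inception": sig_time(f[5]),
            "key_tag": int(f[6]), "signer": f[7], "signature": "".join(f[8:])}

def classify(sig: dict, now: datetime, current_key_tags, warn_before=timedelta(days=3)) -> str:
    """Order matters: a signature outside its validity window is bogus whatever key signed it."""
    if sig["inception"] > now:
        return "NOT_YET_VALID"
    if sig["expiration"] <= now:
        return "EXPIRED"
    if sig["key_tag"] not in current_key_tags:
        return "UNKNOWN_KEY"       # signed by a key that is gone from the DNSKEY set
    if sig["expiration"] - now <= warn_before:
        return "EXPIRING"         # still valid, but re-signing is overdue
    return "OK"

def audit(lines, now=NOW, current_key_tags=CURRENT_KEY_TAGS, warn_before=timedelta(days=3)):
    """Return one (owner, type, status, seconds_until_expiry) tuple per RRSIG."""
    results = []
    for line in lines:
        sig = parse_rrsig(line)
        status = classify(sig, now, current_key_tags, warn_before)
        results.append((sig["owner"], sig["type"], status,
                        int((sig["expiration"] - now).total_seconds())))
    return results

def needs_alert(results) -> bool:
    """Anything other than OK should page someone; EXPIRING is the early warning."""
    return any(status != "OK" for _, _, status, _ in results)

if __name__ == "__main__":
    findings = audit(SAMPLE_RRSIGS)
    for owner, rtype, status, secs in findings:
        print(f"{status:14} {owner:20} {rtype:4} expires in {secs / 86400:6.1f} days")
    print("ALERT" if needs_alert(findings) else "all signatures healthy")
```

The warning threshold should be set from your re-signing schedule: if the signer refreshes signatures some days before expiry, an RRSIG that gets within that window without being refreshed means the signing job has stopped, and you want to know before the window closes and resolvers start returning SERVFAIL.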

Never miss a DNS change again.
Start monitoring in minutes.