DNSSEC
A set of extensions to DNS that provide cryptographic authentication of DNS data, preventing spoofing and cache poisoning.
What is DNSSEC?
DNSSEC (DNS Security Extensions) is a set of specifications that add cryptographic signatures to DNS records so that resolvers can verify a response actually came from the authoritative zone and was not modified in transit. Plain DNS has no built-in authentication: a resolver accepts whatever answer arrives first, which is exactly the weakness that cache poisoning and on-path spoofing exploit. DNSSEC closes that gap by signing each record set with a private key and publishing the matching public key in the zone, letting resolvers validate the answer against a chain of trust rooted at the DNS root zone. Note that DNSSEC authenticates data integrity and origin — it does not encrypt your queries (that is the job of DNS-over-HTTPS or DNS-over-TLS).
Why it matters
If an attacker can forge a DNS response for your domain, they can silently redirect users and mail to infrastructure they control — enabling phishing, credential theft, traffic interception, and fraudulent TLS certificate issuance via domain-validation hijacking. DNSSEC makes those forged answers fail validation. It is one layer of a broader DNS hygiene posture that also includes DMARC, SPF, DKIM, and CAA records; see our DNS security checklist for how these fit together.
How it works
- Each record set (A, MX, TXT, etc.) is signed, producing an RRSIG record.
- The signing public keys are published as DNSKEY records, typically split into a Key Signing Key (KSK) and a Zone Signing Key (ZSK).
- A hash of the KSK is placed in the parent zone as a DS record (for example, the .com registry holds the DS record for your domain), linking each zone to the one above it.
- A validating resolver walks this chain from the signed root down to your zone; if any signature is missing, expired, or mismatched, it returns SERVFAIL instead of a forged answer.
A concrete example
Suppose login.example.com resolves to your real IP. Without DNSSEC, an attacker poisoning a resolver could substitute their own IP, and users would see no warning. With DNSSEC, the forged response lacks a valid RRSIG that chains to the DS record in .com, so a validating resolver rejects it. The flip side: DNSSEC must be operated carefully — an expired RRSIG or a stale DS record after a key rollover causes legitimate lookups to fail, taking the domain effectively offline.
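As an added illustration of the DS link described in "How it works" and the stale-DS failure above (this is example code written for this page, not FortWatch's scanner or any library's API), the following derives the key tag and SHA-256 DS digest from a DNSKEY as RFC 4034 specifies and compares the result with what the parent zone holds. The keys and the example.com owner name are constructed sample data, not real zone material.

```python
import base64
import hashlib

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Serialise a DNSKEY's RDATA in wire format: flags | protocol | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner-name || DNSKEY RDATA, as the parent zone stores it."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()

def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> tuple:
    """The DS tuple (key tag, algorithm, digest type, digest) the parent should publish for this KSK."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata), algorithm, 2, ds_digest(owner, rdata))

def chain_intact(owner: str, dnskeys: list, parent_ds_set: list) -> bool:
    """True if at least one published KSK (flags 257 = ZONE + SEP) matches a DS the parent holds."""
    published = {ds_record(owner, *k) for k in dnskeys if k[0] == 257}
    return any(ds in published for ds in parent_ds_set)

# Constructed keys: not real DNSSEC keys, just 64 bytes each so the wire format is realistic for alg 13.
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
ZSK = (256, 3, 13, base64.b64encode(bytes(range(128, 192))).decode())

def stale_ds_example() -> tuple:
    """Zone rolled its KSK, but the parent still holds the DS of OLD_KSK: the chain is broken."""
    parent_ds = [ds_record("example.com.", *OLD_KSK)]
    before = chain_intact("example.com.", [OLD_KSK, ZSK], parent_ds)  # True
    after = chain_intact("example.com.", [NEW_KSK, ZSK], parent_ds)   # False: stale DS after rollover
    return before, after

if __name__ == "__main__":
    print(stale_ds_example())
```

In practice the DNSKEY set comes from your zone and the DS set from a query to the parent; the comparison itself is the same.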
On your external attack surface
DNSSEC status is publicly observable: anyone can query for DNSKEY and DS records, and the absence of a valid chain tells attackers your domain is susceptible to spoofing. FortWatch's DNS scanner inspects your zones as part of DNS monitoring, checks whether DNSSEC is enabled and whether the DS record in the parent zone matches your published keys, and flags broken or incomplete chains alongside other DNS findings such as missing email authentication and dangling records. Each finding gets a severity and AI remediation guidance, so a misconfiguration like a stale DS record surfaces before it causes an outage or enables an attack. You can also inspect your own records anytime with our DNS lookup tool.