The problem: DNS is not secure by default
DNS (the Domain Name System) is the Internet's directory: it translates human-readable names (your-site.com) into the numerical IP addresses computers actually connect to (93.184.216.34). Without protection, this system is vulnerable to DNS spoofing, most often carried out as DNS cache poisoning: an attacker forges DNS responses so that a resolver caches, and then serves, a wrong IP address, redirecting visitors to a fake site even though they typed the correct name.
This type of attack is particularly insidious because it is invisible to the user: the URL in the address bar looks correct, only the destination IP address has been changed behind the scenes.
How DNSSEC works: the chain of trust
DNSSEC (DNS Security Extensions) adds a digital signature to each set of DNS records: the signature is produced with a private key that only the zone operator holds and can be checked by anyone with the published public key. Trust relies on a hierarchy:
- The DNS Root, managed by ICANN (Internet Corporation for Assigned Names and Numbers, the international body managing Internet resources), signs the TLDs: the root zone publishes and signs a DS record for each TLD's key
- The TLD (Top-Level Domain, like .com, .fr, .org) signs your domain the same way, by publishing a DS record for your key
- Your domain publishes its own public keys (DNSKEY) and signed records (RRSIG)
- Validating DNS resolvers (the servers that answer clients' DNS queries) check the entire chain, from the root's public key down to the signature on your record, before returning a response; a response that fails validation is discarded and the client gets SERVFAIL instead of a forged answer
DNSSEC records to know
- DNSKEY: contains the public keys of your DNS zone. The ZSK (Zone Signing Key) signs the zone's regular records; the KSK (Key Signing Key) signs the DNSKEY set itself, including the ZSK, and is the key the parent's DS record refers to.
- RRSIG (Resource Record Signature): the cryptographic signature attached to each set of records sharing a name and type (an RRset). Every RRSIG carries validity dates, so signatures must be regenerated before they expire or the zone fails validation.
- DS (Delegation Signer): a hash (SHA-256 in current practice) of your KSK, published in the parent zone by the TLD registry, creating the trust link between levels. It is the only part of your DNSSEC setup that lives outside your zone, and it must be updated whenever you replace the KSK.
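The chain of trust and the three record types above come together in one computation: the parent derives the DS from the child's KSK, and a validating resolver recomputes the same value to check that the DNSKEY it received is the one the parent committed to. The script below, added here as an example and not code from TheSiteFuse, performs that derivation with the standard library only (RFC 4034 key tag and SHA-256 digest). The DNSKEY it uses is constructed: algorithm 13 (ECDSA P-256) expects a 64-byte public key, and the bytes 0..63 are a placeholder, not a real key.

```python
"""Derive a DS record from a DNSKEY as the parent zone does (RFC 4034 section 5
and Appendix B), then run the DS-to-DNSKEY check a validating resolver performs.

ASSUMPTION: the DNSKEY here is constructed for illustration. The 64-byte value
bytes(range(64)) is a placeholder, not a real ECDSA P-256 key.
"""
import base64
import hashlib
import struct

OWNER = "example.com."
PLACEHOLDER_PUBKEY = bytes(range(64))          # constructed, not a real key
TAMPERED_PUBKEY = bytes(range(63)) + b"\xff"   # same key with its last byte changed


def dnskey_line(owner: str, flags: int, algorithm: int, pubkey: bytes) -> str:
    """Zone-file presentation of a DNSKEY: flags 257 = KSK (SEP bit set), 256 = ZSK."""
    return f"{owner} 3600 IN DNSKEY {flags} 3 {algorithm} {base64.b64encode(pubkey).decode()}"


CONSTRUCTED_KSK = dnskey_line(OWNER, 257, 13, PLACEHOLDER_PUBKEY)
TAMPERED_KSK = dnskey_line(OWNER, 257, 13, TAMPERED_PUBKEY)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """Split a full DNSKEY line (as printed by `dig DNSKEY name`, without +short)."""
    fields = line.split()
    owner = fields[0]
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # dig may wrap base64 across spaces
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return owner, flags, algorithm, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to select a key, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(line: str) -> str:
    """DS RDATA for a DNSKEY: key tag, algorithm, digest type 2 (SHA-256) of owner || RDATA."""
    owner, _flags, algorithm, rdata = parse_dnskey(line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def ds_matches(ds_rdata: str, line: str) -> bool:
    """The resolver's check: does the DS from the parent commit to this child DNSKEY?"""
    return ds_rdata.split() == make_ds(line).split()


if __name__ == "__main__":
    ds = make_ds(CONSTRUCTED_KSK)
    print(f"{OWNER} IN DS {ds}")  # the record the registrar hands to the TLD registry
    print("genuine key accepted:", ds_matches(ds, CONSTRUCTED_KSK))  # True
    print("tampered key accepted:", ds_matches(ds, TAMPERED_KSK))    # False
```

Feed make_ds the full record line from `dig DNSKEY your-domain.com` (the owner name is part of the hashed input, so `+short` output is not enough). The last two lines show why the DS is the hinge of the whole chain: a DNSKEY that differs by a single byte produces a different key tag and digest, so a forged key cannot be validated against the DS held by the parent.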
Enable DNSSEC at your registrar
Your registrar is the company where you purchased your domain name (OVH, Gandi, Ionos, Hostinger…). DNSSEC activation is usually just a few clicks in their interface:
- Enable DNSSEC in your registrar's DNS management panel
- If the registrar also hosts your DNS zone, it generates the keys, signs the zone and publishes the DNSKEY and DS records itself. If your zone is hosted elsewhere (a CDN, a cloud DNS service, your own servers), enable signing at the DNS host first, then paste the DS record it gives you into the registrar's interface; the registrar forwards it to the TLD registry
- The new records take effect as caches expire, typically within a few hours and at most 48 hours. Do not change DNS hosts or delete keys during that window: a DS that points to a key your zone no longer publishes makes the whole domain fail validation, and validating resolvers will answer SERVFAIL for every name in it
Verify DNSSEC is active
# DNSKEY records served by your zone (flags 257 = KSK, 256 = ZSK)
dig DNSKEY your-domain.com +short
# DS record published in the parent (TLD) zone, fetched through a validating resolver
dig DS your-domain.com @8.8.8.8 +short
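Seeing DNSKEY and DS records tells you the pieces are published, not that a resolver actually accepts the chain. The check that settles it is the one `dig +dnssec` performs: send a query with the DO (DNSSEC OK) bit set and read the AD (Authenticated Data) flag in the answer. The script below, added here as an example and not code from TheSiteFuse, builds that query by hand with the standard library and classifies the resolver's answer; the resolver address is an assumption, and any validating resolver will do.

```python
"""Ask a validating resolver for a name with the DO bit set and read the AD flag
in its reply (what `dig +dnssec` shows as `flags: ... ad`). Standard library only.

ASSUMPTION: 8.8.8.8 is used as the validating resolver; the transaction ID is fixed
for the sake of the example (a production client would randomize it).
"""
import socket
import struct

RESOLVER = ("8.8.8.8", 53)
TXID = 0x1234


def name_to_wire(name: str) -> bytes:
    """Wire form of a name: length-prefixed labels terminated by the root label."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """Standard query (RD set) plus an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    question = name_to_wire(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size 4096,
    # TTL field = extended rcode 0 | version 0 | flags 0x8000 (DO), RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(resp: bytes, expected_id: int = TXID) -> dict:
    """Pull the flags a DNSSEC check cares about out of the 12-byte DNS header."""
    txid, flags, *_ = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    return {
        "qr": bool(flags & 0x8000),     # response bit
        "ad": bool(flags & 0x0020),     # Authenticated Data: resolver validated the chain
        "rcode": flags & 0x000F,        # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
    }


def classify(resp: bytes, expected_id: int = TXID) -> str:
    """secure = validated; insecure = no DNSSEC (or resolver does not validate);
    servfail = validation failed or the resolver had another problem."""
    h = parse_header(resp, expected_id)
    if h["rcode"] == 2:
        return "servfail"
    return "secure" if h["ad"] else "insecure"


def check(name: str, resolver=RESOLVER) -> str:
    """Send the query over UDP and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name), resolver)
        resp, _ = s.recvfrom(4096)
    return classify(resp)


if __name__ == "__main__":
    import sys
    print(check(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Two caveats when reading the result. "insecure" means the resolver found no chain of trust, which is the expected answer for an unsigned domain but also for a resolver that does not validate at all, so use a resolver known to validate (both public resolvers named on this page do). "servfail" is what a broken chain looks like to users (a DS pointing at a retired key, an expired RRSIG), but it is also what any resolver outage looks like; repeat the query with the CD (Checking Disabled) bit set, as `dig +cd` does, and if that one succeeds the failure is DNSSEC validation, not the resolver.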
DNSSEC does not encrypt: an important nuance
DNSSEC guarantees the authenticity and integrity of DNS responses (they come from the zone owner and have not been tampered with) but does not encrypt them: anyone on the path can still read which names you look up. Encrypting the query itself is the job of DoH (DNS over HTTPS) and DoT (DNS over TLS), which protect the hop between a client and its resolver. The two are complementary: DoH and DoT hide the transport, while DNSSEC lets the resolver prove that the data it returns is genuine, whatever path it took.
Check your DNS configuration
TheSiteFuse verifies DNSSEC presence and validity on your domain by querying the Google (8.8.8.8) and Cloudflare (1.1.1.1) public resolvers directly. Run a free audit for a complete assessment of your DNS configuration.