Guide

DNSSEC, explained — and how to enable it

DNSSEC signs your DNS so answers can't be forged in transit — protecting your mail and website from redirection.

Check your DNSSEC status

What it is

DNSSEC (DNS Security Extensions) cryptographically signs your DNS records so that resolvers can verify the answers really came from you and weren't tampered with along the way. It's enabled at your DNS host, which generates the signing keys; a matching DS record placed at your registrar links you into the global chain of trust.

Why it matters

Without DNSSEC, DNS answers can be forged (cache poisoning), potentially pointing your website or mail servers at an attacker's infrastructure.

DNSSEC guarantees the authenticity and integrity of your DNS — a foundational layer beneath SPF, DKIM and everything else that relies on DNS.

How to set it up

  1. 1Enable DNSSEC in your DNS provider's control panel — it generates the keys and signs your zone automatically.
  2. 2Copy the DS record (or key details) it produces and add it at your domain registrar.
  3. 3Allow time for the chain of trust to validate globally — this can take up to 24–48 hours.

Record structure & options

DNSSEC cryptographically signs your DNS so answers can't be forged in transit. It's toggled on at your DNS provider, which generates the keys; a matching DS record at your registrar completes the chain of trust.

Where it lives
at your DNS host (DNSKEY in your zone) + a DS record at your registrar
Example
DS  12345 13 2  49FD...  (published at your registrar)
Options
DNSKEY
The public signing key(s) published in your zone.
DS
A digest of your key, published at the parent (your registrar) — this links you into the global chain of trust.
RRSIG
The signatures automatically attached to your records.

Unlike the others, you don't hand-craft this record — enable DNSSEC in your DNS host and paste the DS record at your registrar.

Common problems

My DNS host and registrar are different companies.
That's fine — enable DNSSEC at the DNS host, then paste the DS record it gives you into the registrar. The two just need to be kept in sync.
Enabling DNSSEC broke my DNS.
Usually a mismatched or stale DS record at the registrar. If the DS doesn't match the live signing key, resolvers reject everything. Remove the DS record, fix it, and re-add.
Do I need to renew or rotate anything?
Most managed DNS providers handle key rollover automatically. If you self-manage, you'll need to roll keys periodically and update the DS record.

Check it — then keep it healthy

Run a free scan now, or let DomainHealthPro monitor it continuously and alert you the moment it breaks.

More guides