Guide
DNSSEC, explained — and how to enable it
DNSSEC signs your DNS so answers can't be forged in transit — protecting your mail and website from redirection.
Check your DNSSEC status →What it is
DNSSEC (DNS Security Extensions) cryptographically signs your DNS records so that resolvers can verify the answers really came from you and weren't tampered with along the way. It's enabled at your DNS host, which generates the signing keys; a matching DS record placed at your registrar links you into the global chain of trust.
Why it matters
Without DNSSEC, DNS answers can be forged (cache poisoning), potentially pointing your website or mail servers at an attacker's infrastructure.
DNSSEC guarantees the authenticity and integrity of your DNS — a foundational layer beneath SPF, DKIM and everything else that relies on DNS.
How to set it up
- 1Enable DNSSEC in your DNS provider's control panel — it generates the keys and signs your zone automatically.
- 2Copy the DS record (or key details) it produces and add it at your domain registrar.
- 3Allow time for the chain of trust to validate globally — this can take up to 24–48 hours.
Record structure & options
DNSSEC cryptographically signs your DNS so answers can't be forged in transit. It's toggled on at your DNS provider, which generates the keys; a matching DS record at your registrar completes the chain of trust.
DS 12345 13 2 49FD... (published at your registrar)
- DNSKEY
- The public signing key(s) published in your zone.
- DS
- A digest of your key, published at the parent (your registrar) — this links you into the global chain of trust.
- RRSIG
- The signatures automatically attached to your records.
Unlike the others, you don't hand-craft this record — enable DNSSEC in your DNS host and paste the DS record at your registrar.
Common problems
- My DNS host and registrar are different companies.
- That's fine — enable DNSSEC at the DNS host, then paste the DS record it gives you into the registrar. The two just need to be kept in sync.
- Enabling DNSSEC broke my DNS.
- Usually a mismatched or stale DS record at the registrar. If the DS doesn't match the live signing key, resolvers reject everything. Remove the DS record, fix it, and re-add.
- Do I need to renew or rotate anything?
- Most managed DNS providers handle key rollover automatically. If you self-manage, you'll need to roll keys periodically and update the DS record.
Check it — then keep it healthy
Run a free scan now, or let DomainHealthPro monitor it continuously and alert you the moment it breaks.