DNSSEC Explained: Securing the Domain Name System

Learn how DNSSEC uses cryptographic signatures to protect DNS responses from tampering and prevent cache poisoning attacks.

Why DNS Needs Security

Standard DNS has no built-in authentication. When your resolver queries a nameserver, it has no way to verify that the response is genuine. This vulnerability enables:

  • Cache poisoning — An attacker injects forged records into a resolver's cache, redirecting users to malicious sites.
  • Man-in-the-middle attacks — Intercepting and modifying DNS responses in transit.
  • DNS spoofing — Forging responses to redirect traffic.

What DNSSEC Does

DNSSEC (DNS Security Extensions) adds a layer of cryptographic verification to DNS. It does not encrypt queries — it signs responses so resolvers can verify their authenticity.

The chain works like this:

Root zone (.) signs a DS record → vouches for the .com zone's key
.com zone signs a DS record → vouches for the example.com zone's key
example.com zone signs an RRSIG → covers the A record for www.example.com

Key Record Types

Record      Purpose
RRSIG       Cryptographic signature over a DNS record set (RRset)
DNSKEY      Public key used to verify RRSIG signatures
DS          Delegation Signer: hash of the child zone's key, published and signed in the parent zone
NSEC/NSEC3  Proves that a name does NOT exist (authenticated denial of existence)

How Validation Works

  1. Your resolver requests www.example.com.
  2. The authoritative server returns the A record plus its RRSIG signature.
  3. The resolver fetches the DNSKEY record set for example.com and verifies the RRSIG with that public key.
  4. The resolver fetches the DS record for example.com from the .com zone and checks that its digest matches example.com's key; the DS itself is covered by an RRSIG made with .com's key.
  5. The chain continues up to the root zone, whose public key is configured in the resolver as a trust anchor.
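Step 4 is the link that joins one zone's keys to the next, so it is worth seeing exactly what is compared. The following Python is an added example, not code from the original article: it takes a DNSKEY in the presentation form dig prints, derives the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (digest type 2, RFC 4509) over the canonical owner name plus the DNSKEY RDATA, and checks them against a DS record. The key material is constructed for illustration and is not example.com's real key.

```python
import base64
import hashlib

DS_DIGEST_SHA256 = 2  # DS digest type 2 (RFC 4509)

def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parse_dnskey(presentation: str) -> bytes:
    """Turn 'flags protocol algorithm base64...' (as dig prints it) into DNSKEY RDATA."""
    fields = presentation.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))  # base64 may be split across spaces
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: the number DS and RRSIG records carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest = SHA-256(owner name in wire form || DNSKEY RDATA), hex encoded."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def ds_matches(owner: str, rdata: bytes, ds: str) -> bool:
    """Check a child DNSKEY against a parent DS in presentation form
    ('keytag algorithm digesttype digest'). Key tag, algorithm and digest
    must all agree; a mismatch anywhere breaks the chain of trust."""
    tag, alg, dtype, digest = ds.split()
    if int(dtype) != DS_DIGEST_SHA256:
        raise ValueError("only DS digest type 2 (SHA-256) is handled here")
    return (key_tag(rdata) == int(tag)
            and rdata[3] == int(alg)
            and ds_digest(owner, rdata) == digest.lower())

# Constructed sample key (not example.com's real key): 257 = KSK flags, protocol 3, RSA/SHA-256 (8).
SAMPLE_DNSKEY = "257 3 8 AwEAAavN7xI="
SAMPLE_RDATA = parse_dnskey(SAMPLE_DNSKEY)
# The DS record the parent (.com) would have to publish for this key.
SAMPLE_DS = f"{key_tag(SAMPLE_RDATA)} 8 2 {ds_digest('example.com.', SAMPLE_RDATA)}"

if __name__ == "__main__":
    print("DS for sample key:", SAMPLE_DS)
    print("matches:", ds_matches("example.com.", SAMPLE_RDATA, SAMPLE_DS))
```

Feed it a real zone's `dig +short example.com DNSKEY` line and the parent's `dig +short example.com DS` line to check that the two actually link up; a stale DS after a key rollover is the classic cause of the SERVFAIL mentioned under Limitations.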

Checking DNSSEC Status

# Query with DNSSEC records included (RRSIGs appear alongside the answer)
dig +dnssec example.com A
# When the resolver you ask validates, the header also shows the "ad" (authenticated data) flag

# Check whether the zone publishes keys
dig +short example.com DNSKEY
# Non-empty output = the zone is signed; the parent must also publish a matching DS for it to validate

# Verify the full chain of trust from the root down
delv example.com A
# On success delv prints "; fully validated" before the answer

Limitations

  • DNSSEC does not encrypt DNS queries — use DoH or DoT for that.
  • Misconfigured DNSSEC can cause resolution failures (SERVFAIL).
  • Not all domains have DNSSEC enabled — adoption is growing but incomplete.
  • NSEC records can be walked to enumerate every name in a zone (NSEC3 mitigates this by hashing the names).

See Also