DNSSEC: How Domain Name Security Works



The classic Domain Name System (DNS) is one of the key components of how the Internet works. However, in its basic form DNS does not have a mechanism to verify the authenticity of data. To solve this problem, DNSSEC (Domain Name System Security Extensions) was developed — a set of extensions to DNS that add integrity and authenticity checks.

What is DNSSEC

DNSSEC is a set of cryptographic extensions to DNS that allow you to:

  • Verify the authenticity of records (source validation);
  • Protect against forged or tampered responses (integrity protection);
  • Build a trusted chain from the DNS root to a specific domain.

The principle of operation is based on digital signatures. Each DNS record is signed with a private key. The client (resolver) receives not only the value but also a cryptographic signature, which can be verified using the public key stored in the parent zone.

How DNSSEC Works

Put very simply, using my real domain ostrich.kyiv.ua as the example, the process looks like this:

  • Key creation. A key pair is generated for the domain:
    • KSK (Key Signing Key) — signs the keys;
    • ZSK (Zone Signing Key) — signs the records in the zone.
  • Zone signing. All records (A, MX, TXT, etc.) are signed using the ZSK.
  • Public key delegation. The hash of the public key (DS record) is published in the parent zone (for example, in .ua for the .com.ua domain).
  • Chain of trust. When a resolver receives a response, it verifies the signature, and then checks whether the key is trusted through the chain from the DNS root.

As a result, the user can be confident that the received DNS data is genuine and has not been tampered with.

Example of Use

Suppose a user visits my website. Without DNSSEC, a hacker could spoof a DNS response and redirect them to a phishing site. With DNSSEC, the browser (via the resolver) will only receive signed records, and if the signature does not match, the response will be rejected. Thus, the user will only reach the legitimate server.

DNSSEC Settings

The registrar of my domain name is a local provider that recently added DNSSEC to their services. I decided to use this opportunity and configure it. Since the registrar is not Cloudflare but my local provider, the configuration must be applied on the registrar’s side. However, the data itself is obtained from Cloudflare because my DNS records are hosted there.

Enabling the feature is quite simple. In the Cloudflare panel, go to DNS → Settings → DNSSEC → Enable.

A window will display all the necessary information for activation in your domain registrar’s control panel, with a warning:
“To enable DNSSEC you will need to add this DS record to your registrar. Most registrars will ask for only a few of the fields below. We have instructions for common registrars.”

My registrar requires filling in only 4 fields:

  • Key tag
  • Algorithm
  • Digest type
  • Digest

Literally within a few minutes, the DNSSEC status changes to “Success! ostrich.kyiv.ua is protected with DNSSEC.”
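To show where those four registrar fields come from, here is an added Python example (not code from the post or from Cloudflare) that builds a DS record from a DNSKEY the way RFC 4034 defines it: the key tag is a 16-bit checksum over the DNSKEY RDATA, and the digest (type 2 = SHA-256) is taken over the owner name in wire form followed by that RDATA. The DNSKEY values are constructed placeholders, not ostrich.kyiv.ua's real key.

```python
import hashlib
import struct

# Constructed sample DNSKEY (NOT a real key): flags 257 = KSK, protocol 3,
# algorithm 13 = ECDSA P-256 with SHA-256, and a 64-byte public key of 0x01
# bytes standing in for the uncompressed P-256 point a provider would publish.
SAMPLE_OWNER = "ostrich.kyiv.ua."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_PUBKEY = bytes([0x01]) * 64


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format RDATA of a DNSKEY record (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum of the RDATA as 16-bit words, folded to 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical (lowercase) wire form of an owner name: length-prefixed labels, root = 0x00."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return the four values a registrar asks for: key tag, algorithm, digest type, digest."""
    if digest_type != 2:
        raise ValueError("this example only implements digest type 2 (SHA-256)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
```

If you compute the DS yourself from the DNSKEY your provider publishes, the key tag and digest must match the values shown in the provider's panel before you submit them to the registrar; a mismatch in any of the four fields breaks the chain of trust and makes the zone fail validation.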

Verification

To check whether the changes have actually been applied, it is enough to run the following command in the terminal, which queries Cloudflare's public resolver (1.1.1.1) directly:

dig +dnssec ostrich.kyiv.ua @1.1.1.1

The expected result is an additional line in the output with an RRSIG record:

ostrich.kyiv.ua.        300     IN      RRSIG   A 13 3 300 20250926095050 20250924075050 34505 ostrich.kyiv.ua. IQE6axVd6YMeHnyXC2zW9ELt9P+6ZNzuhPbWQ4BqRnAtAGkQtIA7ETiE k/079aSTNqHk+fnnKidHU3Jp5pdORQ==

This record consists of the following parameters:

  • A — The signature covers A (IPv4) records.
  • 13 — Signature algorithm. 13 = ECDSA Curve P-256 with SHA-256 (a modern algorithm, used by Cloudflare by default).
  • 3 — Number of labels in the domain name (for ostrich.kyiv.ua → 3: ostrich, kyiv, ua).
  • 300 — Original TTL in seconds of the signed record set at signing time; the resolver needs it to rebuild the signed data for verification, and it caps how long the signature may be cached.
  • 20250926095050 — Signature expiration time (UTC, format YYYYMMDDHHMMSS). Here → September 26, 2025, 09:50:50 UTC.
  • 20250924075050 — Signature inception time (UTC). Here → September 24, 2025, 07:50:50 UTC. (The signature is valid only within this time interval.)
  • 34505 — The DNSKEY key tag used for signing. The resolver looks for the DNSKEY with this tag to validate the signature.
  • ostrich.kyiv.ua. — The domain name of the signer.
  • IQE6axVd6YM… — The actual cryptographic signature (base64). Used together with DNSKEY to verify authenticity.
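As an added example (not part of the original post), the following Python parses the dig RRSIG line above into the fields just described and runs the pre-cryptographic checks a validating resolver performs: validity window, label count against the owner name, signer name, and whether a DNSKEY with the stated key tag exists. The set of DNSKEY key tags and the "current time" are assumed inputs; the line itself is copied from the output shown above.

```python
import base64
from datetime import datetime, timezone

# The RRSIG line from the dig output above (dig wraps the base64 signature across whitespace).
RRSIG_LINE = ("ostrich.kyiv.ua.        300     IN      RRSIG   A 13 3 300 20250926095050 "
              "20250924075050 34505 ostrich.kyiv.ua. IQE6axVd6YMeHnyXC2zW9ELt9P+6ZNzuhPbWQ4BqRnAtAGkQtIA7ETiE "
              "k/079aSTNqHk+fnnKidHU3Jp5pdORQ==")


def ts(s):
    """YYYYMMDDHHMMSS as printed by dig (always UTC) to an aware datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one dig RRSIG line into its RDATA fields (RFC 4034 section 3.1)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG line")
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "original_ttl": int(f[7]), "expiration": ts(f[8]),
        "inception": ts(f[9]), "key_tag": int(f[10]), "signer": f[11],
        "signature": base64.b64decode("".join(f[12:])),  # rejoin the wrapped base64
    }


def check_rrsig(sig, now, dnskey_tags):
    """Return the problems a validator would find before doing any ECDSA math.
    An empty list means the signature is a candidate for cryptographic verification."""
    problems = []
    if not sig["inception"] <= now <= sig["expiration"]:
        problems.append("outside validity window")
    owner, signer = sig["owner"].lower(), sig["signer"].lower()
    if sig["labels"] > len(owner.rstrip(".").split(".")):
        problems.append("labels field exceeds owner name label count")
    if not (owner == signer or owner.endswith("." + signer)):
        problems.append("signer is not the owner or a parent of it")
    if sig["key_tag"] not in dnskey_tags:
        problems.append(f"no DNSKEY with key tag {sig['key_tag']}")
    return problems


if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_LINE)
    # Assumed inputs: the zone's DNSKEY tags as seen in a DNSKEY query, and the current time.
    print(check_rrsig(sig, datetime.now(timezone.utc), {34505}) or "ok: ready to verify")
```

A signature that fails the window check is the most common real-world failure: if the signer stops re-signing, every record expires at once, so monitoring the expiration field is a cheap early warning.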

Thus, just a few minutes after applying the changes, additional DNS protection can be obtained.

There is also the dnssec-analyzer web tool, which visually shows whether validation of the domain is working correctly at every step of the chain.

Conclusion

DNSSEC is an important step toward improving Internet security. It does not replace HTTPS or VPN, but it makes DNS names more trustworthy.
For website owners, enabling DNSSEC is a way to demonstrate care for visitors’ security and readiness for future standards (such as DANE).
If your DNS provider supports DNSSEC (for example, Cloudflare), it is strongly recommended to enable it.