DNSSEC (Domain Name System Security Extensions) adds digital signatures to your DNS records so that anyone looking up your domain can verify the answer really came from you — and wasn't forged along the way. Plain DNS has no such protection, which is why DNSSEC exists.
The problem DNSSEC solves
When someone visits your site, their computer asks the DNS system "what's the IP address for this domain?" Without DNSSEC, that answer can be forged. Two classic attacks exploit this:
- DNS spoofing — an attacker returns a fake answer, pointing your visitors to a server they control.
- Cache poisoning — a forged record gets stored in a resolver's cache and served to many users at once.
The result is the same: people typing your correct domain end up on an attacker's page — for phishing, malware or interception — with nothing visibly wrong.
How DNSSEC works (briefly)
DNSSEC signs each set of DNS records with the zone's private key. Resolvers verify the signature against the zone's public key, and a chain of trust links each zone to its parent (via the DS record the parent publishes) all the way up to the root zone. If a record has been tampered with, the signature won't validate and the resolver rejects it. The "authenticated data" (AD) flag in a DNS response is the validating resolver's signal that validation succeeded; a resolver that doesn't validate never sets it, whether or not the domain is signed.
How to check if DNSSEC is enabled
You can query your domain through a validating resolver and look for the AD flag in the response (a resolver that doesn't validate never sets it, so a missing flag on its own tells you about the resolver, not the domain), or run a free scan that checks it for you. Many domains — including plenty of business sites — have never enabled DNSSEC, so don't assume it's on.
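As an added example (not code from the original post), here is a minimal Python client for the check just described: it builds an A query with the EDNS0 "DNSSEC OK" (DO) bit set, sends it over UDP, and classifies the reply by its header flags. The function names, the default resolver (Cloudflare's 1.1.1.1, assumed here to be a validating resolver) and the sample response bytes are all assumptions or constructed for the example.

```python
"""Query a domain with the DO bit set and report whether the resolver validated it."""
import secrets
import socket
import struct
from typing import Optional


def build_query(name: str, qtype: int = 1, txn_id: Optional[int] = None) -> bytes:
    """Build a DNS query (RD=1) with an EDNS0 OPT record carrying the DO bit (RFC 4035)."""
    if txn_id is None:
        txn_id = secrets.randbelow(65536)
    # Header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, TYPE 41, UDP payload 4096, ext-RCODE 0, version 0,
    # flags 0x8000 = DO bit ("send me RRSIGs, I understand DNSSEC"), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_flags(response: bytes) -> dict:
    """Decode the header flag bits of a DNS message (RFC 1035 layout, AD/CD from RFC 4035)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txn_id,
        "qr": bool(flags & 0x8000),     # 1 = this is a response
        "tc": bool(flags & 0x0200),     # truncated; retry over TCP in a real client
        "ra": bool(flags & 0x0080),     # recursion available
        "ad": bool(flags & 0x0020),     # Authenticated Data: the resolver validated DNSSEC
        "cd": bool(flags & 0x0010),     # Checking Disabled (echoed from the query)
        "rcode": flags & 0x000F,        # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, ...
        "ancount": an,
    }


def dnssec_status(response: bytes, query_id: int) -> str:
    """Classify a reply: 'validated', 'unvalidated', 'servfail', 'rcode-N' or 'invalid'."""
    f = parse_flags(response)
    if f["id"] != query_id or not f["qr"]:
        return "invalid"            # not a reply to the query we sent
    if f["rcode"] == 2:
        return "servfail"           # a validating resolver answers this way for a broken chain
    if f["rcode"] != 0:
        return f"rcode-{f['rcode']}"
    return "validated" if f["ad"] else "unvalidated"


def check(name: str, resolver: str = "1.1.1.1", timeout: float = 3.0) -> str:
    """Send the query to a (hopefully validating) resolver and classify the reply. Needs network."""
    qid = secrets.randbelow(65536)
    query = build_query(name, txn_id=qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return dnssec_status(data, qid)


if __name__ == "__main__":
    import sys
    print(check(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it as `python3 dnssec_check.py yourdomain.example`. Read the result with the resolver in mind: "validated" means this resolver verified the chain; "unvalidated" means either the zone is unsigned or the resolver you asked does not validate, so repeat the query against a resolver you know validates before drawing a conclusion; "servfail" from a validating resolver usually means the zone is signed but the chain is broken (for example a DS record that no longer matches the DNSKEY), which is an outage for every validating client, not a pass.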
How to enable DNSSEC
It's usually a single toggle at your DNS provider or registrar. Modern providers like Cloudflare can enable it with one click and manage the keys for you. If your DNS is in one place and your registrar in another, you may need to copy a DS record between them — your provider's docs will walk you through it.
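The DS record mentioned above is what ties your zone into the chain of trust: it is a hash of your provider's DNSKEY that the parent zone publishes, so a DS at the registrar that was not derived from the DNSKEY currently in your zone breaks validation for everyone. As an added example (not code from the original post or from any provider), the following Python derives a DS record from a DNSKEY exactly as RFC 4034 specifies and checks that a published DS matches, so you can confirm the two sides agree before and after enabling DNSSEC. The sample DNSKEY (a 4-byte placeholder key body under algorithm 13) and the function names are constructed for the example; a real key body is longer, but the derivation is the same.

```python
"""Derive a DS record from a DNSKEY and verify that a published DS matches it (RFC 4034)."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (legacy), 2 = SHA-256 (RFC 4509), 4 = SHA-384
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, terminated by the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(presentation: str):
    """Parse 'flags protocol algorithm base64...' (the key may be split across tokens)."""
    fields = presentation.split()
    flags, protocol, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    pubkey = base64.b64decode("".join(fields[3:]))
    return flags, protocol, algorithm, pubkey


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    return DIGEST_ALGOS[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, dnskey_presentation: str, digest_type: int = 2) -> str:
    """The DS RDATA ('tag algorithm digesttype hex') a registrar should hold for this DNSKEY."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_presentation)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def ds_matches(owner: str, dnskey_presentation: str, ds_presentation: str) -> bool:
    """True only if the published DS was derived from this DNSKEY (tag, algorithm and digest)."""
    fields = ds_presentation.split()
    tag, algorithm, digest_type = int(fields[0]), int(fields[1]), int(fields[2])
    digest = "".join(fields[3:]).upper()
    if digest_type not in DIGEST_ALGOS:
        return False  # unknown digest type: treat as not verifiable rather than as a match
    flags, protocol, key_alg, pubkey = parse_dnskey(dnskey_presentation)
    rdata = dnskey_rdata(flags, protocol, key_alg, pubkey)
    return (tag == key_tag(rdata) and algorithm == key_alg
            and digest == ds_digest(owner, rdata, digest_type))


# Constructed sample: a KSK (flags 257, protocol 3) labelled algorithm 13 (ECDSA P-256)
# with a placeholder 4-byte key body; real keys are 64 bytes for this algorithm.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 AQIDBA=="

if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds}")
    print("published DS matches DNSKEY:", ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
```

In practice you paste the DNSKEY with flags 257 (the key-signing key) from your DNS provider into `ds_record` and compare the output with what the registrar shows, or feed both into `ds_matches`. Repeat the comparison whenever the provider rolls its key: a stale DS is the most common way a domain that "has DNSSEC enabled" ends up failing validation.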
Is DNSSEC enough on its own?
No single control is. DNSSEC protects the integrity of your DNS, but you still need HTTPS, SPF, DKIM and DMARC, and clean security headers. The quickest way to see where your domain stands across all of these is a single passive scan.