DNSSEC Test

Check if a domain has DNSSEC enabled and valid

Enter a domain to check its DNSSEC configuration (DNSKEY, DS, RRSIG records).

Quick Answer

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS responses, allowing resolvers to verify that records have not been tampered with in transit. A properly configured domain publishes a DNSKEY record containing its public key, a DS record at the parent zone establishing a chain of trust, and RRSIG signatures on every resource record set. If any link in this chain is missing or invalid, DNSSEC-validating resolvers will refuse to resolve the domain, protecting users from DNS spoofing and cache poisoning attacks.
Article Summary: This article explains what DNSSEC is, how the chain of trust works from root zone to your domain, and what each DNSSEC record type does. It also walks through the most common reasons DNSSEC validation fails and how to fix them, making it an essential reference for anyone deploying or auditing DNS security.

What Is DNSSEC?

DNSSEC (DNS Security Extensions), defined in RFC 4033, is a suite of specifications that extends the DNS protocol with public-key cryptography. Without DNSSEC, DNS responses carry no authentication whatsoever — a malicious actor positioned between a resolver and an authoritative nameserver can forge any DNS response and redirect users to fraudulent servers. This attack is known as DNS spoofing or DNS cache poisoning.

DNSSEC solves this by having zone operators cryptographically sign every resource record set (RRset) in their zone. Validating resolvers — such as Cloudflare 1.1.1.1, Google 8.8.8.8, and Quad9 9.9.9.9 — check these signatures before returning results to clients. If a signature is missing, expired, or does not match, the resolver withholds the answer and returns SERVFAIL instead, indicating that the zone's integrity cannot be verified.

How It Works

Zone Signing and Key Types

DNSSEC uses two classes of keys. The Zone Signing Key (ZSK) signs the individual record sets within the zone, such as A records, MX records, and TXT records. The Key Signing Key (KSK) signs only the DNSKEY record set itself, providing an extra layer of security — the KSK is used infrequently and can be kept offline or in a hardware security module. Both keys are published in the zone as DNSKEY records, and the corresponding RRSIG signatures are published alongside every record set they protect.

The Chain of Trust

DNSSEC's security model depends on a chain of trust that begins at the DNS root zone (signed by ICANN) and extends downward through every delegated zone. When a parent zone — for example, the .com registry — delegates a child zone, it publishes a DS (Delegation Signer) record containing a hash of the child zone's KSK. A validating resolver can therefore confirm the child's DNSKEY by checking that its hash matches the DS record in the parent zone, which is itself signed and trusted. This chain continues all the way from the root to your domain.

Authenticated Denial of Existence

A challenge for DNSSEC is proving that a record does not exist without allowing an attacker to inject false negative responses. This is handled by NSEC and NSEC3 records. NSEC records list the next existing name in the zone alphabetically, creating a provable gap. NSEC3 is a privacy-preserving variant that uses hashed names rather than plaintext, making it harder to enumerate the full contents of a zone.

Common Use Cases

Verifying DNSSEC Before and After Going Live

Pre-Launch DNSSEC Audit

When a registrar or DNS hosting provider enables DNSSEC for a domain, it is critical to verify that all three core record types — DNSKEY, DS, and RRSIG — are present and consistent before announcing the change publicly. A missing or mismatched DS record at the parent zone will cause the domain to fail validation for all DNSSEC-validating resolvers worldwide, effectively making the domain unreachable for a significant portion of internet users.

Diagnosing DNSSEC Failures After DNS Migration

Broken Chain After Nameserver Change

One of the most common and severe DNS misconfigurations occurs when a domain owner changes their DNS hosting provider without first removing the existing DS record from the parent zone. The new nameservers generate different DNSSEC keys, so the old DS record no longer matches, breaking the chain of trust. This DNSSEC test tool instantly identifies whether DNSKEY, DS, and RRSIG records are present and consistent, allowing you to pinpoint exactly which part of the chain is broken.
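The delegation check behind the chain of trust and the stale-DS failure described above, as an added example that is not part of the original page or the test tool: it rebuilds the DS digest and key tag from a DNSKEY record (RFC 4034), so a DS left at the registry after a provider change shows up as a mismatch against the new key. The DNSKEY line and its key bytes are constructed placeholders, not a real key.

```python
"""Check that the child zone's DNSKEY matches the DS at the parent (added example, not from the page).
DS digest per RFC 4034 section 5.1.4 (digest type 2 = SHA-256); key tag per RFC 4034 appendix B."""
import base64
import hashlib
import struct

# Constructed sample in dig presentation format: flags 257 (KSK, SEP bit), protocol 3,
# algorithm 13 (ECDSAP256SHA256). The 64 key bytes are a placeholder pattern, not a real key.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()

def parse_dnskey(line: str) -> tuple:
    """Return (owner, flags, protocol, algorithm, public key bytes) from a DNSKEY line."""
    f = line.split()
    if len(f) < 8 or f[3] != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    return f[0], int(f[4]), int(f[5]), int(f[6]), base64.b64decode("".join(f[7:]))

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, then the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag (every algorithm except 1): 16-bit word sum, carry folded in."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> dict:
    """The DS the parent should publish: SHA-256 over (owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}

def ds_matches_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                      pubkey: bytes, ds: dict) -> bool:
    """The resolver's check at the delegation point: recompute the DS and compare all four fields."""
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey)
    return all(expected[k] == (ds[k].upper() if k == "digest" else ds[k]) for k in expected)

if __name__ == "__main__":
    owner, flags, proto, alg, key = parse_dnskey(SAMPLE_DNSKEY)
    ds = ds_from_dnskey(owner, flags, proto, alg, key)
    print(f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    # A new provider generated a fresh key but the old DS stayed at the registry: chain broken.
    print("stale DS matches rolled key?", ds_matches_dnskey(owner, flags, proto, alg, bytes(range(1, 65)), ds))
```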

Compliance and Security Auditing

Government and Financial Sector Requirements

Many regulatory frameworks and government agencies require DNSSEC deployment for domains handling sensitive data. The US federal government's HTTPS-Only Standard and related mandates require DNSSEC on .gov domains. Financial institutions and healthcare organizations increasingly treat DNSSEC as a baseline security control alongside DMARC, MTA-STS, and certificate transparency. This tool provides instant validation to support periodic compliance audits.

Technical Reference

| Record | Role | Where It Lives | Contains |
| --- | --- | --- | --- |
| DNSKEY | Publishes the zone's public signing keys (ZSK and KSK) | Child zone (your domain) | Flags, protocol, algorithm, and Base64-encoded public key |
| DS | Delegation Signer — links the parent zone's trust to the child's KSK | Parent zone (e.g., .com registry) | Key tag, algorithm, digest type, and hash of the child's KSK |
| RRSIG | Cryptographic signature over a record set (RRset) | Child zone, alongside every signed RRset | Type covered, algorithm, labels, TTL, expiration, inception, key tag, and signature |
| NSEC | Authenticated denial of existence using sorted plaintext names | Child zone | Next owner name in zone order and bitmap of existing record types |
| NSEC3 | Privacy-preserving authenticated denial using hashed names | Child zone | Hash algorithm, flags, iterations, salt, hashed next owner, and type bitmap |
| CDS | Child-published DS record used for automated KSK rollover signaling | Child zone | Same fields as DS; signals desired parent DS update to the registry |
| CDNSKEY | Child-published DNSKEY for automated trust anchor signaling | Child zone | Same fields as DNSKEY; used alongside CDS for automated rollover |

Frequently Asked Questions

What is DNSSEC?

DNSSEC is a set of extensions to the DNS protocol that uses public-key cryptography to authenticate DNS responses. It allows resolvers to verify that the A record, MX record, or other data they received from a nameserver has not been altered in transit. DNSSEC does not encrypt DNS traffic — it authenticates it. For encrypted DNS transport, separate protocols such as DNS over HTTPS (DoH) and DNS over TLS (DoT) are used.

Is DNSSEC required?

DNSSEC is not universally required, but it is strongly recommended for any domain handling sensitive operations. It is mandatory for .gov domains in the United States and many country-code TLDs (ccTLDs) require or incentivize it. For commercial domains, DNSSEC significantly raises the bar against DNS cache poisoning attacks and is increasingly expected as a baseline security control by enterprise security teams and compliance auditors.

Why does my domain fail DNSSEC validation?

The most common causes of DNSSEC validation failure are: (1) a missing or stale DS record in the parent zone — typically after a DNS hosting migration where the old DS was not removed before switching; (2) expired RRSIG signatures, which happen when the zone signing process fails or is paused; and (3) a key mismatch between the DNSKEY in the child zone and the DS hash in the parent zone. This tool identifies which records are present and which are missing, helping you pinpoint the exact failure.
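Cause (2) above, checked the way a validating resolver checks it, as an added example that is not part of the original page or the tool: it parses RRSIG presentation lines and reports whether each signature's inception-to-expiration window contains the current time. The three RRSIG lines and their signature fields are constructed, and the clock is fixed so the output is reproducible.

```python
"""Flag expired or not-yet-valid RRSIGs from dig-style presentation text (added example, not from the page).
Validity window per RFC 4034 section 3.1.5, compared as datetimes (32-bit wraparound is not modelled)."""
from datetime import datetime, timezone

# Constructed sample, in the shape `dig +dnssec` prints. The signature fields are placeholders.
SAMPLE_RRSIGS = """\
example.com. 3600 IN RRSIG A 13 2 3600 20240315000000 20240301000000 59409 example.com. PLACEHOLDER==
www.example.com. 3600 IN RRSIG A 13 3 3600 1710460800 1709251200 59409 example.com. PLACEHOLDER==
example.com. 3600 IN RRSIG MX 13 2 3600 20240228000000 20240201000000 59409 example.com. PLACEHOLDER==
"""

def parse_time(field: str) -> datetime:
    """RFC 4034 section 3.2: YYYYMMDDHHmmSS in UTC, or decimal seconds since the Unix epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsig(line: str) -> dict:
    """Split one RRSIG presentation line into its named fields (RFC 4034 section 3.2 order)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]), "labels": int(f[6]),
            "original_ttl": int(f[7]), "expiration": parse_time(f[8]), "inception": parse_time(f[9]),
            "key_tag": int(f[10]), "signer": f[11], "signature": "".join(f[12:])}

def validity_status(sig: dict, now: datetime) -> str:
    """'valid' only when inception <= now <= expiration; otherwise name the side that failed."""
    if now < sig["inception"]:
        return "not yet valid"
    if now > sig["expiration"]:
        return "expired"
    return "valid"

def audit_rrsigs(text: str, now: datetime) -> list:
    """Return (owner, type covered, status, expiration) for every RRSIG line in the text."""
    report = []
    for line in text.splitlines():
        if line.strip():
            sig = parse_rrsig(line)
            report.append((sig["owner"], sig["type_covered"], validity_status(sig, now), sig["expiration"]))
    return report

if __name__ == "__main__":
    now = datetime(2024, 3, 10, tzinfo=timezone.utc)  # fixed clock so the output is reproducible
    for owner, rtype, status, exp in audit_rrsigs(SAMPLE_RRSIGS, now):
        print(f"{owner:20} {rtype:4} {status:14} expires {exp:%Y-%m-%d %H:%M:%S}Z")
```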

What is the chain of trust in DNSSEC?

The chain of trust is the hierarchical sequence of cryptographic verifications that allows a resolver to trust a DNSSEC-signed response without having prior knowledge of the zone's keys. It starts with the DNS root zone's trust anchor (a public key distributed to all validating resolvers), then uses DS records at each delegation point to verify the child zone's DNSKEY, and finally uses RRSIG records to verify individual resource record sets. If any link in this chain is broken, the entire chain fails and the zone is considered bogus.

Conclusion and Takeaways

DNSSEC is one of the most important and most frequently misconfigured aspects of DNS. A broken chain of trust can make a domain completely unreachable for millions of users on validating resolvers. The DNSSEC Test tool gives you instant visibility into whether your DNSKEY, DS, and RRSIG records are present and correctly configured, without needing to run complex command-line validation tools. Use it after any DNS migration, before going live with a new domain, and as part of regular security audits.

Ready to Test Your DNSSEC Configuration?

Use the DNSSEC Test tool above — no login required, instant chain-of-trust validation.