DNSSEC (DNS Security Extensions)
Definition
DNSSEC (DNS Security Extensions) is a set of RFC standards (RFC 4033, 4034, 4035) that add cryptographic authentication to DNS responses. Zone owners sign their DNS records with digital signatures, and a validating resolver checks those signatures so that forged or tampered DNS data is detected and discarded rather than accepted.
DNSSEC does not encrypt DNS queries (that is the job of DoH/DoT). It ensures that the DNS data you receive is what the zone owner published and has not been altered in transit or in a cache.
How DNSSEC Works
Root Zone (.)                TLD Zone (.com)               Domain Zone (example.com)
     │                            │                               │
     │ publishes DS for .com KSK  │ publishes DS for example.com  │
     │ (signed with root key)     │ KSK (signed with .com key)    │
     │───────────────────────────▶│──────────────────────────────▶│
     │                            │                               │
     ▼                            ▼                               ▼
 DNSKEY + RRSIG              DNSKEY + RRSIG                 DNSKEY + RRSIG
                                                            (sign the zone's records)
Trust chain: Root → .com → example.com
(chain of trust via DS records; each parent vouches for its child's KSK)
DNSSEC Components
| Record | Purpose |
|---|---|
| DNSKEY | Public key for the zone (flags 256 = ZSK, 257 = KSK) |
| RRSIG | Signature over one RRset, made with the zone's private key; carries the signer name, key tag and validity window |
| DS (Delegation Signer) | Hash of the child zone's KSK, published in the parent zone; this is the link that extends the chain of trust downward |
| NSEC | Authenticated denial of existence: names the next existing owner in the zone, proving nothing lies between (this also enables zone walking) |
| NSEC3 | NSEC with hashed owner names (RFC 5155); makes zone enumeration harder, but not impossible, since the hashes can be attacked offline |
| CDNSKEY | Child DNSKEY: published by the child zone to tell the parent which DNSKEY to derive the new DS from (RFC 7344) |
| CDS | Child DS: published by the child zone to tell the parent which DS record to install, enabling automated KSK rollover (RFC 7344) |
DNSSEC Trust Chain
Root zone (trust anchor)
└── DS record → .com zone
└── DS record → example.com zone
└── DNSKEY + RRSIG → DNS records for example.com
The resolver validates the chain from the root (trust anchor) down to the queried domain. A response whose chain validates end to end is SECURE. If the parent holds no DS for a zone, that zone is unsigned and its answers are INSECURE (accepted, but unauthenticated). If a DS or RRSIG is present but does not verify, for example because the data was tampered with or the signatures expired, the answer is BOGUS and a validating resolver returns SERVFAIL instead of the data.
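The delegation step described above, and the DS row of the components table, come down to one hash comparison: the parent publishes a digest of the child's KSK, and the validator recomputes that digest from the DNSKEY the child serves. The following is an added example (not code from the page or from any DNS implementation) that builds a DS record from a DNSKEY and checks it the way a validating resolver does at a delegation point, following RFC 4034 section 5.1.4 and Appendix B, with the SHA-256 digest type from RFC 4509. The DNSKEY is a constructed placeholder with a 4-byte public key so the key-tag arithmetic can be followed by hand; `example.com.` is used as the owner name.

```python
"""Build the DS record for a zone's KSK and check it as a validator would.
Added example; the sample key below is constructed, not a real zone key."""
import base64
import hashlib
import hmac
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256 (mandatory), 4 = SHA-384.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7: set on every key that may sign the zone
SEP_FLAG = 0x0001       # DNSKEY flags bit 15: marks a KSK (257 = ZONE_KEY | SEP)


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int      # always 3
    algorithm: int     # 8 = RSASHA256, 13 = ECDSAP256SHA256, ...
    public_key: bytes

    @classmethod
    def from_text(cls, rdata: str) -> "DNSKEY":
        """Parse presentation format, e.g. '257 3 13 <base64 key>'."""
        flags, proto, alg, *key = rdata.split()
        return cls(int(flags), int(proto), int(alg), base64.b64decode("".join(key)))

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit checksum used to pick the right key; not a security check."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def to_text(self) -> str:
        """Presentation format as published in the parent zone."""
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest.hex().upper()}"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = H(owner name in wire format || DNSKEY RDATA)."""
    h = DIGEST_TYPES[digest_type]()
    h.update(owner_wire(owner))
    h.update(key.rdata())
    return DS(key.key_tag(), key.algorithm, digest_type, h.digest())


def verify_ds(parent_ds: DS, owner: str, child_key: DNSKEY) -> bool:
    """Delegation check: the DS in the parent must match the child's published KSK.
    Any mismatch means the chain is broken and the child's data is BOGUS."""
    if parent_ds.digest_type not in DIGEST_TYPES:
        return False  # unsupported digest type: this DS cannot be used to validate
    if not child_key.flags & ZONE_KEY_FLAG:
        return False  # RFC 4034 s.2.1.1: keys without the Zone Key bit never verify RRSIGs
    computed = make_ds(owner, child_key, parent_ds.digest_type)
    return (computed.key_tag == parent_ds.key_tag
            and computed.algorithm == parent_ds.algorithm
            and hmac.compare_digest(computed.digest, parent_ds.digest))


# Constructed sample, not a real key: a 4-byte placeholder public key so the
# key-tag arithmetic can be followed by hand (rdata = 01 01 03 0d 00 01 02 03).
SAMPLE_KSK = DNSKEY.from_text("257 3 13 AAECAw==")

if __name__ == "__main__":
    ds = make_ds("example.com.", SAMPLE_KSK)
    print("DS to publish in .com:", ds.to_text())  # key tag 1554
    print("validator accepts:", verify_ds(ds, "example.com.", SAMPLE_KSK))
    tampered = DNSKEY(257, 3, 13, b"\x00\x01\x02\x04")
    print("validator accepts tampered key:", verify_ds(ds, "example.com.", tampered))
```

The owner name is part of the hashed input, so a DS copied from one zone cannot vouch for the same key under another name, and a single flipped byte in the served DNSKEY breaks the match. The key tag is only a lookup hint (different keys can share one), which is why the digest comparison, not the tag, is the security check.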
DNSSEC vs DoH vs DoT
| Feature | DNSSEC | DoH | DoT |
|---|---|---|---|
| Purpose | Authenticate DNS data | Encrypt DNS queries | Encrypt DNS queries |
| Privacy | No (queries and answers in the clear) | Yes (TLS, on port 443 with HTTPS) | Yes (TLS, on port 853) |
| Integrity | Yes (origin authenticity of the data itself, end to end from the zone owner) | Transport only (TLS between client and resolver; the resolver's answer is still trusted blindly) | Transport only (same as DoH) |
| Standard | RFC 4033-4035 | RFC 8484 | RFC 7858 |
| Use case | Detect cache poisoning and forged responses | Prevent on-path snooping and tampering between client and resolver | Prevent on-path snooping and tampering between client and resolver |
DNSSEC Limitations
- No privacy: DNS queries and answers are still sent in the clear (no encryption)
- Complexity: Key generation, rotation, re-signing before RRSIG expiry, and keeping the parent's DS in sync are operationally error-prone; an expired signature or stale DS takes the whole zone offline for validating resolvers
- Zone walking: NSEC reveals every name in the zone by design; NSEC3 hashes the names, which raises the cost but still allows offline dictionary attacks on the hashes
- Not universally deployed: Many domains are not signed, and many resolvers and stubs do not validate
- Last-hop exposure: Validation normally happens in the recursive resolver, so a stub that only trusts the AD bit over plain UDP to that resolver can still be spoofed on the final hop; only a validating stub, or an authenticated channel to the resolver, closes that gap
- No DDoS protection: Signed responses are much larger, so DNSSEC-enabled servers make better reflectors for amplification attacks; DNSSEC itself does nothing to mitigate them
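The zone-walking limitation, and the NSEC/NSEC3 rows in the components table, are easiest to see with real records. The following is an added example, not code from the page or from any DNS software: it uses a constructed NSEC chain for `example.com` (the names are made up) to show how a signed server proves a name does not exist, how the same "next owner" pointers let anyone enumerate the zone, and the NSEC3 owner-name hash from RFC 5155 section 5 that turns that linear walk into a dictionary attack. The canonical ordering follows RFC 4034 section 6.1.

```python
"""NSEC denial of existence, zone walking, and NSEC3 hashing.
Added example; the NSEC chain below is constructed, not from a real zone."""
import base64
import hashlib

# Constructed NSEC chain for example.com: owner name -> "next owner" field.
# Each NSEC also carries the owner's type bitmap, omitted here for brevity.
NSEC_CHAIN = {
    "example.com.": "ftp.example.com.",
    "ftp.example.com.": "mail.example.com.",
    "mail.example.com.": "www.example.com.",
    "www.example.com.": "example.com.",  # last NSEC wraps around to the apex
}


def canonical_key(name: str):
    """Sort key for RFC 4034 s.6.1 canonical order: labels compared right to left, case-insensitively."""
    return tuple(reversed([l for l in name.lower().rstrip(".").split(".") if l]))


def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if the NSEC (owner -> nxt) proves qname does not exist."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wraparound record covering the end of the zone


def prove_nonexistence(chain: dict, qname: str):
    """The NSEC a signed authoritative server returns with an NXDOMAIN (None if qname exists)."""
    for owner, nxt in chain.items():
        if nsec_covers(owner, nxt, qname):
            return owner, nxt
    return None


def walk_zone(chain: dict, apex: str) -> list:
    """Zone enumeration: follow each NSEC's 'next owner' until back at the apex.
    Every name returned was leaked by a record the server is required to serve."""
    names, cur = [apex], apex
    while True:
        cur = chain[cur]
        if cur == apex:
            return names
        if cur in names:
            raise ValueError("NSEC chain loops without returning to the apex")
        names.append(cur)


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


# RFC 5155 uses base32 with the "extended hex" alphabet (base32hex), not plain base32.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s.5: H(x) = SHA-1(x || salt), applied iterations+1 times, then base32hex.
    The result is the NSEC3 owner label; an attacker must guess names and hash them to match it."""
    x = owner_wire(name)
    for _ in range(iterations + 1):
        x = hashlib.sha1(x + salt).digest()
    return base64.b32encode(x).decode("ascii").translate(_B32HEX).lower()


if __name__ == "__main__":
    print("NXDOMAIN proof for gopher.example.com:", prove_nonexistence(NSEC_CHAIN, "gopher.example.com."))
    print("zone walked from NSEC records:", walk_zone(NSEC_CHAIN, "example.com."))
    salt = bytes.fromhex("aabbccdd")  # constructed NSEC3PARAM salt
    for n in walk_zone(NSEC_CHAIN, "example.com."):
        print(f"{nsec3_hash(n, salt, 12)}.example.com.  <- NSEC3 owner for {n}")
```

The NXDOMAIN proof is unavoidable: to convince a validator that `gopher.example.com` does not exist, the server must hand over a signed record naming `ftp` and `mail`, and chaining those answers reveals the whole zone. NSEC3 replaces the names with salted SHA-1 hashes, so a walker collects hashes instead of names and has to guess candidates offline; that is why the components table calls it a mitigation rather than a fix, and why RFC 9276 now recommends 0 additional iterations and an empty salt, since extra iterations only slow validators.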
DNSSEC Key Management
| Key Type | Purpose | Typical Size / Notes |
|---|---|---|
| ZSK (Zone Signing Key) | Signs the zone's RRsets (the bulk of the RRSIGs) | 2048-bit RSA or 256-bit ECDSA (ECDSAP256SHA256, algorithm 13) |
| KSK (Key Signing Key) | Signs the DNSKEY RRset; its hash is the DS in the parent, anchoring the chain of trust | 4096-bit RSA or 384-bit ECDSA; many deployments use ECDSA P-256 for both keys, or a single combined signing key (CSK) |
| Rollover | Replace keys periodically; ZSK rollover is local to the zone, KSK rollover also requires a new DS in the parent | Separating KSK and ZSK lets ZSK rollovers run automatically with no parent interaction; KSK rollovers can be automated with CDS/CDNSKEY if the parent honours them |
DNSSEC in Infrastructure
| Component | DNSSEC Role |
|---|---|
| BIND | Authoritative and recursive server; automatic zone signing and key rollover, DNSSEC validation when used as a resolver |
| Unbound | Recursive resolver with DNSSEC validation (root trust anchor managed with unbound-anchor) |
| PowerDNS | Authoritative server with online or pre-signed DNSSEC; the Recursor validates |
| Cloudflare | Managed DNSSEC for hosted domains (signing and DS publication) |
| Amazon Route 53 | DNSSEC signing for hosted zones with the KSK held in AWS KMS |
| NS1 | Managed DNSSEC for enterprise DNS |
DNSSEC Command Examples
# Ask for DNSSEC records with the answer (adds RRSIGs); look for the "ad" flag
# in the response header, which is set only if the resolver you asked validated
# the answer. Query a concrete type: ANY is deprecated (RFC 8482) and often refused.
dig +dnssec example.com A
# Validate the full chain yourself, from the built-in root trust anchor
# (delv ships with BIND 9.10 and later; prints "; fully validated" on success)
delv example.com A
# Check the DS record at the parent (.com)
dig DS example.com +short
# Check RRSIG records (signer name, algorithm, key tag, expiry)
dig RRSIG example.com +short
# Fetch the zone's public keys (flags 257 = KSK, 256 = ZSK); the KSK must hash to the DS above
dig DNSKEY example.com +short
Related Terms
- DNS — DNSSEC authenticates DNS responses; DoH and DoT only encrypt the transport to the resolver
- DoT — DoT encrypts DNS queries; DNSSEC authenticates responses
- PKI — DNSKEY and DS records form a key hierarchy analogous to a certificate chain, with the root zone trust anchor in place of a CA
- Firewall — DNSSEC adds response size; firewalls must allow EDNS0 UDP responses larger than 512 bytes and fallback to TCP port 53