Security

DNSSEC for small sites: useful, but not magic

DNSSEC authenticates DNS answers. It does not encrypt DNS, stop DDoS attacks, or fix weak registrar security.

DNSSEC is worth understanding because DNS is one of the few systems every website depends on. It is also easy to oversell. DNSSEC helps resolvers verify that DNS answers came from the expected zone and were not altered. It does not hide what domain was queried.

What it actually protects

The DNSSEC family of records lets a resolver validate a chain from the DNS root through the parent zone to your domain. When the chain works, a forged answer should fail validation instead of silently sending a user to the wrong address.

  • RRSIG signs DNS record sets.
  • DNSKEY publishes the zone's public signing keys.
  • DS connects the parent zone to the child zone's DNSKEY.
  • NSEC or NSEC3 proves that a name does not exist.

The common mistake

The common mistake is thinking the DNS provider switch is the whole job. Cloudflare signs the zone and generates DS record values, but the parent zone has to publish the right DS record. If the registrar has stale DS material from the previous DNS provider, the domain can fail validation after a nameserver move.

What DNSSEC does not do

  • It does not encrypt DNS queries or answers.
  • It does not protect the registrar account from takeover.
  • It does not prevent DDoS attacks.
  • It does not replace HTTPS, HSTS, SPF, DKIM, DMARC, or account-level 2FA.

A safe enablement path

  1. Confirm the current authoritative DNS provider.
  2. If migrating, disable or migrate old DNSSEC material before changing nameservers.
  3. Enable DNSSEC at the authoritative provider.
  4. Add the generated DS record at the registrar.
  5. Validate with at least two independent DNSSEC checkers.
  6. Document how to roll back and where registrar credentials live.

Sources

  1. ICANN DNSSEC explainerPlain-language DNSSEC background.
  2. RFC 4033DNSSEC introduction, capabilities, and limits.
  3. RFC 9364DNSSEC as current best practice for DNS data origin authentication.
  4. Cloudflare DNSSEC docsCloudflare enablement and DS record workflow.
  5. APNIC DNSSEC validation statisticsValidation-rate context by country.