DNSSEC Basics and How to Set Up DNS Security Extensions

Several silver padlocks on a red fence denoting the importance of DNSSEC Basics and DNS Security.

We’ve mentioned security and DNSSEC in a few different places in this series, but we wanted to give DNSSEC basics proper attention as we put together our final post on DNS. Due to the nature of DNS, it’s just not secure on its own. When the DNS protocol was first written, the internet was much smaller, and users were less concerned with security. Since then that’s changed significantly, and while DNSSEC has been around for almost 10 years adoption is far from universal.

Having DNSSEC basics down has become an absolute necessity. If you haven’t already gone back and optimized your DNS, check out the first four parts of this series to learn about how you can ensure your DNS is set up with best practices in mind.

What are the DNSSEC Basics?

DNSSEC, which stands for DNS Security Extensions, was created by a team of engineers tasked with solving the lack of authentication in the DNS protocol. Using digital signatures and public key cryptography, DNSSEC strengthens authentication in DNS. With DNSSEC, data owners can cryptographically sign data so that DNSSEC can verify its source and ultimately help prevent DNS spoofing or cache poisoning.

To go into more detail, each DNS zone has its own public/private key pair. DNS Zone owners keep their private key, as the name implies, private, while the public key is retrievable by anyone. These private keys are sometimes called DNSKEYS and they are used to help verify both that the data an end user is receiving is correct and has not been tampered with.

So DNSSEC actually provides two different types of security to the end user. It ensures that the zone in which the data originated is correct, while also checking that it hasn’t been modified in transit by a malicious party. This is done at every level of the DNS lookup process, from the root servers to the resolving nameservers. If a resolver can’t verify the data’s origin or it can’t confirm it hasn’t been tampered with then it will turn back an error to the end user.

The public keys are also signed by the parent DNS zone’s private signature, all the way up to the root server. This adds an extra layer of authentication so that there aren’t holes in the protocol for malicious entities to exploit.

Shouldn’t my DNS automatically include DNSSEC?

DNSSEC needs to be set up by the DNS zone owner and because it requires an extra step, it’s often not activated. However, setting up DNSSEC is a fairly painless process much like setting up authoritative DNS services. Many service providers will allow you to just toggle DNSSEC on. It’s so highly recommended that providers try to make setup easy on users, plus the more DNSSEC is deployed, the more secure the internet is overall.

Check the list below to see how to set up DNSSEC with your provider:



If you want to make sure your DNSSEC configuration is correct, Verisign provides a DNSSEC Analyzer you can use for free here.

Will DNSSEC only secure my domain?

Thankfully, DNSSEC can be used to secure and verify any type of record (A, AAAA, CNAME, MX) related to your hostname. Once you have set up DNSSEC for your hostname you are good to go on all record types. However, keep in mind that you shouldn’t set it up and then forget about it.

Monitoring your DNS and keeping track of new methods of optimization are important. Make sure that once you’ve set your DNS Zones properly and added on the DNSKEY you are following monitoring best practices on DNS. Here’s the post from earlier in this series which discusses DNS monitoring best practices.

DNSSEC, and DNS in general, are significant players in daily internet use. Securing your hostname in every way possible will help both reliability and availability and will prevent malicious parties from getting a hold of your hostname for their own gain.

We hope this series has given you a comprehensive look into DNSSEC basics and the significance of DNS. Subscribe in the sidebar to get updates to this series, as well as future helpful guides, how-to articles, and FAQs.

Reach out to us if you have any comments, questions, corrections, or content ideas about DNS and other technology or monitoring topics by emailing editorial@panopta.com.