What is DNSSEC?

What is DNSSEC or Domain Name System Security Extensions?

Written by Ivan Kovachev
Updated over a week ago

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on IP networks.

It is a set of extensions that provide DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Because the original DNS specification did not include any security details, DNSSEC attempts, while maintaining backward compatibility, to protect applications (and the caching resolvers serving those applications) from using forged or manipulated DNS data, such as that created by DNS cache poisoning.

All answers from DNSSEC-protected zones are digitally signed, so that their authenticity can be verified.

Please note that the initial DNSSEC specification, RFC 2535, has become obsolete due to scalability concerns. DNSSEC-bis is the current protocol. For further information, see RFC 4033, RFC 4034, and RFC 4035.

DNSSEC Complexities:

Before you turn on DNSSEC for your domain, there are a few things to consider and discuss with your DNS provider:

  • Zone Content Exposure

  • Key Management

  • Reflection/Amplification Threat protection
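
Zone content exposure follows from authenticated denial of existence: an NSEC record proves a name is absent by naming the two existing names on either side of it in canonical order (RFC 4034, section 6.1), and NSEC3 hashes those names instead. The sketch below is an added example, not part of the original article; the zone data and function names are constructed, and it assumes the RRSIG on each NSEC record has already been validated.

```python
# Added example: constructed zone data, hypothetical helper names.
# Assumes the signature (RRSIG) on every NSEC record was already verified.

def canonical_key(name):
    """RFC 4034 section 6.1 sort key: lowercase labels, compared right to left."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]


def nsec_covers(owner, next_name, qname):
    """True if the NSEC record (owner -> next_name) proves qname is absent."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:                  # ordinary link in the chain
        return o < q < n
    return q > o or q < n      # last record wraps around to the zone apex


def find_denial(zone, nsec_chain, qname):
    """Return the NSEC pair that denies qname, or None if there is no proof."""
    apex, q = canonical_key(zone), canonical_key(qname)
    if q[:len(apex)] != apex:
        return None            # outside the zone: these records say nothing
    for owner, next_name in nsec_chain:
        if nsec_covers(owner, next_name, qname):
            return owner, next_name
    return None                # qname exists, so no record covers it


# Constructed NSEC chain for a zone with four owner names.
CHAIN = [
    ("example.com", "api.example.com"),
    ("api.example.com", "mail.example.com"),
    ("mail.example.com", "www.example.com"),
    ("www.example.com", "example.com"),   # wrap-around record
]

if __name__ == "__main__":
    for name in ("ftp.example.com", "MAIL.example.com", "zzz.example.com"):
        proof = find_denial("example.com", CHAIN, name)
        # A proof necessarily discloses two names that do exist in the zone.
        print(name, "->", proof if proof else "no denial (name exists)")
```
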

OnDMARC will display the DNSSEC status of your domains in your Control Panel.

Create a free OnDMARC account.
