How DNSSEC Works

DNSSEC protects DNS responses with digital signatures, so that a validating resolver can verify that the data it receives really came from the zone's signer and was not modified in transit.


Figure: DNSSEC validation workflow

What DNSSEC Does #

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records so that DNS resolvers can verify that the information received from authoritative servers is authentic.

Without DNSSEC, an attacker who can inject or alter DNS responses, for example through DNS cache poisoning, can redirect users to servers under their control without the resolver noticing.

DNSSEC counters this by letting validating resolvers detect and reject forged or altered data: a response that fails validation is discarded rather than passed on. DNSSEC provides authenticity and integrity only; it does not encrypt queries or responses, so it offers no confidentiality.

DNSSEC and the DNS Resolution Process #

DNSSEC operates on top of the normal DNS resolution process. Queries still follow the standard DNS hierarchy: the resolver asks the root servers, is referred to the top-level domain servers, and is finally referred to the domain's own authoritative servers. DNSSEC adds no new query flow; the resolver simply asks for signature and key records alongside the ordinary ones.

A DNSSEC-aware resolver signals that it wants signed data by including an EDNS0 OPT record with the DO (DNSSEC OK) bit set in its query. Without EDNS0 a UDP response is limited to 512 bytes, which is too small for most signed answers. DNS queries typically use UDP port 53, but if a response does not fit in the UDP payload size the client advertised, the server sets the TC (Truncated) flag and the client retries the same query over TCP port 53.

Because signed responses carry RRSIG and DNSKEY records, they are much larger than traditional responses, so TCP fallback is more common when DNSSEC is enabled. Firewalls that block TCP/53 or drop fragmented UDP packets therefore break DNSSEC resolution; this is why many resolvers advertise a UDP payload size of around 1232 bytes and fall back to TCP early rather than relying on IP fragmentation.
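The query and truncation handling described above, as an added example in Python that is not part of the original page: it builds a raw DNS query carrying an EDNS0 OPT record with the DO bit set (the way a DNSSEC-aware client asks for signatures), parses a reply header, and decides when to repeat the query over TCP. The 1232-byte payload size, the transaction ID and the reply used in the demo are constructed assumptions for the example; only the standard library is used, and nothing is sent on the network.

```python
import struct

# Added example, not code from the original page: build a DNS query that
# advertises EDNS0 with the DO (DNSSEC OK) bit, then decide from a reply's
# header whether the UDP exchange must be repeated over TCP (TC flag set).

EDNS_UDP_SIZE = 1232   # advertised UDP payload; 1232 is an assumed operator choice that avoids fragmentation
DO_BIT = 0x8000        # DNSSEC OK flag in the OPT record's extended flags (RFC 3225)
TYPE_OPT = 41

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by the root label 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname: str, qtype: int, txid: int = 0x1234, set_do: bool = True) -> bytes:
    """Recursive query with one question and an EDNS0 OPT pseudo-RR in the additional section."""
    flags = 0x0100                                              # QR=0 (query), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)    # QDCOUNT=1, ARCOUNT=1 (the OPT RR)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    # OPT RR (RFC 6891): owner = root, TYPE=41, the CLASS field carries the UDP payload size,
    # the TTL field carries extended RCODE (8 bits), EDNS version (8 bits) and flags (16 bits, DO is the MSB).
    ext_flags = DO_BIT if set_do else 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, EDNS_UDP_SIZE, 0, 0, ext_flags, 0)   # RDLEN=0
    return header + question + opt

def parse_header(msg: bytes) -> dict:
    """Split the fixed 12-byte header; TC and AD are the bits DNSSEC users look at."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def dnssec_ok(query: bytes) -> bool:
    """True if the message ends with an OPT RR whose DO bit is set (what a DNSSEC-aware client sends)."""
    if len(query) < 11 or query[-11] != 0:
        return False
    rrtype, _size, _ext_rcode, _version, ext_flags, rdlen = struct.unpack("!HHBBHH", query[-10:])
    return rrtype == TYPE_OPT and rdlen == 0 and bool(ext_flags & DO_BIT)

def needs_tcp_retry(udp_reply: bytes) -> bool:
    """A reply with TC=1 was cut to fit the UDP limit; the client must re-send the same query over TCP."""
    return parse_header(udp_reply)["tc"]

def tcp_frame(query: bytes) -> bytes:
    """DNS over TCP prefixes each message with its length as a 2-byte big-endian integer (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(query)) + query

def constructed_reply(query: bytes, truncated: bool) -> bytes:
    """Constructed reply for this example (expects a build_query() message): echoes the question
    with QR=1, RD=1, RA=1 and optionally TC=1, carrying no answer records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)
    question = query[12:-11]                     # strip the header and the 11-byte OPT RR
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question

if __name__ == "__main__":
    q = build_query("example.com.", 48)          # QTYPE 48 = DNSKEY, typically a large answer
    reply = constructed_reply(q, truncated=True)
    print("DO bit set:", dnssec_ok(q))
    print("retry over TCP:", needs_tcp_retry(reply))
    if needs_tcp_retry(reply):
        print("TCP-framed query:", tcp_frame(q).hex())
```

On a real network the same bytes would go to a resolver with a UDP socket and, on TC=1, again over a TCP connection with the 2-byte length prefix; the reply header's AD bit is then the signal that the resolver validated the answer.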

Signing DNS Zones #

DNSSEC signatures are created by the operator of the zone, normally on or next to the authoritative DNS servers. The zone is signed with a private key that must be kept secret; the corresponding public key is published in the zone itself so that resolvers can check the signatures.

When DNSSEC signing is enabled on an authoritative server such as BIND9 (for example with a dnssec-policy statement in BIND 9.16 and later), the server automatically generates the additional records required for DNSSEC operation.

These records include:

  - DNSKEY records carrying the zone's public keys
  - RRSIG records, one signature per record set in the zone
  - NSEC or NSEC3 records (plus NSEC3PARAM when NSEC3 is used) for authenticated denial of existence
  - a DS record derived from the key-signing key, which the operator must publish in the parent zone

When zone signing is enabled, BIND9 creates and maintains these records whenever the zone is loaded or updated, and re-signs record sets before their signatures expire. Publishing the DS record is the one step that is not automatic: it has to be submitted to the parent zone, usually through the registrar, whenever the key-signing key changes.

Important DNSSEC Record Types #

RRSIG Records

An RRSIG record holds the digital signature over one record set (all records with the same owner name, class and type), made with the zone's private key. It also records which key produced the signature (by key tag and algorithm), the signer's name and the signature's inception and expiration times. A resolver that obtains the matching DNSKEY can verify that the record set was produced by the zone's signer and has not been altered; a signature outside its validity window is rejected, which is why signed zones must be re-signed regularly.

DNSKEY Records

The DNSKEY record set contains the zone's public keys used to verify RRSIG signatures. Most zones publish two kinds: a key-signing key (KSK, flags value 257), which signs only the DNSKEY set and is the key referenced by the parent's DS record, and a zone-signing key (ZSK, flags value 256), which signs the rest of the zone. Splitting the roles lets the ZSK be rolled frequently without involving the parent zone.

DS Records

A DS (Delegation Signer) record lives in the parent zone and contains a hash of a child DNSKEY (normally the KSK) together with that key's tag and algorithm. It is what links the child zone into the chain of trust.

NSEC and NSEC3

NSEC and NSEC3 records are used to prove that a domain name, or a record type at a name, does not exist (authenticated denial of existence). An NSEC record names the next owner name in canonical order, so a signed NSEC proves that nothing lies in the gap between the two names; NSEC3 does the same with hashed names, which makes enumerating the zone's contents harder.

Without these records, attackers could forge negative DNS responses, and a resolver would have no way to tell a genuine NXDOMAIN from a fabricated one.

The DNSSEC Chain of Trust #

DNSSEC relies on a hierarchical trust model known as the chain of trust.

Each zone signs its own DNSKEY record set with its key-signing key, and the parent zone publishes a DS (Delegation Signer) record containing a hash of that key. The DS record is itself signed with the parent's keys, so trust in the parent extends to the child.

This creates a validation chain from the root zone, to the top-level domain (for example .com), to the domain's own zone (for example example.com), and finally to each signed record set in that zone.

Resolvers do not trust the root zone blindly: they are configured with the root zone's public key-signing key, the trust anchor, which ships with resolver software and can be tracked across root key rollovers using RFC 5011. Because every other zone chains back to that anchor through DS records, a resolver can verify the authenticity of DNS records across the entire Internet from a single configured key. A missing or mismatched DS in the parent breaks the chain for everything below it, so DS records must be updated carefully whenever a key-signing key is rolled.

DNSSEC Validation by Recursive Resolvers #

Validating recursive resolvers perform DNSSEC validation before returning DNS responses to clients. Not every recursive resolver validates; one that does not simply passes records through, signed or not.

The resolver performs the following steps:

  1. The resolver queries the authoritative server for DNS records, with the DO bit set so that signatures are included.
  2. The server returns the records along with their RRSIG signatures.
  3. The resolver retrieves the DNSKEY record set for the zone and checks that it is covered by a DS record in the parent zone.
  4. The resolver verifies the RRSIG signatures using the matching public key (selected by key tag and algorithm) and checks that each signature is within its validity period.
  5. The resolver repeats the DS and DNSKEY checks upward through each parent until it reaches the configured root trust anchor.
  6. If validation succeeds, the resolver returns the answer to the client with the AD (Authenticated Data) flag set.

If validation fails, the resolver returns a SERVFAIL response instead of potentially forged data. A client that sets the CD (Checking Disabled) flag in its query asks the resolver to skip validation and return the data anyway; this is useful for debugging a broken zone but should not be a default. Note also that most end-user systems run a stub resolver that does not validate: the AD flag only tells the client that the recursive resolver validated, and the path between client and resolver is protected only if that hop is itself authenticated (for example with DNS over TLS) or the client validates on its own.

Why DNSSEC Matters #

DNSSEC protects Internet users and organizations from attacks that manipulate DNS responses.

It is widely used by:

DNSSEC is also the foundation for other technologies such as DANE, which uses TLSA records to bind a TLS certificate or public key to a host name. A TLS client can only rely on a TLSA record if the DNS chain that delivered it was validated, so DANE is only as strong as the DNSSEC deployment beneath it.

Planisys 2025 © All rights reserved.