Glossary

What Is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is a set of DNS protocol extensions that add cryptographic signatures to DNS records. Validating resolvers can use those signatures to confirm that an answer came from the legitimate authoritative server and was not modified in transit.

Why DNSSEC Exists

Plain DNS has no built-in authentication. A user, ISP, or in-path attacker can return any answer they want to a recursive query, and the requesting client has no way to know. DNSSEC closes that gap by attaching cryptographic signatures to every record set.

The Chain of Trust

DNSSEC builds a chain of trust starting at the DNS root, through each TLD, down to the zone being validated. Each parent zone publishes a Delegation Signer (DS) record that authenticates the public key of its child zone, so a resolver only needs to trust the root keys to verify the signature on any DNSSEC-signed record.

Key Record Types

  • DNSKEY — the public key used to sign records in a zone.
  • RRSIG — a signature over a record set (RRset).
  • DS — published in the parent zone, authenticates the child's DNSKEY.
  • NSEC / NSEC3 — authenticated denial of existence (proves a name doesn't exist).

Algorithms

Modern DNSSEC favors elliptic-curve algorithms — ECDSA P-256 (algorithm 13) and Ed25519 (algorithm 15) — over the older RSA SHA-256 (algorithm 8). Newer algorithms produce smaller signatures, reducing DNS response sizes and the risk of fragmentation-related failures.

The Reality of Adoption

DNSSEC adoption is uneven. The DNS root and most country-code TLDs (ccTLDs) are signed, but only a fraction of domains under generic TLDs have it enabled — often because hosting providers and registrars don't publish DS records by default. From a security operations perspective this is useful intel: domains without DNSSEC are somewhat easier to spoof, and the absence may indicate a less mature operator.

Limits of DNSSEC

DNSSEC authenticates the answer; it does not encrypt the query. For privacy you still need DoH (DNS over HTTPS) or DoT (DNS over TLS). It also doesn't prevent typosquatting or domain hijacks at the registrar — only forgery in transit.

DNSSEC Posture in Whisper

Whisper tracks DNSSEC presence, signing algorithm, and DS-record validity for every zone in its dataset. Analysts can answer "which of our vendors have not deployed DNSSEC" or "which DNSSEC-signed zones use deprecated RSA SHA-1" directly from the graph. Read more in the infrastructure intelligence entry.
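The following Python is an added example, not Whisper's code, showing the mechanics behind the chain-of-trust and algorithm entries above and the kind of posture query described here. It builds a DS record from a DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest over the canonical owner name plus DNSKEY RDATA), checks whether a parent's DS actually authenticates a child key, and classifies each zone in a constructed dataset as unsigned, unanchored (signed but no DS), broken (DS does not match), weak (deprecated RSA SHA-1), or ok. The zone names, key bytes, and the `ALGORITHM_STATUS` table are assumptions constructed for the example; the table follows RFC 8624's recommendations in simplified form.

```python
import hashlib
import struct

# Simplified algorithm status table (after RFC 8624). Constructed for this
# example; numbers are IANA DNSSEC algorithm numbers.
ALGORITHM_STATUS = {
    5: ("RSASHA1", "deprecated"),
    7: ("RSASHA1-NSEC3-SHA1", "deprecated"),
    8: ("RSASHA256", "acceptable"),
    13: ("ECDSAP256SHA256", "recommended"),
    15: ("ED25519", "recommended"),
}


def owner_name_wire(name):
    """Owner name in canonical (lowercase) DNS wire format, RFC 4034 s6.2."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name wire | DNSKEY RDATA); 2 = SHA-256, 4 = SHA-384."""
    data = owner_name_wire(owner) + rdata
    if digest_type == 2:
        return hashlib.sha256(data).hexdigest().upper()
    if digest_type == 4:
        return hashlib.sha384(data).hexdigest().upper()
    raise ValueError(f"unsupported DS digest type {digest_type}")


def make_ds(owner, rdata, digest_type=2):
    """The DS record a parent zone should publish for this child DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches(owner, rdata, ds):
    """True if the parent's DS authenticates this child DNSKEY (tag, alg, digest)."""
    try:
        expected = ds_digest(owner, rdata, ds["digest_type"])
    except ValueError:
        return False
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest"].upper() == expected)


def assess_zone(name, dnskeys, ds_records):
    """Posture summary for one zone: status plus human-readable findings."""
    if not dnskeys:
        return {"zone": name, "status": "unsigned", "findings": ["no DNSKEY published"]}
    findings, status = [], "ok"
    for rdata in dnskeys:
        alg_name, alg_status = ALGORITHM_STATUS.get(rdata[3], (f"alg{rdata[3]}", "unknown"))
        if alg_status != "recommended":
            findings.append(f"uses {alg_name} ({alg_status})")
            if alg_status == "deprecated":
                status = "weak"
    if not ds_records:
        findings.append("no DS in parent: chain of trust not anchored")
        status = "unanchored"
    elif not any(ds_matches(name, k, ds) for k in dnskeys for ds in ds_records):
        findings.append("no DS matches any DNSKEY: validation would fail")
        status = "broken"
    return {"zone": name, "status": status, "findings": findings}


# Constructed sample keys (not real keys): a KSK-flagged Ed25519-sized key and
# an RSASHA1 key. Flags 257 = zone key + SEP bit; protocol is always 3.
KSK_GOOD = dnskey_rdata(257, 3, 15, bytes([0x01]) * 32)
KSK_OLD = dnskey_rdata(257, 3, 5, bytes(range(64)))

# Constructed dataset: (zone, DNSKEY RRset, DS records seen in the parent).
SAMPLE_ZONES = [
    ("vendor-a.example", [KSK_GOOD], [make_ds("vendor-a.example", KSK_GOOD)]),
    ("vendor-b.example", [KSK_GOOD], []),                                     # no DS
    ("vendor-c.example", [KSK_GOOD], [make_ds("vendor-c.example", KSK_OLD)]),  # stale DS
    ("vendor-d.example", [KSK_OLD], [make_ds("vendor-d.example", KSK_OLD)]),   # SHA-1
    ("vendor-e.example", [], []),                                             # unsigned
]


def posture_report(zones=SAMPLE_ZONES):
    return [assess_zone(*zone) for zone in zones]


if __name__ == "__main__":
    for row in posture_report():
        print(f"{row['zone']:<20} {row['status']:<10} {'; '.join(row['findings'])}")
```

The stale-DS case (vendor-c) is the one worth noticing operationally: the zone is signed with a good algorithm, yet validating resolvers will return SERVFAIL because the parent's DS was never updated after a key rollover. A posture query that only asks "is DNSSEC present?" misses it; checking that the DS digest matches a published DNSKEY does not.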