What is DNSSEC?

DNS Security Extensions and the Chain of Trust

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that responses are authentic and haven't been tampered with. It's a critical defense against DNS spoofing and cache poisoning.


Step 1: What is DNSSEC?

DNSSEC is a set of extensions to DNS that add cryptographic authentication to DNS responses. Without DNSSEC, a DNS resolver has no way to verify that a response actually came from the authoritative nameserver for that domain — making attacks like DNS poisoning and DNS hijacking possible.

With DNSSEC enabled, each DNS response includes a digital signature that the resolver can validate. If the signature doesn't match, the response is rejected — even if an attacker managed to inject a forged record.

DNSSEC doesn't encrypt DNS queries or responses (that's what encrypted DNS does). Instead, it ensures that the answers you receive are the same answers the domain owner published.

Step 2: The Chain of Trust

DNSSEC works through a hierarchical chain of trust, starting from the DNS root zone:

  • Root zone: The root zone publishes and signs a DS record for each signed top-level domain (TLD); the root zone's key-signing key is the trust anchor that validating resolvers are configured with
  • TLD zone: Each TLD (.com, .org, etc.) publishes and signs a DS record for each signed domain delegated under it
  • Domain zone: Individual domains sign their own DNS records (A, AAAA, MX, etc.) with their zone signing key, producing an RRSIG for each record set
  • Validation: A DNSSEC-validating resolver follows this chain from root to domain, checking each DS-to-DNSKEY link and each signature along the way

Key DNSSEC record types include RRSIG (the signature over a record set), DNSKEY (the zone's public key), DS (the delegation signer: a hash of the child's key published in the parent zone, linking the two), and NSEC/NSEC3 (authenticated denial of existence, proving that a name or record type doesn't exist).
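As an added illustration of the DS-to-DNSKEY links described above (this is example code written for this page, not CleanBrowsing's or NOC.org's software), the Python below implements the real key-tag and DS digest computations from RFC 4034 and RFC 4509 and walks a constructed root, com, example.com chain starting from a trust anchor, reporting each link as secure, bogus (key does not match the parent's DS) or insecure (parent published no DS). The key bytes and zone names are constructed placeholders; RRSIG verification of the records themselves is left out because it needs a public-key library.

```python
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase,
    length-prefixed labels, terminated by the root label; '.' alone is b'\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(public_key: bytes, flags: int = 257, algorithm: int = 13) -> bytes:
    """DNSKEY RDATA: flags (257 = zone key + SEP, i.e. a KSK), protocol (always 3),
    algorithm number (13 = ECDSAP256SHA256), then the raw public key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: the 16-bit checksum quoted in DS and RRSIG."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (RFC 4509): SHA-256 over owner name wire form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> dict:
    """Build the DS record a parent zone publishes for a child's key-signing key."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": ds_digest(owner, rdata)}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """Does this DNSKEY (at this owner name) match the DS the parent published?"""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest_type"] == 2
            and hmac.compare_digest(ds["digest"], ds_digest(owner, rdata)))


def validate_chain(trust_anchor: dict, zones: list) -> list:
    """Walk the delegation chain root-first. Each zone is a dict
    {"name", "dnskey", "ds_for_children": {child_name: ds}}.
    Returns [(zone_name, status)] with status secure / bogus / insecure,
    stopping at the first link that is not secure."""
    results = []
    expected_ds = trust_anchor          # the root's DS is the resolver's trust anchor
    for i, zone in enumerate(zones):
        if expected_ds is None:         # parent published no DS: unsigned delegation
            results.append((zone["name"], "insecure"))
            break
        if not ds_matches(expected_ds, zone["name"], zone["dnskey"]):
            results.append((zone["name"], "bogus"))   # key does not match parent's DS
            break
        results.append((zone["name"], "secure"))
        if i + 1 < len(zones):          # the child's DS must come from this zone
            expected_ds = zone["ds_for_children"].get(zones[i + 1]["name"])
    return results


# Constructed sample keys (not real cryptographic material): 64 bytes each, the
# size of an uncompressed ECDSA P-256 public key. Zone names are placeholders.
ROOT_KEY = bytes(range(1, 65))
COM_KEY = bytes(range(65, 129))
EXAMPLE_KEY = bytes(range(129, 193))


def build_chain(example_key: bytes = EXAMPLE_KEY, sign_example: bool = True):
    """Return (trust_anchor, zones) for . -> com. -> example.com.
    The parent's DS is always derived from the genuine EXAMPLE_KEY, so passing a
    different example_key models a forged child key; sign_example=False models
    a delegation for which the parent published no DS at all."""
    root_dnskey = dnskey_rdata(ROOT_KEY)
    com_dnskey = dnskey_rdata(COM_KEY)
    example_dnskey = dnskey_rdata(example_key)
    com_children = ({"example.com.": make_ds("example.com.", dnskey_rdata(EXAMPLE_KEY))}
                    if sign_example else {})
    zones = [
        {"name": ".", "dnskey": root_dnskey,
         "ds_for_children": {"com.": make_ds("com.", com_dnskey)}},
        {"name": "com.", "dnskey": com_dnskey, "ds_for_children": com_children},
        {"name": "example.com.", "dnskey": example_dnskey, "ds_for_children": {}},
    ]
    return make_ds(".", root_dnskey), zones


if __name__ == "__main__":
    anchor, zones = build_chain()
    print("genuine chain:", validate_chain(anchor, zones))
    anchor, zones = build_chain(example_key=bytes(64))   # forged child key
    print("forged key:   ", validate_chain(anchor, zones))
```

The "bogus" outcome is the one that matters operationally: a validating resolver treats it as a failed validation and refuses to hand the answer to the client, whereas "insecure" just means the zone never opted in to DNSSEC and the answer is returned without any authenticity guarantee.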

Step 3: DNSSEC vs Encrypted DNS

DNSSEC and encrypted DNS solve different problems and work together for comprehensive DNS security:

  • DNSSEC (authenticity): Verifies that DNS responses are genuine and unmodified — protects the authoritative side. Domain owners enable DNSSEC through their nameserver provider
  • Encrypted DNS (privacy): Encrypts DNS queries in transit so they can't be read or tampered with on the path between your device and the resolver — protects the resolver side. Users enable it by using DoH or DoT

DNSSEC is configured on the authoritative DNS side — services like NOC.org manage DNSSEC signing for domain owners. Encrypted DNS is configured on the resolver side — CleanBrowsing supports DoH, DoT, and DNSCrypt for encrypted query transport.

Step 4: DNSSEC and CleanBrowsing

CleanBrowsing's DNS resolvers perform DNSSEC validation on all queries. When a domain has DNSSEC enabled and the signatures don't validate, CleanBrowsing returns an error rather than serving potentially poisoned records.

Combined with encrypted DNS transport and CleanBrowsing's DNS security features, DNSSEC validation provides an additional layer of defense, ensuring that the DNS answers your devices receive are exactly what the domain owner intended.
