What is DNSSEC? Protect your domain from spoofing
Published on July 3, 2026 7 min read
DNSSEC secures your DNS with digital signatures against spoofing and cache poisoning. Learn how it works and how to enable it for your domain.
DNSSEC is a security extension for the Domain Name System (DNS) that adds a digital signature to DNS answers. It lets the computer that looks up a domain name on your visitor's behalf check that the answer really comes from your domain and was not altered on the way. In this article you will learn what DNSSEC is, how it defends against DNS spoofing and cache poisoning, how it works through a chain of trust with DS and DNSKEY records, and how to switch it on for your own domain.
What is DNSSEC?
DNSSEC stands for Domain Name System Security Extensions. DNS is the phone book of the internet: it translates a domain name into the right IP address, for example through the A record. The problem is that classic DNS has no built-in way to check whether an answer is genuine. A resolver, the DNS server that carries out the lookup for you, will in principle trust any answer that arrives.
DNSSEC solves this by attaching a digital signature to each answer. A resolver that validates DNSSEC can then confirm that the answer comes from the correct source and has not been tampered with. One thing is worth stressing here: DNSSEC proves that DNS data is authentic and unchanged, but it does not encrypt your DNS traffic. It makes the answers trustworthy, not secret.
Why does DNSSEC matter?
Without DNSSEC, an attacker can try to slip in fake DNS answers. This is called DNS spoofing, and when such a forged answer ends up in a resolver's cache, it becomes cache poisoning. The resolver then hands out the fake answer to everyone who asks for that domain, for as long as it stays cached.
The result is that visitors are quietly sent to the wrong server while they still see the correct domain name in their address bar. That opens the door to phishing, password theft and the interception of email. DNSSEC stops this attack from working: a resolver that checks the signature recognises a forged answer and rejects it.
DNSSEC complements other security measures. HTTPS protects the connection to your server, a CAA record controls which certificate authorities may issue certificates for your domain, and DNSSEC protects the lookup itself. Together they cover different layers.
How does DNSSEC work?
DNSSEC relies on digital signatures and on a chain of trust that reaches all the way up to the root of the DNS. A few terms help to make sense of what happens.
Signing with keys
When you enable DNSSEC, your zone is signed. Each set of records receives a digital signature, which is stored in an RRSIG record. Your A record and your other records still exist as before, but a signature is added to them.
The matching public keys are published in DNSKEY records. There are usually two roles: a Key Signing Key (KSK) that signs the set of keys, and a Zone Signing Key (ZSK) that signs the ordinary records. Some providers use a single combined key for this instead.
The chain of trust
The link to the outside world runs through the DS record. This is a short hash (a kind of fingerprint) of your key, and it does not live in your own zone but in the parent zone at the registry: the operator of the domain extension. For .nl, that operator is SIDN.
This creates a chain: the root of the DNS points to top-level domains such as .nl, .nl points through the DS record to your domain, and your domain signs its own records. The root has been signed since 2010 and acts as the trust anchor. A validating resolver checks the signatures step by step up to that root. If one link does not add up, the answer is rejected.
DNSSEC also signs the answer to a query for a name that does not exist. That is what the NSEC and NSEC3 records are for: they prove in a signed way that a record really is absent, so that an empty answer cannot be forged either.
| Record | Purpose |
|---|---|
| DNSKEY | Holds the public keys of your zone |
| RRSIG | The digital signature attached to each set of records |
| DS | Hash of your key in the parent zone, links you to the registry |
| NSEC / NSEC3 | Proves in a signed way that a record does not exist |
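To make the DNSKEY-to-DS link concrete, here is an added Python example (not code from the article or from LJPc): it rebuilds the DNSKEY RDATA, computes the key tag, and hashes the owner name plus RDATA into the SHA-256 digest that a DS record carries, which is exactly the comparison behind "check that the DS record matches the current key". The owner name, flags and four-byte public key are constructed placeholders (a real algorithm 13 key is 64 bytes).

```python
import base64
import hashlib

# Constructed placeholder, not a real key: flags 257 = KSK, protocol 3,
# algorithm 13 = ECDSA P-256 (the algorithm SIDN uses for .nl).
EXAMPLE_OWNER = "example.nl."
EXAMPLE_DNSKEY = (257, 3, 13, "AQIDBA==")  # public key bytes 01 02 03 04, far too short for a real key

def wire_name(name: str) -> bytes:
    """Encode an owner name in canonical DNS wire format: lower-cased, length-prefixed labels, root byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Rebuild the DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest_hex) for a SHA-256 (digest type 2) DS record.
    The digest covers the wire-format owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(published_ds: str, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """Compare a DS record as the registrar or dig shows it ('TAG ALG DTYPE DIGEST')
    with the value derived from the DNSKEY that is actually live in the zone."""
    tag, alg, dtype, digest = published_ds.split(None, 3)
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64)
    if (int(tag), int(alg), int(dtype)) != expected[:3]:
        return False
    return digest.replace(" ", "").upper() == expected[3]  # dig may print the digest with a space in it

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(EXAMPLE_OWNER, *EXAMPLE_DNSKEY)
    print(f"{EXAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

A mismatch here (different key tag or digest) is the situation the troubleshooting table describes as SERVFAIL after switching on.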
How to activate DNSSEC step by step
Activating DNSSEC always involves two sides. First you switch on signing at the party that manages your DNS, and then you publish the DS record at your registrar so the registry places it in the parent zone. When both are the same party, this is often a single action.
- Make sure your domain uses the nameservers of your DNS provider. At LJPc hosting these are ns1.ljpc.network through ns4.ljpc.network. You can read more in the article about the NS record.
- Enable DNSSEC or zone signing at your DNS provider. It generates the keys, signs the zone and refreshes the signatures automatically.
- Publish the DS record (or the DNSKEY) at your registrar, so the registry adds your domain to the chain of trust.
- Afterwards, check that the chain is valid with a DNSSEC checking tool or a validating resolver.
At LJPc hosting, DNSSEC is available for domains that are registered with LJPc and use the LJPc nameservers. Because LJPc manages both your DNS and your domain registration, the DS record is published in the parent zone automatically, so you never have to copy keys or hashes by hand. The status of signed domains is also monitored continuously. If you would like DNSSEC switched on, or you are not sure whether it is already active, get in touch with support.
Whether DNSSEC is possible depends on the domain extension. Most top-level domains now support it. For .nl, SIDN supports DNSSEC, and more than half of all .nl domains are already signed. SIDN uses modern, efficient keys based on ECDSA (algorithm 13).
Checking DNSSEC and common mistakes
Checking your setup afterwards is important, because a DNSSEC error does not always show up straight away. Use an online DNSSEC checking tool, or run the command dig +dnssec yourdomain.nl and look for RRSIG lines and the AD flag (Authenticated Data). That flag means the resolver validated the answer successfully. Only a validating resolver sets the AD flag: if you send the query straight to your own nameserver, you will see the RRSIG lines but no AD flag, and that is expected.
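As an added example (not from the article or from LJPc), a small Python helper that reads saved dig +dnssec output and reports what the check above looks for: validated (AD flag set), signed but not validated, unsigned, a signature outside its validity window, or SERVFAIL. The embedded dig output is a constructed sample with made-up names, addresses, timestamps and signature.

```python
import re

# Constructed sample of `dig +dnssec example.nl A` answered by a validating resolver.
# Nothing in it is real: names, address, timestamps, key tag and signature are made up.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.nl.\t3600\tIN\tA\t192.0.2.10
example.nl.\t3600\tIN\tRRSIG\tA 13 2 3600 20260801000000 20260701000000 2068 example.nl. AQIDBA==
"""

# RRSIG presentation format: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature.
RRSIG_LINE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)", re.M)

def parse_rrsigs(dig_output):
    """Pull the fields worth checking out of each RRSIG line. Timestamps stay as the
    fixed-width YYYYMMDDHHMMSS strings dig prints, which compare correctly as strings."""
    out = []
    for m in RRSIG_LINE.finditer(dig_output):
        out.append({
            "owner": m.group(1), "type": m.group(2), "algorithm": int(m.group(3)),
            "expiration": m.group(4), "inception": m.group(5),
            "key_tag": int(m.group(6)), "signer": m.group(7),
        })
    return out

def dnssec_status(dig_output, now):
    """Classify dig +dnssec output; `now` is a YYYYMMDDHHMMSS string in UTC.
    'servfail': the validating resolver rejected the zone (DS/DNSKEY mismatch or expired signatures).
    'unsigned': no RRSIG at all.  'expired': a signature is outside its validity window.
    'validated': RRSIGs present and AD flag set.  'signed-not-validated': RRSIGs but no AD,
    e.g. no DS record at the registrar yet, or the query went to a non-validating server."""
    m = re.search(r"status: (\w+)", dig_output)
    if m and m.group(1) == "SERVFAIL":
        return "servfail"
    m = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.M)
    flags = set(m.group(1).split()) if m else set()
    sigs = parse_rrsigs(dig_output)
    if not sigs:
        return "unsigned"
    if any(not (s["inception"] <= now <= s["expiration"]) for s in sigs):
        return "expired"
    return "validated" if "ad" in flags else "signed-not-validated"

if __name__ == "__main__":
    print(dnssec_status(SAMPLE_DIG, "20260715000000"))  # validated
```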
Most problems happen because the two sides do not match, or because DNSSEC is switched off in the wrong order.
| Symptom | Cause | Solution |
|---|---|---|
| Site or email unreachable (SERVFAIL) after switching on | The DS record does not match the active key, or the signatures have expired | Check that the DS record matches the current key and have your provider re-sign the zone |
| DNSSEC looks enabled but is not validated | There is no DS record at the registrar yet | Publish the DS record in the parent zone |
| Domain unreachable after moving DNS or registrar | DNSSEC was not switched off cleanly before the move | Remove the DS record first, wait for the TTL, then switch off signing |
Remember that last rule above all: switch DNSSEC off in reverse order before you move your domain or your DNS to another party. The TTL is the time a DNS answer may be cached, so wait for it to pass before you take the next step.
Stuck, or want to be sure that DNSSEC is set up correctly for your domain? Feel free to contact LJPc hosting support.
Frequently asked questions
Does DNSSEC encrypt my DNS traffic?
No. DNSSEC proves that DNS answers are genuine and unchanged, but it does not encrypt the traffic. If you also want to encrypt your DNS lookups, you can use DNS over HTTPS (DoH) or DNS over TLS (DoT). That is separate from DNSSEC and works well alongside it.
What is the difference between a DNSKEY record and a DS record?
The DNSKEY record holds the public key of your own zone. The DS record lives in the parent zone at the registry and is a hash of that key. The DS record links your domain to the chain of trust, so the layer above can trust your key.
Do I still need DNSSEC if I already use HTTPS?
Yes. HTTPS secures the connection to your server once the correct address has been found. DNSSEC secures the lookup itself, that is, the route to that address. They protect different steps and complement each other.
What happens if DNSSEC is set up incorrectly?
Validating resolvers will reject the answers for your domain, and visitors will receive a SERVFAIL error. Your website and email can become unreachable as a result. That is why you should always check the chain after switching it on.
Do I need to switch off DNSSEC before I transfer my domain?
Yes. Remove the DS record at the registrar first, wait for the old value to expire (the TTL), and only then switch off signing. If you do it the other way around, validation errors occur and your domain becomes unreachable.
Does .nl support DNSSEC?
Yes. SIDN, the operator of the .nl domain, supports DNSSEC, and more than half of all .nl domains are now signed. Most other top-level domains support DNSSEC as well.