DNSSEC (DNS Security Extensions)
DNSSEC adds cryptographic signatures to DNS responses, ensuring they haven't been tampered with and come from the authoritative source.
How DNSSEC Works
The Problem
Standard DNS has no authentication:
- Responses can be forged
- Cache poisoning attacks possible
- Man-in-the-middle DNS attacks
- No way to verify response authenticity
The Solution
DNSSEC adds digital signatures to DNS:
- Zone signing: DNS records are signed with private keys
- Public keys in DNS: the zone's public keys are published as DNSKEY records
- Chain of trust: Signatures verified up to root
- Validation: Resolvers verify signatures
```
Root Zone (.)
│ Signed with root key
▼
TLD Zone (.com)
│ Signed with .com key
│ DS record in root (parent) zone
▼
Your Zone (example.com)
│ Signed with your key
│ DS record in parent zone
▼
DNS Records
Signed with zone key
```
DNSSEC Record Types
DNSKEY
Contains the public keys for the zone:
```
; owner        type   flags protocol algorithm public-key
example.com.   DNSKEY 256   3        13        (key data...)
example.com.   DNSKEY 257   3        13        (key data...)
```
Key types:
- 256 (ZSK): Zone Signing Key - signs records
- 257 (KSK): Key Signing Key - signs DNSKEY records
DS (Delegation Signer)
Links child zone to parent zone:
```
; owner        type key-tag algorithm digest-type digest
example.com.   DS   12345   13        2           (hash of child's KSK)
```
Located in the parent zone (e.g., .com for example.com)
RRSIG
Signature over a set of records:
```
; owner        type  type-covered algorithm labels original-TTL ...
example.com.   RRSIG A            13        2      300          (signature data...)
```
Every record type has corresponding RRSIG records.
NSEC/NSEC3
Proves non-existence of records:
```
example.com. NSEC mail.example.com. A MX TXT RRSIG NSEC
```
Chain of Trust
DNSSEC validation follows the chain:
```
1. Root Zone
   └── Root DNSKEY (trust anchor)
       └── Signs .com DS record
2. .com Zone
   └── .com DNSKEY (verified by root)
       └── Signs example.com DS record
3. example.com Zone
   └── example.com DNSKEY (verified by .com)
       └── Signs all records in zone
4. DNS Records
   └── A, MX, TXT, etc. (verified by zone key)
```
If any link breaks, validation fails.
Why DNSSEC Matters for Email
Protects Email Authentication
DNSSEC secures the DNS records that email security depends on:
- SPF records
- DKIM public keys
- DMARC policies
- MX records
Prevents DNS Attacks
Without DNSSEC, attackers could:
- Forge SPF to authorize malicious senders
- Replace DKIM keys
- Modify DMARC policies
- Redirect MX to malicious servers
Enables DANE
DANE (DNS-based Authentication of Named Entities) requires DNSSEC:
- Pins TLS certificates in DNS
- Provides additional transport security
- Only works with DNSSEC validation
Enabling DNSSEC
Step 1: Check Registrar Support
Your domain registrar must support DNSSEC. Most major registrars do:
- GoDaddy
- Namecheap
- Cloudflare
- Google Domains
- AWS Route 53
Step 2: Enable at DNS Provider
If using a DNS provider (not registrar DNS):
- Enable DNSSEC in DNS provider settings
- Get DS record from DNS provider
- Add DS record at registrar
Step 3: If Using Registrar DNS
Many registrars handle this automatically:
- Find DNSSEC settings in registrar dashboard
- Enable DNSSEC with one click
- Registrar handles key generation and DS record
Step 4: Verify
After enabling:
- Wait for propagation (up to 48 hours)
- Test with DNSSEC analyzers
- Verify chain of trust
Verification
Check DNSSEC Status
Using dig:
```
dig +dnssec example.com
# Look for the 'ad' flag (Authenticated Data) in the header flags.
# The flag is set by the validating resolver you query, not by the
# authoritative server, so query a resolver that performs DNSSEC validation.
```
Online tools:
- DNSViz (dnsviz.net)
- Verisign DNSSEC Debugger
- MXToolbox DNSSEC Check
- MailShield DNSSEC validation
Chain Validation
A valid chain shows:
```
. (root) → .com → example.com
   ✓         ✓         ✓
```
Common Issues
Broken Chain
Symptoms:
- DNSSEC validation fails
- SERVFAIL responses
Causes:
- Missing DS record at registrar
- Expired signatures
- Key mismatch between provider and registrar
Solution:
- Verify DS record matches current DNSKEY
- Re-sync DS record with registrar
- Check with DNS provider
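The broken-chain check above ("Verify DS record matches current DNSKEY"), the DS record section, and the chain-of-trust walk all come down to one computation: the parent's DS must equal a digest of the child's DNSKEY. The following added example, which is not MailShield's code or part of the original page, implements the RFC 4034 key tag and DS digest with the Python standard library, checks a DS against a DNSKEY set, and walks a two-link chain (.com then example.com) to find the first broken link. All key bytes are constructed stand-ins, and the stale-DS scenario is a constructed rollover mistake.

```python
import hashlib
import struct

# Digest-type codes from the DS RDATA (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest per RFC 4034 section 5.1.4: H(canonical owner name | DNSKEY RDATA)."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Build the (key tag, algorithm, digest type, digest) tuple the parent zone publishes."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskeys(owner, ds, dnskeys) -> bool:
    """True if the DS matches any key in the child's DNSKEY set.

    dnskeys is a list of (flags, protocol, algorithm, public_key) tuples.
    """
    tag, alg, dtype, digest = ds
    for flags, protocol, algorithm, public_key in dnskeys:
        if algorithm != alg:
            continue
        rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
        if key_tag(rdata) == tag and ds_digest(owner, rdata, dtype) == digest.upper():
            return True
    return False


def check_chain(links):
    """Walk the delegation chain top-down. links: [(zone, ds_from_parent, dnskey_set), ...].

    Returns (ok, report). The root has no DS; its DNSKEY is the configured trust anchor,
    so the walk starts at the first delegation below it.
    """
    report = []
    for zone, ds, dnskeys in links:
        if ds_matches_dnskeys(zone, ds, dnskeys):
            report.append(f"{zone}: DS {ds[0]} matches a DNSKEY")
        else:
            report.append(f"{zone}: DS {ds[0]} matches no DNSKEY (broken link)")
            return False, report
    return True, report


# Constructed key material; real public keys are blobs of 64+ bytes.
COM_KSK = (257, 3, 13, b"\x10\x11\x12\x13")
EXAMPLE_KSK = (257, 3, 13, b"\x01\x02\x03\x04")
EXAMPLE_ZSK = (256, 3, 13, b"\x20\x21\x22\x23")
EXAMPLE_OLD_KSK = (257, 3, 13, b"\xaa\xbb\xcc\xdd")   # retired after a rollover


def demo():
    com_ds = make_ds("com.", *COM_KSK)
    example_ds = make_ds("example.com.", *EXAMPLE_KSK)
    good = [("com.", com_ds, [COM_KSK]),
            ("example.com.", example_ds, [EXAMPLE_KSK, EXAMPLE_ZSK])]
    # The DS at the registrar still describes the old KSK: the classic rollover mistake.
    stale_ds = make_ds("example.com.", *EXAMPLE_OLD_KSK)
    broken = [("com.", com_ds, [COM_KSK]),
              ("example.com.", stale_ds, [EXAMPLE_KSK, EXAMPLE_ZSK])]
    return check_chain(good), check_chain(broken)


if __name__ == "__main__":
    for ok, report in demo():
        print("OK" if ok else "BROKEN", report)
```

To apply this to a live zone, feed `ds_matches_dnskeys` the DS tuple from `dig DS example.com` (queried at the parent) and the DNSKEY set from `dig DNSKEY example.com`; a mismatch on key tag or digest is exactly the "DS record doesn't match DNSKEY" symptom listed under key rollover.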
Expired Signatures
Symptoms:
- Validation fails after working
- RRSIG expiration date passed
Causes:
- DNS provider not re-signing
- Zone not being updated
Solution:
- Contact DNS provider
- Verify zone signing is active
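The expired-signature case above, and the RRSIG record type described earlier, both hinge on the inception and expiration timestamps carried in every RRSIG. The following added example (not MailShield's code or part of the original page) parses RRSIG records in the presentation format that `dig +dnssec` prints and classifies each one against a supplied clock, so an operator can spot signatures that a DNS provider has stopped refreshing before resolvers start returning SERVFAIL. The two record lines, the key tag 2068 and the base64 signature bodies are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def _rrsig_time(field: str) -> datetime:
    """RRSIG presentation format carries YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def utc(year: int, month: int, day: int) -> datetime:
    """Helper to build an aware UTC timestamp for 'observed at' values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG line as printed by dig or found in a signed zone file.

    Layout: owner [ttl] [class] RRSIG type_covered alg labels orig_ttl
            expiration inception key_tag signer signature...
    """
    parts = line.split()
    if "RRSIG" not in parts:
        raise ValueError("not an RRSIG record")
    fields = parts[parts.index("RRSIG") + 1:]
    if len(fields) < 9:
        raise ValueError("truncated RRSIG record")
    return {
        "owner": parts[0],
        "type_covered": fields[0],
        "algorithm": int(fields[1]),
        "labels": int(fields[2]),
        "original_ttl": int(fields[3]),
        "expiration": _rrsig_time(fields[4]),
        "inception": _rrsig_time(fields[5]),
        "key_tag": int(fields[6]),
        "signer": fields[7],
        "signature": "".join(fields[8:]),   # base64 may be wrapped over several tokens
    }


def check_rrsig(line: str, now: Optional[datetime] = None, warn_days: int = 3):
    """Classify a signature's validity window as seen at `now` (defaults to the real clock)."""
    sig = parse_rrsig(line)
    now = now or datetime.now(timezone.utc)
    if now < sig["inception"]:
        status = "not-yet-valid"    # clock skew, or the signature was published too early
    elif now > sig["expiration"]:
        status = "expired"          # the signer stopped re-signing the zone
    elif sig["expiration"] - now <= timedelta(days=warn_days):
        status = "expiring-soon"    # re-signing should already have replaced this RRSIG
    else:
        status = "valid"
    return status, sig


# Constructed sample lines shaped like dig +dnssec output; signature bodies are placeholders.
SAMPLE_RRSIGS = [
    "example.com. 300 IN RRSIG A 13 2 300 20240115000000 20240101000000 2068 example.com. c2lnMQ==",
    "example.com. 300 IN RRSIG MX 13 2 300 20240105000000 20231222000000 2068 example.com. c2lnMg==",
]


def audit(lines, now: datetime) -> dict:
    """Return {type_covered: status} for a set of RRSIGs observed at `now`."""
    return {parse_rrsig(line)["type_covered"]: check_rrsig(line, now)[0] for line in lines}


if __name__ == "__main__":
    seen_at = utc(2024, 1, 10)
    for rrtype, status in audit(SAMPLE_RRSIGS, seen_at).items():
        print(f"{rrtype:4} {status}")
```

The clock passed as `now` is trusted as-is; a host whose own time is wrong will misclassify every signature, which is why validating resolvers with skewed clocks also fail. Pipe the RRSIG lines from `dig +dnssec <name> <type>` into `audit` with `datetime.now(timezone.utc)` to monitor a production zone.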
Key Rollover Issues
Symptoms:
- Validation fails during key change
- DS record doesn't match DNSKEY
Causes:
- DS record not updated after key rollover
- Timing issues during rollover
Solution:
- Follow proper key rollover procedures
- Update DS record before removing old key
DNSSEC and Email Providers
Cloudflare
- One-click DNSSEC enable
- Automatic key management
- DS record provided for registrar
AWS Route 53
- Enable DNSSEC signing
- Key management via KMS
- DS record for registrar
Google Cloud DNS
- DNSSEC available
- Managed signing
- DS record export
DANE Integration
With DNSSEC enabled, you can use DANE:
TLSA Records
```
; owner                      type usage selector matching-type association-data
_25._tcp.mail.example.com.   TLSA 3     1        1             (certificate hash)
```
Benefits:
- Pin TLS certificates in DNS
- Additional transport security
- Prevents certificate misissuance attacks
DANE and MX
DANE can secure:
- Connections to your MX servers
- Certificate validation via DNS
This requires DNSSEC on the zones that host the MX hostnames, not just on the mail domain.
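The TLSA record above ("3 1 1") encodes three choices: certificate usage, which part of the certificate is selected, and how the selected data is matched. The following added example (not MailShield's code or part of the original page) builds the `_25._tcp.<host>` owner name, renders the TLSA RDATA a zone should publish for a given certificate, and checks a presented certificate against a record, including the renewal case where the server key rotated but the TLSA record did not. The DER certificate and SubjectPublicKeyInfo bytes are constructed stand-ins; in practice they are extracted from the MX server's TLS certificate with a library such as `cryptography` (assumed, not shown).

```python
import hashlib
import hmac

# Certificate usage values (RFC 6698 / RFC 7671); usages 2 and 3 skip PKIX chain building.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "exact", 1: "SHA-256", 2: "SHA-512"}


def tlsa_owner(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name for a TLSA record: _port._proto.host."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(matching_type: int, selected: bytes) -> bytes:
    """Apply the matching type to the selected certificate data."""
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(usage: int, selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> str:
    """Render the TLSA RDATA the zone should publish for this certificate."""
    selected = cert_der if selector == 0 else spki_der
    return f"{usage} {selector} {matching_type} {association_data(matching_type, selected).hex()}"


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Check a presented certificate against one TLSA RDATA string."""
    usage, selector, mtype, assoc = rdata.split(None, 3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        return False   # unusable record: RFC 7671 says skip it, never treat it as a match
    selected = cert_der if selector == 0 else spki_der
    expected = association_data(mtype, selected)
    return hmac.compare_digest(expected, bytes.fromhex(assoc.replace(" ", "")))


def requires_pkix(usage: int) -> bool:
    """PKIX-TA/PKIX-EE still need a normal CA chain; DANE-TA/DANE-EE do not."""
    return usage in (0, 1)


# Constructed stand-ins for DER-encoded certificate and SubjectPublicKeyInfo bytes.
CERT_DER = b"\x30\x82\x01\x00" + b"C" * 60
SPKI_DER = b"\x30\x59\x30\x13" + b"K" * 40
ROTATED_SPKI = b"\x30\x59\x30\x13" + b"N" * 40   # key after a certificate renewal


def demo():
    name = tlsa_owner("mail.example.com")
    rdata = make_tlsa(3, 1, 1, CERT_DER, SPKI_DER)   # the "3 1 1" form shown above
    still_valid = tlsa_matches(rdata, CERT_DER, SPKI_DER)
    after_rotation = tlsa_matches(rdata, CERT_DER, ROTATED_SPKI)
    return name, rdata, still_valid, after_rotation


if __name__ == "__main__":
    name, rdata, ok_now, ok_after = demo()
    print(name, "TLSA", rdata)
    print("current key matches:", ok_now, "| rotated key matches:", ok_after)
```

The rotation case is why DANE-EE records are usually published for the new key before the certificate is swapped, mirroring the DS-before-key-removal rule for DNSSEC rollovers. `hmac.compare_digest` is used for the final comparison so that a mismatch is not timing-dependent, which matters less here than in a MAC check but costs nothing.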
Best Practices
Do
✅ Enable DNSSEC at both registrar and DNS provider
✅ Verify chain of trust after enabling
✅ Monitor for signature expiration
✅ Test after any DNS changes
✅ Keep DS record in sync
Don't
❌ Enable without understanding key management
❌ Ignore validation failures
❌ Forget to update DS after key rollover
❌ Disable without removing DS record first
MailShield DNSSEC Features
MailShield checks:
- DNSSEC Enabled - Is the domain signed?
- Chain Validation - Is the chain intact?
- Signature Status - Are signatures valid?
- Key Information - Algorithm and key details
Security Score Impact
DNSSEC contributes to your MailShield security score:
| Status | Points |
|---|---|
| DNSSEC enabled and valid | 10 |
| DNSSEC not enabled | 0 |
| DNSSEC broken | 0 (with warning) |
Troubleshooting Commands
Check DNSSEC with dig
```
# Check if DNSSEC is enabled: RRSIG records in the answer mean the zone is signed;
# the 'ad' flag appears only when the resolver you query validates the response
dig +dnssec example.com
# Check DS record (served by the parent zone)
dig DS example.com
# Check DNSKEY (the zone's public keys, flags 257 = KSK, 256 = ZSK)
dig DNSKEY example.com
# Full validation chase from a trust anchor file.
# Note: recent BIND releases removed +sigchase from dig; delv performs the same
# validating lookup in those versions
dig +sigchase +trusted-key=/etc/trusted-key.key example.com
```
Online Tools
- DNSViz: Visual DNSSEC chain analysis
- Verisign Debugger: Step-by-step validation
- DNSSEC-Tools: Command-line validation suite