🌐 WhereIsDNS

DNSSEC

DNSSEC (DNS Security Extensions) is a set of protocol extensions that lets validating resolvers cryptographically verify that a DNS answer was published by the zone's operator and hasn't been altered in transit. It doesn't encrypt DNS; it signs it.

How it works

The zone publishes its public keys as DNSKEY records (most signed zones use two: a key-signing key, or KSK, that signs the DNSKEY set itself, and a zone-signing key, or ZSK, that signs everything else). Every RRset in the zone (all records of one name and type, not each record individually) is accompanied by an RRSIG record: a signature over that set that also carries an inception and an expiration time. A validating resolver fetches the DNSKEY RRset, verifies the RRSIG with the key it names, checks that the current time falls inside the signature's validity window, and rejects the answer with SERVFAIL if any of that fails. Negative answers are covered as well: signed NSEC or NSEC3 records prove that a name or record type does not exist, so an attacker can't forge a "no such domain" reply either.

Chain of trust

Verifying the DNSKEY itself is the next problem. The parent zone publishes a hash of the child's key-signing key as a DS record, next to the NS records of the delegation. Resolvers walk up the tree: the child's DNSKEY is verified against the parent's DS, the parent's DNSKEY against the grandparent's DS, and so on up to the root, whose key isn't fetched from anywhere but configured in the resolver as a trust anchor (and rolled over through the RFC 5011 mechanism). Every link has to hold; a failure at any level makes everything below it unverifiable.

Why deployment is uneven

Enabling DNSSEC at your DNS provider signs the zone, but the chain of trust only reaches it once the DS record is published in the parent zone, which for most domains means entering it at the registrar. Skip that step and nothing breaks, but nothing is protected either: with no DS at the parent, validating resolvers treat the zone as unsigned ("insecure") and accept its answers without validation. The outage case is a DS that is present but wrong: moving to a new DNS provider (new keys) without replacing the DS, or switching DNSSEC off at the provider while the old DS stays at the registrar. Validating resolvers then find no DNSKEY that matches the DS, mark the zone "bogus" and return SERVFAIL, even though the records "exist" on the authoritative servers and non-validating resolvers keep serving them.
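Added example (not WhereIsDNS code): the script below does the arithmetic a parent zone and a validating resolver perform on the delegation described above. It encodes a DNSKEY, computes its key tag and the DS digest (RFC 4034 Appendix B and section 5.1.4, RFC 4509 for the SHA-256 digest type), then classifies a delegation as secure, insecure or bogus for the situations just described. The key bytes are constructed placeholders, not real ECDSA public keys, and example.com, the function names and the scenario labels are the example's own.

```python
"""Chain-of-trust check: does the parent's DS match the child's DNSKEY?

Added example for this page, not WhereIsDNS code. Key material below is
constructed for illustration; the encoding and key-tag/DS arithmetic follow
RFC 4034 (Appendix B, section 5.1.4) and RFC 4509 (SHA-256 DS, digest type 2).
"""
import hashlib
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1)
FLAG_ZONE_KEY = 0x0100
FLAG_SEP = 0x0001            # Secure Entry Point: operators set it on the KSK
PROTOCOL = 3                 # the only valid DNSKEY protocol value
ALG_ECDSAP256SHA256 = 13
DS_DIGEST_SHA1, DS_DIGEST_SHA256 = 1, 2


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, e.g. 'example.com.'."""
    name = name.rstrip(".").lower()
    if not name:                      # the root name is a single zero byte
        return b"\x00"
    wire = b""
    for label in name.split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """RDATA of a DNSKEY record: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = DS_DIGEST_SHA256) -> bytes:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA).

    The owner name is part of the input, so the same key published at a
    different name yields a different DS.
    """
    h = hashlib.sha256 if digest_type == DS_DIGEST_SHA256 else hashlib.sha1
    return h(name_to_wire(owner) + rdata).digest()


def ds_record(owner: str, rdata: bytes, digest_type: int = DS_DIGEST_SHA256) -> tuple:
    """The (key tag, algorithm, digest type, digest) tuple the parent publishes."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def classify_delegation(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """A validating resolver's view of one delegation (RFC 4035 section 5.2).

    'insecure'  no DS at the parent: chain ends here, answers accepted unvalidated
    'secure'    some DS matches a zone key in the child's DNSKEY RRset
    'bogus'     DS records exist but none matches: the resolver returns SERVFAIL
    """
    if not parent_ds:
        return "insecure"
    for rdata in child_dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & FLAG_ZONE_KEY:
            continue
        for tag, alg, dtype, digest in parent_ds:
            if (tag, alg) != (key_tag(rdata), rdata[3]):
                continue
            if ds_digest(owner, rdata, dtype) == digest:
                return "secure"
    return "bogus"


# Constructed key material (not real P-256 points): the KSK the current DNS
# provider serves, and the previous provider's KSK that a stale DS still names.
ZONE = "example.com."
CURRENT_KSK = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, ALG_ECDSAP256SHA256, bytes(range(64)))
OLD_KSK = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, ALG_ECDSAP256SHA256, bytes(range(64, 128)))


def scenarios() -> dict:
    """The delegation states discussed on this page, for the constructed zone."""
    good_ds = ds_record(ZONE, CURRENT_KSK)
    stale_ds = ds_record(ZONE, OLD_KSK)
    return {
        "signed, DS uploaded at registrar": classify_delegation(ZONE, [good_ds], [CURRENT_KSK]),
        "signed, registrar step skipped": classify_delegation(ZONE, [], [CURRENT_KSK]),
        "provider changed, DS not updated": classify_delegation(ZONE, [stale_ds], [CURRENT_KSK]),
        "DNSSEC turned off, DS left behind": classify_delegation(ZONE, [good_ds], []),
    }


if __name__ == "__main__":
    for label, state in scenarios().items():
        print(f"{label:36} -> {state}")
    tag, alg, dtype, digest = ds_record(ZONE, CURRENT_KSK)
    print(f"{ZONE} IN DS {tag} {alg} {dtype} {digest.hex().upper()}")
```

The last line prints the DS in presentation format, which is the value you would paste at the registrar. Comparing it with what `dig DS example.com.` returns from the parent is the check that catches both the skipped registrar step (no DS at all) and the stale DS after a provider move (a DS whose key tag or digest matches nothing in the live DNSKEY set).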

Trade-offs

DNSSEC adds query overhead (larger responses, plus DNSKEY and DS records to fetch and validate), is operationally fragile (a botched key rollover or an expired RRSIG takes a domain offline for every validating resolver at once), and doesn't address the harder problems: it does nothing to hide queries from an eavesdropper, which is what DoH/DoT are for. Adoption is non-universal; in late 2025, around 8% of .com zones were DNSSEC-signed.

Related: DNSKEY lookup · DS lookup.