Plain DNS has no way to prove that an answer is genuine, which is what makes cache-poisoning and DNS spoofing attacks possible. DNSSEC (DNS Security Extensions) fixes this by cryptographically signing your zone. Validating resolvers follow a chain of trust from the root down to your domain and reject any answer that has been tampered with.
Step 1 — Check Whether Your Providers Support DNSSEC
DNSSEC involves two parties: your DNS host (which signs the zone) and your registrar (which publishes the DS record at the TLD). Both must support it. Most managed DNS providers — Cloudflare, Route 53, Google Cloud DNS, DNSimple — offer one-click DNSSEC, which is by far the easiest path.
Step 2 — Enable Signing at Your DNS Host
With one-click DNSSEC, the provider generates the keys and signs the zone for you, then shows you a DS record (or the DNSKEY details) to hand to your registrar. For example, in Cloudflare it's DNS → Settings → Enable DNSSEC, which prints something like:
```
DS Record:
Key Tag: 2371
Algorithm: 13 (ECDSA Curve P-256 with SHA-256)
Digest Type: 2 (SHA-256)
Digest: 2BB183AF5F22588179A53B0A98631FAD1A292118
```
Step 3 — Publish the DS Record at Your Registrar
Log in to the registrar where the domain is registered and find the DNSSEC section (often under domain settings). Enter the DS record values exactly as your DNS host provided them:
| Field | Example |
|---|---|
| Key Tag | 2371 |
| Algorithm | 13 (ECDSA P-256 SHA-256) |
| Digest Type | 2 (SHA-256) |
| Digest | 2BB183AF…292118 |
Manual Signing (self-hosted BIND)
If you run your own authoritative BIND server, enable inline signing:
```
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    key-directory "/etc/bind/keys";
    // BIND 9.16 and later also offer the dnssec-policy statement, which
    // supersedes auto-dnssec/inline-signing in newer releases
    auto-dnssec maintain;
    inline-signing yes;
};
```
```sh
# Generate a Key Signing Key (KSK) and Zone Signing Key (ZSK) into the
# key-directory configured above; the named user must be able to read them
dnssec-keygen -K /etc/bind/keys -a ECDSAP256SHA256 -f KSK -n ZONE example.com
dnssec-keygen -K /etc/bind/keys -a ECDSAP256SHA256 -n ZONE example.com
sudo rndc reload example.com
# Emit the DS record to give to your registrar (-a SHA-256 selects digest type 2)
dnssec-dsfromkey -a SHA-256 /etc/bind/keys/Kexample.com.+013+02371.key
```
Step 4 — Verify the Chain of Trust
Confirm the zone is signed and the DS record is published in the parent:
```sh
# DNSKEY records and their RRSIGs should be present; when queried through a
# validating resolver the header also carries the "ad" (Authenticated Data)
# flag, which +short would hide
dig DNSKEY example.com +dnssec
# DS record at the parent (TLD)
dig DS example.com +short
# A full validation trace from the root
dig example.com +dnssec +trace
```
The easiest check is the ShowDNS DNSSEC Validator, and a full Domain Health Report will flag DNSSEC status alongside the rest of your DNS configuration. Allow up to a day for the parent DS record to propagate.
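The most common DNSSEC failure after Steps 2 to 4 is a DS record at the registrar that does not correspond to the KSK the zone actually serves (a truncated digest, a SHA-1 digest entered as type 2, or a DS left over from a previous key). The following Python script is an added example, not part of the original page: it recomputes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) from `dig DNSKEY … +short` output, the same way `dnssec-dsfromkey` does, and compares the result with the lines from `dig DS … +short`. The DNSKEY and DS lines embedded at the bottom are constructed for illustration; the public key there is a placeholder, not a real key, and the zone name is assumed to be example.com.

```python
"""Offline DS consistency check (added example, not from the original page).

Paste the +short output of `dig DNSKEY <zone> +short` and `dig DS <zone> +short`
into DNSKEY_LINES / DS_LINES and run the script.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum of the RDATA with carry folded in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    h = DIGEST_ALGOS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def parse_dnskey(line: str):
    """'257 3 13 <base64 ...>' -> (flags, protocol, algorithm, base64 without spaces)."""
    parts = line.split()
    return int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:])


def parse_ds(line: str):
    """'2371 13 2 <hex ...>' -> (key tag, algorithm, digest type, hex digest)."""
    parts = line.split()
    return int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:]).upper()


def make_ds(owner: str, dnskey_line: str, digest_type: int = 2) -> str:
    """DS presentation text for one DNSKEY, as dnssec-dsfromkey would print it."""
    flags, proto, alg, pub = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, pub)
    return f"{key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def check_ds(owner: str, dnskey_lines, ds_lines):
    """Return [(ds_line, status)] telling whether each published DS matches a served key."""
    keys = {}
    for line in dnskey_lines:
        flags, proto, alg, pub = parse_dnskey(line)
        rdata = dnskey_rdata(flags, proto, alg, pub)
        keys[(key_tag(rdata), alg)] = (flags, rdata)

    results = []
    for line in ds_lines:
        tag, alg, dtype, digest = parse_ds(line)
        if dtype not in DIGEST_ALGOS:
            results.append((line, f"unsupported digest type {dtype}"))
            continue
        want_len = DIGEST_ALGOS[dtype]().digest_size * 2
        if len(digest) != want_len:
            # Wrong length means a truncated paste or a digest of another type
            results.append((line, f"digest length {len(digest)} != {want_len} for digest type {dtype}"))
            continue
        if (tag, alg) not in keys:
            results.append((line, "no DNSKEY with this key tag/algorithm"))
            continue
        flags, rdata = keys[(tag, alg)]
        if ds_digest(owner, rdata, dtype) != digest:
            results.append((line, "DIGEST MISMATCH"))
        elif not flags & 1:  # bit 15 of the flags field is the SEP flag, set on KSKs
            results.append((line, "match, but key lacks the SEP (KSK) flag"))
        else:
            results.append((line, "match"))
    return results


if __name__ == "__main__":
    # Constructed sample input; the key bytes are a placeholder, not a real key.
    ZONE = "example.com"
    DNSKEY_LINES = ["257 3 13 AAECAw=="]
    good_ds = make_ds(ZONE, DNSKEY_LINES[0])
    DS_LINES = [good_ds, good_ds[:-24]]  # second line simulates a truncated paste
    for ds_line, status in check_ds(ZONE, DNSKEY_LINES, DS_LINES):
        print(f"{status:45s} {ds_line}")
```

Run it before and after a key rollover: every DS line the registrar shows should report `match`, and a stale DS from the previous KSK shows up as `no DNSKEY with this key tag/algorithm`. The length check is deliberate, since a SHA-256 digest is always 64 hex characters and a 40-character value entered as digest type 2 will never validate.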