DNSSEC Disabled

Prevent DNS hijacking with cryptographic signatures


What we check

We verify DNSSEC is properly configured and active

We check that DNSSEC (DNS Security Extensions) is enabled and correctly configured for your domain: your zone is signed, and a DS record that matches your signing key is published in the parent zone. DNSSEC adds cryptographic signatures to DNS records, allowing validating resolvers to verify that DNS responses are authentic and haven't been tampered with by attackers.

Security Impact

Why DNSSEC is critical for domain security

DNS hijacking redirects your traffic

Without DNSSEC, a resolver has no way to tell a forged DNS response from a genuine one, so an attacker who can inject responses can redirect your visitors to malicious sites. Users think they're on your site but are actually on an attacker-controlled server.

Cache poisoning attacks

Attackers can poison DNS caches at ISPs and other resolvers, affecting thousands of users with a single forged response. A validating resolver rejects forged records because their signatures don't verify, so the poisoned data never enters its cache.

Man-in-the-middle attacks

DNS hijacking enables man-in-the-middle attacks where attackers intercept traffic between users and your site, stealing credentials and sensitive data. HTTPS raises the bar, but an attacker who controls where your name resolves can also pass the domain-validation checks that certificate authorities rely on (see the FAQ below).

Invisible to victims

DNS hijacking is invisible to end users. They see your domain name in the browser but are silently redirected to attacker-controlled servers.

Implementation

How to enable DNSSEC

With Httpeace

Httpeace automatically checks if DNSSEC is enabled and properly configured:

  • Add your domain to Httpeace
  • We check for DNSSEC signatures daily
  • Get instant alerts if DNSSEC becomes disabled or misconfigured
  • See DNSSEC setup instructions specific to your DNS provider

Without Httpeace

Manual DNSSEC setup and monitoring requires coordinating between your DNS provider and your registrar, then checking the result from the outside:

# Query a validating resolver; the "ad" (authenticated data) flag in the
# header means the resolver validated the chain of trust for this answer
dig @1.1.1.1 +dnssec yourdomain.com A

# Look for RRSIG records (signatures) alongside the answer
dig @1.1.1.1 +dnssec yourdomain.com A | grep RRSIG

# Query the DS record your registrar published in the parent zone
dig @1.1.1.1 +dnssec yourdomain.com DS

# Walk the delegation from the root and show DS/DNSKEY at each step
dig +trace +dnssec yourdomain.com A

# Validate the chain locally with delv (ships with BIND's dig);
# it prints "; fully validated" on success
delv @1.1.1.1 yourdomain.com A

# Tell a broken chain from an outage: SERVFAIL without +cd but NOERROR
# with +cd (checking disabled) means DNSSEC validation is failing
dig @1.1.1.1 +cd yourdomain.com A

# Use online validators
# Visit: https://dnssec-debugger.verisignlabs.com/yourdomain.com
# Visit: https://dnsviz.net/d/yourdomain.com/dnssec/
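The two-query technique above (one normal query, one with checking disabled) is what a daily monitor should automate, because a plain SERVFAIL does not by itself say whether DNSSEC or the nameservers are at fault. The following script is an added example, not Httpeace's monitoring code: it classifies a domain as secure, bogus, signed-but-not-validated, insecure, or simply down from the status line, header flags and RRSIG records in dig's output. The dig outputs embedded below are constructed in dig's format for example.com, not captured from a real domain, so the script runs offline; run_dig() shows the live queries against 1.1.1.1 (any validating resolver will do).

```python
"""Classify a domain's DNSSEC state the way a daily monitor would: query a
validating resolver once normally and once with the CD (checking disabled)
bit set, then compare the two answers.  Added example, not Httpeace code.
The dig outputs below are constructed in dig's output format, not captured
from a real domain, so the script runs offline; run_dig() issues real queries."""
import re
import subprocess

RESOLVER = "1.1.1.1"  # any validating resolver; 8.8.8.8 or 9.9.9.9 work too


def run_dig(domain: str, checking_disabled: bool = False, resolver: str = RESOLVER) -> str:
    """Issue the live query (needs network and BIND's dig). +dnssec asks for RRSIGs."""
    cmd = ["dig", f"@{resolver}", "+dnssec"] + (["+cd"] if checking_disabled else []) + [domain, "A"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def parse_dig(output: str) -> dict:
    """Pull the three signals that matter out of dig's text: response status, header
    flags (we care about 'ad', authenticated data) and whether RRSIGs came back."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "rrsig": bool(re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", output, re.M)),
    }


def classify(normal_output: str, cd_output: str) -> str:
    """Return one of: secure, bogus, servfail-not-dnssec, signed-not-validated, insecure."""
    n, c = parse_dig(normal_output), parse_dig(cd_output)
    if n["status"] == "NOERROR" and "ad" in n["flags"]:
        return "secure"                # resolver validated the chain of trust end to end
    if n["status"] == "SERVFAIL" and c["status"] == "NOERROR":
        return "bogus"                 # signed but validation fails: the outage DNSSEC mistakes cause
    if n["status"] == "SERVFAIL" and c["status"] == "SERVFAIL":
        return "servfail-not-dnssec"   # fails even with checking disabled: a DNS outage, not DNSSEC
    if c["rrsig"]:
        return "signed-not-validated"  # RRSIGs but no 'ad': DS missing at parent, or resolver not validating
    return "insecure"                  # unsigned zone: the state this Httpeace check flags


def check_live(domain: str) -> str:
    """Convenience wrapper for a real domain (needs network)."""
    return classify(run_dig(domain), run_dig(domain, checking_disabled=True))


# --- constructed sample responses, trimmed to the lines the parser reads ---
SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.\t\t3600\tIN\tA\t192.0.2.1
example.com.\t\t3600\tIN\tRRSIG\tA 13 2 3600 20240131000000 20240101000000 2068 example.com. c29tZS1zaWc=
"""
BOGUS_NORMAL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_CD = SECURE.replace("ra ad;", "ra cd;")  # same data, served only because checking is disabled
UNSIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.\t\t3600\tIN\tA\t192.0.2.1
"""
NO_DS_YET = SECURE.replace("ra ad;", "ra;")  # signed zone, but the resolver could not build a chain

if __name__ == "__main__":
    samples = {"secure": (SECURE, SECURE), "bogus": (BOGUS_NORMAL, BOGUS_CD),
               "unsigned": (UNSIGNED, UNSIGNED), "no DS": (NO_DS_YET, NO_DS_YET)}
    for name, pair in samples.items():
        print(f"{name:9s} -> {classify(*pair)}")
```

The "bogus" outcome is the one worth paging on: it is exactly what a wrong DS record or an expired signature looks like from the outside, and it is indistinguishable from a plain outage unless you also send the +cd query.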

You'll need to:

  • Enable DNSSEC at your DNS provider (Cloudflare, Route 53, Google Cloud DNS)
  • The DNS provider generates the DNSSEC keys and signs your zone
  • Retrieve the DS (Delegation Signer) record from your DNS provider
  • Copy the four DS fields exactly: Key Tag, Algorithm, Digest Type, Digest
  • Log in to your domain registrar (often a different company from your DNS provider)
  • Find the DNSSEC settings (often hidden in advanced sections)
  • Enter the DS record at your registrar exactly as given (a single wrong hex digit produces a DS that matches no key, and validating resolvers will then reject your whole domain)
  • Wait for the registry to publish the DS in the parent zone (minutes to a day or more, depending on the TLD and registrar)
  • Test with dig +dnssec against a validating resolver (look for the ad flag) and with online validators
  • Debug failures: wrong DS values, a DS pointing at a key no longer in the zone, expired signatures, clock skew on signing servers
  • Handle key rollovers: a KSK rollover changes the DS, which must be updated at the registrar unless your registrar automates this via CDS/CDNSKEY records (some providers never roll the KSK, which avoids the problem)
  • Monitor daily to ensure DNSSEC stays enabled and signatures stay fresh
  • Set up alerts if DNSSEC breaks (validating resolvers answer SERVFAIL, so users behind them cannot reach your domain at all)
  • Have a rollback plan: to turn DNSSEC off or move to another DNS provider, remove the DS at the registrar first and wait for its TTL to expire before unsigning the zone; doing it in the other order makes your domain bogus in the meantime
  • Understand that DNSSEC errors can make your entire domain unreachable for users of validating resolvers

DNSSEC configuration is complex and, unless your registrar also hosts your DNS, requires coordination between two different service providers. Mistakes can make your domain completely unreachable. Many companies avoid DNSSEC due to this complexity.
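The most error-prone step in the procedure above is transcribing the DS record from the DNS provider into the registrar's form. The DS is not arbitrary: it is a hash over the DNSKEY record, so it can be recomputed from the public key and compared with what the parent zone actually serves. The script below is an added example, not Httpeace's code or a DNS provider's tool; it implements the RFC 4034 key-tag and DS-digest computation with the standard library only, parses DNSKEY and DS lines in the format dig prints, and reports whether a published DS matches a given key. The DNSKEY for example.com is constructed with placeholder key material (64 bytes, the size of an ECDSA P-256 key, algorithm 13), not taken from a live zone, so it runs offline; replace SAMPLE_DNSKEY and the DS line with output from dig DNSKEY and dig DS to check a real domain.

```python
"""Derive the DS record for a DNSKEY and check it against what the registrar
published.  Added example, not Httpeace code: standard library only, and the
DNSKEY/DS records below are constructed (a placeholder 64-byte P-256 key for
example.com), not captured from a live zone, so the script runs offline.
Replace them with lines copied from `dig DNSKEY` / `dig DS` output."""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / 4509 / 6605): 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(owner: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit sum over the RDATA with the carry folded in.
    (The special case for the obsolete algorithm 1, RSA/MD5, is deliberately not handled.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return (key_tag, algorithm, digest_type, DIGEST), the four fields a registrar form asks for.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGOS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY line as dig prints it:
    'example.com. 3600 IN DNSKEY 257 3 13 <base64 ...>' (base64 may contain spaces)."""
    parts = line.split()
    i = parts.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in parts[i + 1:i + 4])
    pubkey = base64.b64decode("".join(parts[i + 4:]))
    return parts[0], flags, protocol, algorithm, pubkey


def parse_ds(line: str):
    """Parse 'example.com. 86400 IN DS 2068 13 2 <hex digest ...>' (digest may be split by spaces)."""
    parts = line.split()
    i = parts.index("DS")
    tag, algorithm, digest_type = (int(x) for x in parts[i + 1:i + 4])
    return (tag, algorithm, digest_type, "".join(parts[i + 4:]).upper())


def ds_matches(ds, dnskey_line: str) -> bool:
    """True if the DS published at the parent is the DS of this DNSKEY (same tag, alg, type, digest)."""
    if ds[2] not in DIGEST_ALGOS:
        raise ValueError(f"unsupported DS digest type {ds[2]}")
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_line)
    return ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, ds[2]) == ds


# --- constructed sample data (placeholder key material, not a real zone) ---
SAMPLE_PUBKEY = bytes(range(1, 65))  # 64 bytes = size of an ECDSA P-256 (algorithm 13) public key
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(SAMPLE_PUBKEY).decode()
_tag, _alg, _dt, _digest = ds_from_dnskey("example.com.", 257, 3, 13, SAMPLE_PUBKEY)
SAMPLE_DS_GOOD = f"example.com. 86400 IN DS {_tag} {_alg} {_dt} {_digest}"
# The same DS with one hex digit mistyped, which a registrar form accepts without complaint
SAMPLE_DS_TYPO = SAMPLE_DS_GOOD[:-64] + ("B" if _digest[0] == "A" else "A") + _digest[1:]


if __name__ == "__main__":
    print("DS to enter at the registrar:", SAMPLE_DS_GOOD)
    for label, ds_line in (("correct", SAMPLE_DS_GOOD), ("typo", SAMPLE_DS_TYPO)):
        ok = ds_matches(parse_ds(ds_line), SAMPLE_DNSKEY)
        print(f"{label:8s} DS {'matches' if ok else 'does NOT match'} the DNSKEY")
```

Run it against a real domain by pasting the DNSKEY line with flags 257 (the key-signing key) from dig @1.1.1.1 +dnssec yourdomain.com DNSKEY and the DS line from dig @1.1.1.1 yourdomain.com DS; a False result is the mismatch that turns your domain bogus, and it is cheaper to catch it here than after the registry has published it.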

FAQ

Frequently asked questions

What is DNSSEC?

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, anchored in a chain of trust that runs from the root zone through your TLD to your domain. When a validating resolver queries your domain, it verifies those signatures and rejects any response that is forged or has been tampered with. This prevents DNS hijacking and cache poisoning for users behind validating resolvers.

Will DNSSEC break my site?

DNSSEC should not break your site if configured correctly. However, a mismatch between the DS record at your registrar and the keys in your zone, or an expired signature, makes validating resolvers return SERVFAIL for your whole domain. Reduce the risk by signing the zone first and confirming that the DNSKEY and RRSIG records are served correctly (dig +dnssec, DNSViz) before publishing the DS record at your registrar, by trying the full procedure on a non-production domain first, and by knowing how to remove the DS record quickly if resolution fails.

Why do I need both DNS provider and registrar configuration?

Your DNS provider signs your DNS records and derives a DS record (a hash of your key-signing key) from them. Your registrar publishes that DS record in the parent zone, your TLD. A validating resolver walks the chain from the root down: the root vouches for the TLD's keys, the TLD's DS record vouches for your key, and your key vouches for your records. If either step is missing, the chain of trust never reaches your domain, and if the DS doesn't match the key, resolvers treat your domain as bogus.

How often does Httpeace check DNSSEC status?

We check DNSSEC status daily by querying your domain's DNS records for DNSSEC signatures. We alert you if DNSSEC becomes disabled, misconfigured, or if signatures expire.

Do I need DNSSEC if I use HTTPS?

Yes! HTTPS protects data in transit, but the DNS lookup happens before the HTTPS connection is established. Without DNSSEC, attackers who hijack DNS can send users to a server they control, and because certificate authorities prove domain control through DNS and HTTP lookups that the same hijack can answer, they may be able to obtain a valid certificate for your domain as well. DNSSEC and HTTPS protect different parts of the connection.

Peace of mind for your domains.

Start monitoring today and prevent outages, hacks, and costly mistakes.