This is my first real post on this site, and, despite what I wrote in my introduction, a technical one. It is also an article I wrote almost a year ago, originally on LinkedIn.
the problem
We live in a world that is ever more dependent on the Internet. Yet, even today, most name lookups still hand you a site's address without any protection against DNS spoofing.
DNS spoofing enables bad actors to hijack your traffic, lead your customers to malicious sites, and steal their data.
Could you imagine if you asked Bob for his address, but then his evil twin, who looks just like him, gave you the address of somewhere you most definitely shouldn't go? That wouldn't be great, would it? But surely there are ways to protect ourselves against this.
the solution
Well, I'm not sure what you can do about Bob and his evil twin, but we have made a conscious effort to secure the Internet as much as possible. The Domain Name System (DNS) is inherently one of the most important resources we rely on when using the World Wide Web. The most effective way to safeguard DNS queries is by implementing DNSSEC, a technology that signs the DNS records sent out to clients, so that resolvers can verify their integrity.
is it worth the hassle?
DNS has long been a source of frustration for system administrators worldwide. Obviously, complicating it even more may sound insane. Every new service built on top of DNS creates another potential point of failure, as most of us have probably experienced.
The fact is, DNS is still the best solution we have for name resolution (let me know if there’s any other technology I’m missing), so all we can possibly do is ensure we make the best of it. That’s where technologies like DNSSEC come in.
Deploying DNSSEC at a large scale is no easy feat—the larger and more numerous your zones, the more complicated it becomes. But we must ask ourselves if the security of our visitors/customers is worth the effort. In most cases, it absolutely is.
how DNSSEC works
(This is the part you can skip if you don’t want to read technical details.)
DNSSEC enables us to verify whether a DNS response truly came from the intended server by setting up a chain of trust. Each parent domain must support DNSSEC for child domains to adopt the technology. Thankfully, the root zone and most large providers and TLDs already do.
the keys and signatures
DNSSEC revolves around two keys:
- zone-signing key (ZSK):
  - Signs every DNS record in your zone, adding the signatures as special RRSIG records.
  - The private part is used for signing, while the public part is published as a DNSKEY record, allowing resolvers to verify the signatures.
  - If a ZSK is compromised, it has to be replaced, and that is where the KSK becomes critical.
- key-signing key (KSK):
  - Signs the ZSK and itself, creating additional RRSIGs.
  - The public part is also published as a DNSKEY record for verification by resolvers.
establishing the chain of trust
The KSK is self-signed, which on its own does not establish trust. To solve this, a Delegation Signer (DS) record that identifies the KSK is uploaded to the parent zone, which vouches for it. The same verification step repeats up the chain to the root zone, establishing a secure chain of trust.
In our Bob analogy, this is like verifying Bob’s identity through his mother, and then her mother, and so forth, until you reach a root of absolute trust. In DNS, that root zone’s verification keys come pre-installed in your browser.
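As an added worked example (not code from the original post), the following Python script shows the arithmetic behind the two sections above: how a DNSKEY record gets its key tag, how the DS record that the child uploads to its parent is derived from the KSK, and the check a validating resolver performs to decide whether the parent vouches for the child's key. It uses only the standard library; the example.com key bytes are constructed placeholders, not real DNSSEC keys, and the RRSIG signature verification itself is left out because it needs a cryptography library.

```python
"""Added example, not code from the original post: the RFC 4034 arithmetic that ties a
parent zone's DS record to the child zone's KSK, using only the standard library.
All key bytes below are constructed placeholders, not real DNSSEC keys."""
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional

DS_DIGEST_SHA256 = 2  # DS digest type 2 = SHA-256


@dataclass(frozen=True)
class DNSKEY:
    owner: str        # owner name, e.g. "example.com."
    flags: int        # 257 = KSK (Secure Entry Point bit set), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """Key tag (RFC 4034 Appendix B): 16-bit sum over the RDATA with the carry folded in.
        This is the number that appears first in DS and RRSIG records."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b << 8 if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dnskey(line: str) -> DNSKEY:
    """Parse a zone-file style line: 'owner [ttl] [IN] DNSKEY flags proto alg base64...'."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    key = base64.b64decode("".join(tokens[idx + 4:]))
    return DNSKEY(tokens[0], flags, proto, alg, key)


def owner_wire(name: str) -> bytes:
    """Canonical wire form of a name: lowercase, length-prefixed labels, root label 0."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_digest(key: DNSKEY) -> str:
    """DS digest (RFC 4034 section 5.1.4) = SHA-256(canonical owner name || DNSKEY RDATA), hex."""
    return hashlib.sha256(owner_wire(key.owner) + key.rdata()).hexdigest()


def make_ds(key: DNSKEY) -> str:
    """The DS record (presentation form) the child hands to its parent zone."""
    return f"{key.key_tag()} {key.algorithm} {DS_DIGEST_SHA256} {ds_digest(key)}"


def find_trusted_key(parent_ds: list, child_dnskeys: list) -> Optional[DNSKEY]:
    """Resolver-side step of the chain of trust: return the child DNSKEY that a DS
    published in the parent vouches for, or None if no key matches (chain broken)."""
    published = set()
    for ds in parent_ds:
        tag, alg, dtype, digest = ds.split()
        if int(dtype) == DS_DIGEST_SHA256:
            published.add((int(tag), int(alg), digest.lower()))
    for key in child_dnskeys:
        if (key.key_tag(), key.algorithm, ds_digest(key)) in published:
            return key
    return None


# Constructed sample zone (NOT real keys): 64 arbitrary bytes stand in for an
# algorithm-13 public key. Flags 257 mark the KSK, 256 the ZSK.
FAKE_KSK_B64 = base64.b64encode(bytes(range(64))).decode()
FAKE_ZSK_B64 = base64.b64encode(bytes(range(64, 128))).decode()
CHILD_DNSKEYS = [
    parse_dnskey(f"example.com. 3600 IN DNSKEY 257 3 13 {FAKE_KSK_B64}"),
    parse_dnskey(f"example.com. 3600 IN DNSKEY 256 3 13 {FAKE_ZSK_B64}"),
]
# What the parent zone publishes for this child: a DS derived from the KSK only.
PARENT_DS = [make_ds(CHILD_DNSKEYS[0])]

if __name__ == "__main__":
    print("DS record for the parent:", PARENT_DS[0])
    trusted = find_trusted_key(PARENT_DS, CHILD_DNSKEYS)
    print("parent vouches for key tag:", trusted.key_tag() if trusted else None)
    # A substituted KSK (Bob's evil twin) yields a different digest, so the chain of
    # trust does not extend to it and a validating resolver rejects the zone.
    rogue = DNSKEY("example.com.", 257, 3, 13, bytes(64))
    print("substituted key accepted?", find_trusted_key(PARENT_DS, [rogue]) is not None)
```

Running it prints the DS line you would paste into the parent zone and confirms that only the KSK it was derived from is accepted; the ZSK, which the parent never sees, is validated one step later through the RRSIG that the KSK puts over the DNSKEY set.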
so, do you really need DNSSEC?
as a domain owner
It depends on your use case. If your registrar lets you enable DNSSEC with just a click—please do. The worst-case scenario: resolvers that do not validate simply ignore the DNSSEC signatures.
as a registrar
If you're a domain registrar considering DNSSEC implementation, I strongly recommend doing so. It can be complex—managing keys, tracking expirations, re-signing zones, and checking TLD compatibility—but the benefits outweigh the challenges.
Ultimately, as service providers, we must prioritize customer security. By adopting DNSSEC, you help create a safer, more trustworthy digital environment—not only protecting your interests but also contributing to overall internet security.
Thanks so much for stopping by and reading! I hope you found this helpful and maybe even a little inspiring. If you have any questions or just want to chat about DNSSEC (or anything tech), feel free to reach out. Wishing you smooth and secure browsing!
Originally published on LinkedIn.
Last modified on 2025-04-21