DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so that a resolver can verify they were published by the zone owner, protecting against DNS cache poisoning and DNS hijacking attacks.
How DNSSEC Works
- The zone's records are signed with the ZSK (Zone Signing Key); the KSK (Key Signing Key) signs the DNSKEY record set that publishes both keys
- A DS record (a hash of the KSK) is published in the parent zone (.com, .ua), linking the zone into the chain of trust
- DNSSEC-aware (validating) resolvers verify the signatures (RRSIG records) on every query
- If a signature is invalid or the chain of trust is broken, the resolver returns SERVFAIL and the answer is rejected
Verify DNSSEC
dig example.com DNSKEY +dnssec
# Or use dnsviz.net for a visual validation map
⚠️ DNSSEC and DNS changes: When changing DNS providers, disable DNSSEC first (so the parent zone no longer publishes a DS record for the old KSK), then change the NS servers, then re-enable DNSSEC with the new provider's keys. In the wrong order the parent's DS still points at the old KSK while the new provider serves a zone signed with different keys (or not signed at all), so every validating resolver returns SERVFAIL and the domain is completely unreachable for their users.
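As an added example (not from the original page, and not a DNS provider's own tooling): computing the DS record a parent zone must publish for a KSK, and checking whether the DS the parent currently holds still matches that key, which is exactly the mismatch behind the outage described above. The zone name and the public key bytes are constructed for illustration; the key is not a real one.

```python
import base64
import hashlib

# Constructed sample KSK DNSKEY (flags 257 = KSK, protocol 3, algorithm 13 =
# ECDSAP256SHA256). The public key bytes are made up and are NOT a real key.
SAMPLE_ZONE = "example.com."
SAMPLE_FLAGS = 257
SAMPLE_ALG = 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 33))).decode()

def dnskey_rdata(flags, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: the number quoted in DS and RRSIG records."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_name_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root = 0."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ds_record(zone, flags, algorithm, pubkey_b64):
    """(key_tag, algorithm, digest_type, digest) of the DS the parent zone must publish.
    Digest type 2 = SHA-256 over owner name || DNSKEY RDATA (RFC 4509)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_name_wire(zone) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def parent_ds_matches(parent_ds, zone, flags, algorithm, pubkey_b64):
    """True if the DS in the parent still refers to this KSK. False means the chain of
    trust is broken and validating resolvers will answer SERVFAIL for the whole zone."""
    tag, alg, dtype, digest = parent_ds
    return (tag, alg, dtype, digest.upper()) == ds_record(zone, flags, algorithm, pubkey_b64)

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(SAMPLE_ZONE, SAMPLE_FLAGS, SAMPLE_ALG, SAMPLE_PUBKEY_B64)
    print(f"{SAMPLE_ZONE} IN DS {tag} {alg} {dtype} {digest}")
```

Before re-enabling DNSSEC at a new provider, compare the DS your parent zone publishes against the output for the new provider's KSK; a mismatch is the SERVFAIL condition.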