Fast Intro

DNSSEC uses digital signatures to verify the authenticity and integrity of DNS records. In essence, it sets up a non-spoofable chain of trust from the root zone down to the authoritative nameserver, and further to modern validating resolvers (e.g., BIND, Unbound, etc.). Of course, there’s more to it.


There are many reasons to turn on DNSSEC; some of them are outright detrimental to businesses (loss of revenue, for instance).

It may surprise you to find a number of household domains do not use DNSSEC.

In general these are some reasons to use DNSSEC:

It goes without saying that DNSSEC is not a panacea :pill:

Turn the secure bits on

To have DNSSEC turned on for a domain, you need three parties working in tandem with each other :revolving_hearts:

  1. The Domain Name Registrar (e.g., Namecheap, Godaddy, tucows etc.) of the domain
  2. The Authoritative Name Server (e.g., BYO BIND/NSD/PDNS, Route53, Vultr, NS1 etc.) of the domain
  3. The “abstracted” Root Name Servers (I say “abstracted” as it will appear almost invisible to us :boom:)

For illustrative purposes, I will use my domain.

My personal domain is registered using Namecheap and the authoritative name server is at Vultr.

So, to set up DNSSEC for my domain, I need to generate a fresh copy of the DS (Delegation Signer) records from Vultr. Of particular use are:

Vultr by default generates three DS records; copy them to Namecheap’s DNSSEC console.
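To make concrete what those DS records actually are (the link in the chain of trust from the intro: the parent zone publishes a hash of the child’s key-signing DNSKEY), here is an added example that derives a DS record from a DNSKEY the way RFC 4034 specifies it. This is my own illustration, not code from this post, Vultr or Namecheap. The DNSKEY text is constructed: four bytes of fake key material, which is nothing like a real ECDSA P-256 key, but the DS derivation only hashes bytes, so it serves to show the mechanics. Field names such as `key_tag` and `digest` mirror what a registrar’s DNSSEC form asks for.

```python
import base64
import hashlib
import struct

# Constructed example DNSKEY in presentation format: flags protocol algorithm key.
# 257 = zone key (256) + SEP/KSK (1); algorithm 13 = ECDSAP256SHA256.
# The key material (bytes 00 01 02 03) is fake and far too short for a real key.
EXAMPLE_DNSKEY_TEXT = "257 3 13 AAECAw=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, ending with a zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str) -> bytes:
    """Turn '<flags> <protocol> <algorithm> <base64 key>' into DNSKEY RDATA."""
    flags, protocol, algorithm, *key_parts = text.split()
    key = base64.b64decode("".join(key_parts))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum even-indexed bytes shifted left 8,
    odd-indexed bytes as-is, fold the carry, keep 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, dnskey_text: str, digest_type: int = 2) -> dict:
    """Build the DS RDATA fields the registrar asks for.
    digest = H(canonical owner name || DNSKEY RDATA); type 1 SHA-1, 2 SHA-256, 4 SHA-384."""
    rdata = parse_dnskey(dnskey_text)
    flags, _protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": digest,
        # The DS should normally point at the KSK (SEP bit set); surface that.
        "is_ksk": bool(flags & 1),
    }


def ds_to_text(owner: str, ds: dict) -> str:
    """Presentation format as it would appear in the parent zone."""
    return f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def ds_matches_dnskey(owner: str, ds: dict, dnskey_text: str) -> bool:
    """What a validating resolver does at the delegation point: recompute the DS
    from the child's DNSKEY and compare. A changed key or owner name fails."""
    return make_ds(owner, dnskey_text, ds["digest_type"]) == ds


if __name__ == "__main__":
    ds = make_ds("example.com.", EXAMPLE_DNSKEY_TEXT)
    print(ds_to_text("example.com.", ds))
```

The three values you paste into the registrar are the key tag, the algorithm number and the digest (plus the digest type); a provider that emits several DS records for one key typically does so once per digest type, and `make_ds(..., digest_type=4)` shows that only the hash changes, not the key tag. `ds_matches_dnskey` is the check worth running against the live zone after the registrar publishes: if the DNSKEY at the authoritative server does not hash to the DS in the parent, validating resolvers will return SERVFAIL for the domain.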

Handy tools

Some handy tools the internets has to offer :100:


Someone on the internet said:

DNSSEC is a tool, not a religion. Please try to understand how the tool works before criticizing it.

And I agree. DNSSEC is a good thing - let’s do more of it; not less.

I leave you with Dr. Casey Deccio’s Hello Summer Break :sound:. Dr. Casey is the original author of DNSViz :beers:

1. Is BGP Safe Yet.