DNSSEC
DNSSEC adds cryptographic signatures to DNS records so resolvers can verify answers are authentic and have not been forged or tampered with.
DNSSEC (Domain Name System Security Extensions) adds a layer of cryptographic signatures to DNS, letting resolvers verify that an answer genuinely came from the authoritative source and was not altered in transit.
How it works
- Each zone signs its records, producing RRSIG signatures.
- Public keys are published as DNSKEY records.
- A chain of trust runs from the root down to your zone via DS records at the parent.
What it does and does not do
- It does protect validating resolvers against cache poisoning and spoofed answers.
- It does not encrypt DNS — record contents remain public.
Why it matters for hosting
Without DNSSEC, an attacker who poisons a resolver could redirect your domain to a malicious IP address even if your SSL/TLS setup is perfect. Enabling DNSSEC requires support from both your DNS provider and your registrar (the registrar publishes the DS record at the parent). Mismatched or stale keys cause hard resolution failures, so key rollovers must be done carefully.
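The DS link in the chain of trust described above, and the stale-key failure just mentioned, as an added example that is not part of the original glossary entry. It builds a DS record from a DNSKEY the way RFC 4034 and RFC 4509 define it (key tag over the RDATA, SHA-256 over owner name plus RDATA) and checks whether the DS at the parent still matches the zone's current key; the zone name and key material are constructed placeholders, not real keys.

```python
import hashlib
import struct


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA per RFC 4034 section 2.1: flags | protocol (always 3) | algorithm | key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) per RFC 4509: SHA-256(owner name wire form || DNSKEY RDATA)."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type, digest): the fields the parent zone publishes in the DS."""
    return key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata)


def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """True if the DS held at the registrar/parent still points at this zone's DNSKEY."""
    return ds == ds_record(owner, rdata)


# Constructed sample: a KSK (flags=257) using algorithm 13 (ECDSAP256SHA256) with
# placeholder key material of the right length (a real P-256 key is 64 bytes of X||Y).
ZONE = "example.com."
CURRENT_KSK = dnskey_rdata(257, 13, bytes(range(1, 65)))
PREVIOUS_KSK = dnskey_rdata(257, 13, bytes(range(65, 1, -1)))  # the key retired in a rollover

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(ZONE, CURRENT_KSK)
    print(f"{ZONE} IN DS {tag} {alg} {dtype} {digest}")
    # A DS left at the registrar for the retired key no longer validates the zone:
    print("stale DS still matches:", ds_matches_dnskey(ds_record(ZONE, PREVIOUS_KSK), ZONE, CURRENT_KSK))
```

Comparing the DS your registrar publishes against the DS computed from your zone's live DNSKEY is the check to run before and after every key rollover; a mismatch is exactly the hard resolution failure described above.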