What is DNSSEC?

Generic selectors
Exact matches only
Search in title
Search in content
Filter by Categories
Account Management Help
add photos, video and audio
Add-on features and social media
Advanced campaign settings
All about analytics
All about images
Basic steps
Configure the Web Application Firewall (WAF)
Connect my Calendar and Online Storage to Workspace
contact support
copy files to my site
Create my email address
Customize campaign
Discover domains
discover linux hosting with cPanel
Discover Microsoft 365
Discover Online Storage
Discover Workspace Email
edit content
Email Marketing demo
expand your site with sections and pages
Explore email add-ons
Explore my account
Find server and port settings (IMAP/POP)
fine tune my website
get social
Get started with SSL certificates
Get the most out of Microsoft 365
help my site get found and monitor my metrics
Hosting & Servers
keep my account secure
Keep my email secure
know your privacy rights
Manage your SSL certificate
Managed WordPress
Manual email configuration
Migrate and export my emails
My email account isn’t working (troubleshooting)
nameservers and DNS
online store
parking, forwarding and monetizing
privacy and protection
publish my site
Quick Shopping Cart
Renew my products and services
Set up a campaign
Set up email on my devices
set up my payment methods
Set up my Workspace Email account
start with the basics
Stay productive anywhere with Office apps
Streamline email tasks to help my business
transfer between accounts
transfer between registrars
Troubleshoot email and email setup
Upgrade and renewal options for email
Web & Classic Hosting
Website backups
Website Builder 7
Website Builder version 6
Website Security and Backups
work with databases
work with delegates
working with blogs

Domain Name System Security Extensions (DNSSEC) add digital signatures to a domain name’s DNS (Domain Name System) to determine the authenticity of the source domain name. It’s designed to protect Internet users from forged DNS data, such as a misleading or malicious address instead of the legitimate address that was requested.

When DNSSEC is enabled, DNS lookups use a digital signature to verify that the source of your site’s DNS is valid. This helps prevent certain types of attacks; if the digital signature does not match, browsers will not display the site.

Why does my website no longer resolve after I enabled DNSSEC?

The digital signature you store in a DS (Delegation of Signing) record must match the digital signature that your domain’s nameservers produce. If it doesn’t, the domain can’t resolve to your website. Carefully review the DS record information you entered against the zone record stored on the nameserver and make sure they match.

How do I enable DNSSEC and sign my zone?

When you upgrade to Premium DNS and enable DNSSEC in your account with us, we’ll take care of the zone signing process on your behalf.

You can set up self-managed DNSSEC through your DNS provider. To enable self-managed DNSSEC, you must digitally create private and public keys and generate a Declaration of Signing record during the domain name signing process. The requirements and restrictions may vary based on your domain name’s registry and your DNS provider. Reach out to your DNS provider for more information.

How do I know if the URL I’ve requested is DNSSEC-aware?

If there’s a verification problem with a DNSSEC-aware URL, you receive a message indicating that the site does not exist.

Unfortunately, browsers aren’t currently set up to identify DNSSEC. They don’t give you visual feedback for DNSSEC-secured sites like they do with the padlock icon when a site is secured by an SSL.

Since DNSSEC makes the Internet more secure, why doesn’t everyone use it?

Implementing DNSSEC across the Internet is a big effort. Implementation requires effort, consensus and expenses (often significant) world-wide. Implementation is moving steadily forward, one domain name extension and its registry at a time. As each extension becomes DNSSEC-aware, we’ll be there to support the effort for domain names registered through us.

Is there any reason I shouldn’t use DNSSEC?

While there is no absolute reason a domain shouldn’t use DNSSEC, there are some things that might make it less desirable . DNSSEC is more information intensive, which can reduce site performance. It also makes DNS more fragile and can slightly increase the chance of failure.

But for those who have valuable data to protect, the potential risks are minimal and enabling DNSSEC can be a valuable decision. If you’re not a regular target of malicious activity, don’t collect sensitive data and aren’t in a high-profile position (i.e., a political figure), you may want to forego DNSSEC.

Related step

More info

Changing the currency for the products.

Prices shown in US Dollars. You can convert to your own currency after selecting a product.