DNSSEC Checker

DNSSEC (Domain Name System Security Extensions) addresses a fundamental vulnerability in DNS: the original protocol from 1983 included no way to verify that DNS responses were authentic. This made DNS vulnerable to spoofing attacks where malicious actors could redirect users to fake websites.

DNSSEC adds cryptographic signatures to DNS records. When a user's DNS resolver queries for your domain, it can verify the response is authentic and unmodified by checking these signatures against public keys published in DNS. This "chain of trust" extends from the root DNS servers all the way to your domain.

DNSSEC establishes trust through a hierarchical chain from the DNS root to your domain. Here are the key components:

• Zone Signing Key (ZSK): Signs individual DNS records (A, AAAA, MX, etc.). Rotated frequently (every few months).
• Key Signing Key (KSK): Signs the ZSK. Rotated less frequently (yearly or longer). Hash published as DS record.
• DNSKEY Records: Contain the public portions of ZSK and KSK, published in your zone.
• DS Records: Hash of your KSK, published in the parent zone (.com, .org, etc.) to establish trust link.
• RRSIG Records: Cryptographic signatures for each record set, created with the ZSK.

When a validating resolver queries your domain, it verifies the chain: root zone → TLD zone (.com) → your zone, checking that each level's keys are vouched for by the level above.

Without DNSSEC, your domain is vulnerable to serious attacks:

• DNS Spoofing: Attackers intercept DNS queries and return false IP addresses, redirecting users to malicious servers.
• Cache Poisoning: Malicious records are injected into DNS resolver caches, affecting all users of that resolver.
• Man-in-the-Middle: Attackers position themselves between users and legitimate servers, intercepting all traffic.
• BGP Hijacking Amplification: Combined with BGP attacks, DNS spoofing can redirect large portions of internet traffic.

Real-world attacks have targeted banks, cryptocurrency exchanges, and government sites. The 2018 DNS hijacking campaign against Brazilian banks affected millions of users. DNSSEC would have prevented these attacks.

DNSSEC status can affect domain value and buyer requirements:

• Enterprise Requirements: Large corporate buyers increasingly require DNSSEC capability. Domains at registrars without DNSSEC support may be less attractive.
• Premium Positioning: DNSSEC-enabled domains signal professional management and security awareness.
• Financial Sector: Banks and fintech companies often mandate DNSSEC for acquired domains.
• Government Contracts: Many government agencies require DNSSEC for contractor domains.