DNSSEC Not Enabled — Why It Matters and How to Turn It On

DNSSEC (DNS Security Extensions) cryptographically signs your DNS records so resolvers can verify they haven’t been tampered with on the way to your visitors. Without it, attackers in a privileged network position can poison DNS caches and silently redirect your traffic.

What DNSSEC actually protects against

DNS by default is unauthenticated. A man-in-the-middle on a coffee-shop Wi-Fi, a compromised ISP resolver, or a poisoned cache can return an attacker’s IP for your domain — and your visitors’ browsers have no way to detect the lie.

DNSSEC adds a chain of cryptographic signatures from the root zone down to your records. Resolvers that validate (every modern public resolver: Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9) refuse to return records whose signatures fail to validate, so your visitors land on your real server even when the path is hostile.

Enable DNSSEC at your DNS provider

  1. Cloudflare: DNS → DNSSEC → Enable. Cloudflare gives you a DS record to publish at your registrar.
  2. Route 53: Enable signing on the hosted zone, then publish the DS at the registrar.
  3. Google Domains / Squarespace Domains: DNS → DNSSEC → Enable. Most managed registrars handle the DS publication automatically when DNS and registrar are in the same account.
  4. Verify the chain with dig DNSKEY yourdomain +dnssec and dnsviz.net. A green chain from root means it’s working.

Common gotchas

Monitor for accidental disablement

A DS record removed at the registrar (or a key rolled without updating DS) makes your domain unreachable for half the internet within a few minutes. GuardHound’s DNSSEC check catches the regression on the next scan.
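The verification step above (dig ... +dnssec) and this monitoring advice can be folded into one small check. The following is an added example, not GuardHound's scanner: it classifies a zone as secure (AD flag set and RRSIGs present), insecure (no signatures) or bogus (a validating resolver answers SERVFAIL, which is what users see after a DS record is pulled). The dig outputs embedded below are constructed samples in BIND 9's text format; check_live assumes dig is installed and needs network access.

```python
"""Classify a zone's DNSSEC state from `dig +dnssec` output."""
import re
import subprocess


def parse_dig(output: str) -> dict:
    """Pull the status, header flags and answer record types out of dig text output."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([a-z ]*);", output)
    # Answer lines look like: name  TTL  IN  TYPE  rdata
    types = re.findall(r"^\S+\s+\d+\s+IN\s+(\w+)", output, re.MULTILINE)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "types": set(types),
    }


def dnssec_state(output: str) -> str:
    """Return 'secure', 'insecure' or 'bogus' for one dig response."""
    p = parse_dig(output)
    if p["status"] == "SERVFAIL":
        return "bogus"      # validating resolver refused data that failed validation
    if "ad" in p["flags"] and "RRSIG" in p["types"]:
        return "secure"     # resolver authenticated the answer and signatures are present
    return "insecure"       # answered, but nothing was signed or validated


def check_live(domain: str, resolver: str = "1.1.1.1") -> str:
    """Query a validating public resolver for the domain's A record (network required)."""
    out = subprocess.run(["dig", f"@{resolver}", domain, "A", "+dnssec"],
                         capture_output=True, text=True, check=False).stdout
    return dnssec_state(out)


# Constructed sample responses (hypothetical zone example.com)
SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t300\tIN\tA\t192.0.2.10
example.com.\t300\tIN\tRRSIG\tA 13 2 300 20300101000000 20250101000000 12345 example.com. abc=
"""
INSECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t300\tIN\tA\t192.0.2.10
"""
BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
```

Run check_live on a schedule and alert on any transition away from "secure"; a flip to "bogus" is the DS-removed or key-rolled-without-DS regression described above.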

Run a free scan to find issues like this on your domain

GuardHound checks SSL, DNS, breaches, CVEs, lookalikes, hosting reputation, and more in under 30 seconds.


Frequently Asked Questions

Will enabling DNSSEC break anything?
On a managed DNS provider (Cloudflare, Route 53, Google Cloud DNS), no — they handle keys and rollovers automatically. On self-hosted BIND, you have to manage keys yourself. Test with dnsviz.net before going live.
Do all visitors benefit?
Only those whose recursive resolver validates DNSSEC. The major public resolvers (Cloudflare, Google, Quad9, OpenDNS) all do, plus most modern ISP resolvers. Your protection coverage is roughly 80–90% of internet users today.
How does DNSSEC interact with DNS-over-HTTPS?
They’re complementary. DoH/DoT encrypts the path between client and resolver; DNSSEC authenticates the records the resolver returns. Use both for end-to-end integrity.