Skip to content
Palisai
All articles
Security1 February 20263 min read

DNSSEC explained: Why signing DNS is critical in 2026

By Jens Arnfelt

DNS was invented in the 1980s — a time when the internet was small and trusting. The system was designed to be fast and robust, but not to prove that an answer actually comes from the right source. That gap is still with us today, and it is exactly the problem DNSSEC solves.

The problem: DNS without signing

When your computer looks up a domain, it generally trusts the first sensible answer it receives. That opens the door to cache poisoning and DNS spoofing, where an attacker tricks a resolver into storing a wrong answer — for example, a wrong IP address for your bank or your login. The user sees the correct domain name in the address bar but is sent to the wrong place.

The classic example is the 2008 Kaminsky attack, which showed how practical cache poisoning really was. The threat is not theoretical.

What is DNSSEC?

DNSSEC (DNS Security Extensions) adds digital signatures to DNS. Each zone signs its records with a private key, and a resolver can verify the signature with the matching public key. That provides two guarantees:

  • Integrity — the answer has not been altered in transit.
  • Origin — the answer comes from the zone it claims to.

Trust is built as a chain from the root zone (.) down through the top-level domain (e.g. .dk) to your own domain. The key material lives in records such as DNSKEY and RRSIG, and the link between one level and the next is secured by a DS record at your registrar. If a resolver validates the chain and finds a break, it rejects the answer rather than passing the user on to a possible forgery.

What DNSSEC does not do

It is just as important to understand what DNSSEC is not:

  • DNSSEC does not encrypt your lookups. It protects against forgery, not eavesdropping. To hide the lookup itself, look at DNS over HTTPS (DoH) or DNS over TLS (DoT).
  • DNSSEC does not make your website secure. It secures the path to the right server — not what happens after that.
  • DNSSEC does not remove the need for SPF, DKIM and DMARC on the email side.

In other words, DNSSEC is one layer in a defence in depth — an important one, but not the only one.

Should you enable DNSSEC?

For most domains: yes. The benefits are real and support is good among Danish registrars and providers. Two things to watch:

  • Operations. DNSSEC requires keys to stay valid and key rollovers to be handled correctly. An expired signature can make your domain unreachable for validating resolvers. Many providers automate this today.
  • Registrar support. Your registrar must be able to publish a DS record to the top-level domain. Most can, but it is worth checking.

Check your domain

Want to know whether your domain is already signed? Run a free DNS security check and see the status of DNSSEC and the rest of your name-server setup right away.