Securing DNS with DNSSEC records
DNSSEC adds cryptographic signatures to DNS so resolvers can verify that answers are authentic and unmodified. It does this with a small family of resource record types that hold keys, signatures and authenticated denial-of-existence proofs. This reference explains each record’s role in signing a zone and in the chain of trust.
How it works
A signed zone publishes its public keys as DNSKEY records and a signature
(RRSIG) over every record set. The parent zone vouches for the child by
publishing a DS record — a hash of the child’s Key Signing Key:
example.com. DNSKEY 257 3 13 ( ... ) ; KSK — signs the DNSKEY set
example.com. DNSKEY 256 3 13 ( ... ) ; ZSK — signs everything else
example.com. RRSIG A 13 2 3600 ( ... ); signature over the A RRset
com. DS 12345 13 2 ( hash ); parent points at child KSK
A validating resolver starts at the root trust anchor and walks down: each DS
must match the child’s DNSKEY, and each RRSIG must verify against the
corresponding key. For names that do not exist, NSEC or NSEC3 provides a
signed proof of non-existence.
The record types explained
DNSKEY holds a zone’s public key. The flags field distinguishes two roles: flag value 257 marks a Key Signing Key (KSK), which signs only the DNSKEY record set and is the key the parent’s DS points to; flag value 256 marks a Zone Signing Key (ZSK), which signs all other record sets. Splitting the roles means you can roll the ZSK frequently without re-coordinating with the parent registry.
RRSIG is a signature over one record set (RRset) — for example, all A records at the same name. It names the signing key’s key tag, the algorithm, the original TTL, and validity dates. A resolver verifies the signature against the matching DNSKEY before trusting the RRset.
DS (Delegation Signer) lives in the parent zone and contains a hash of the child’s KSK. The com. zone holds a DS pointing to example.com.’s KSK; . (root) holds a DS for com. The chain of DS records forms the trust path from the root trust anchor down to any signed zone.
NSEC (Next Secure) proves a name does not exist by listing the next name in canonical order and the record types that do exist at the current name. A resolver seeing no A record for ghost.example.com can be shown a signed NSEC from foo.example.com. to zoo.example.com. proving nothing between them exists. The downside is zone walking: an adversary can enumerate all names by following NSEC chains.
NSEC3 replaces the plaintext names with hashed values, preventing zone walking while still providing authenticated denial. An NSEC3PARAM record at the zone apex records the hash algorithm, iteration count, and salt so that all NSEC3 records in the zone use consistent parameters.
CDS and CDNSKEY allow the child zone to signal a desired DS update to the parent without out-of-band communication. Defined in RFC 7344 and RFC 8078, they let domain registrars and DNS hosting providers automate key rollovers by reading these child-published records.
Common operational problems
| Symptom | Likely cause |
|---|---|
| SERVFAIL from resolvers | Expired RRSIG — signatures have a validity period |
| DS mismatch | KSK was rolled without updating DS at the parent |
| Legitimate queries failing | NSEC3 or NSEC chain broken after adding a new name |
| Zone walking concerns | Using NSEC instead of NSEC3 on a zone you want private |
Key operational rules: roll the ZSK often; roll the KSK rarely (every 1–2 years, because it requires a parent DS update); monitor RRSIG expiry dates and automate re-signing.