What Is DNSSEC?
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records to verify their authenticity. It prevents attackers from tampering with DNS responses, protecting against cache poisoning and man-in-the-middle attacks.
Why It Matters
Standard DNS has no authentication — when your browser receives a DNS response saying “example.com is at 93.184.216.34,” it trusts that answer blindly. An attacker who can tamper with DNS responses could redirect visitors to a fake server.
DNSSEC solves this by adding digital signatures to DNS records. Your browser (or resolver) can verify that the DNS response is authentic and hasn’t been tampered with. A complementary approach is DNS-over-HTTPS, which encrypts the DNS query itself to prevent eavesdropping.
How It Works
- The domain owner signs their DNS records with a private key
- The public key is published as a DNSKEY record
- Each DNS response includes cryptographic signatures (RRSIG records)
- Resolvers validate the signatures against the public key chain
- If validation fails, the response is rejected
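Each RRSIG in the steps above carries a validity window (inception and expiration timestamps), and a validating resolver rejects a signature used outside that window. The following Python code is an added example, not part of the original page: it parses RRSIG lines in dig-style presentation format and classifies each window. The sample records, key tags and signature placeholder are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in dig presentation format. Key tags are made up and the
# last field is a placeholder, not a real signature.
SAMPLE = """\
example.com. 3600 IN A 93.184.216.34
example.com. 3600 IN RRSIG A 13 2 3600 20240615000000 20240601000000 12345 example.com. PLACEHOLDERSIGNATURE=
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240603000000 20240520000000 54321 example.com. PLACEHOLDERSIGNATURE=
"""

def _ts(field):
    # dig prints RRSIG timestamps as YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return one dict per RRSIG line; other record types are skipped."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels orig-ttl expiration inception key-tag signer signature
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        sigs.append({"owner": f[0], "covers": f[4], "algorithm": int(f[5]),
                     "expires": _ts(f[8]), "inception": _ts(f[9]),
                     "key_tag": int(f[10]), "signer": f[11]})
    return sigs

def classify(sig, now, warn=timedelta(days=3)):
    """Status of one signature's validity window at time `now`."""
    if now < sig["inception"]:
        return "not-yet-valid"   # often a sign of clock skew on the signer
    if now > sig["expires"]:
        return "expired"         # validating resolvers will reject the answer
    if sig["expires"] - now <= warn:
        return "expiring-soon"   # re-sign before the window closes
    return "valid"

def audit(text, now):
    """(covered type, key tag, status) for every RRSIG found in `text`."""
    return [(s["covers"], s["key_tag"], classify(s, now)) for s in parse_rrsigs(text)]

if __name__ == "__main__":
    for row in audit(SAMPLE, datetime(2024, 6, 2, tzinfo=timezone.utc)):
        print(*row)
```

This checks only the validity window; it does not verify the signature against the DNSKEY, which is the resolver's job.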
DNSSEC and Domain Forwarding
DNSSEC protects the DNS layer — it ensures that when someone queries your domain’s A record, they get the real IP address (pointing to Domain Forward), not a spoofed one.
The forwarding itself (HTTPS, 301 redirects) is protected by SSL/TLS. DNSSEC and HTTPS work together:
| Layer | Protection |
|---|---|
| DNS query | DNSSEC — ensures authentic DNS response |
| Connection | SSL/TLS — encrypts browser ↔ server communication |
| Redirect | 301 with Location header — sends browser to destination |
Considerations
- Enable DNSSEC at your registrar if they support it
- Don’t break DNSSEC when changing DNS records — some registrars require re-signing after record changes
- DNS propagation takes longer with DNSSEC because there are more records to propagate
Frequently asked questions
DNSSEC works at the DNS level, before the redirect occurs. If DNSSEC is properly configured on your domain, it validates that the A record pointing to Domain Forward's servers is authentic. This adds an extra layer of trust.
If your registrar supports it, yes. DNSSEC adds security without affecting performance. The main risk is misconfiguration — if DNSSEC signatures expire or don't match, your domain becomes unreachable.
No. DNSSEC secures the DNS lookup (making sure you're connecting to the right server). HTTPS (SSL/TLS) secures the connection itself (encrypting data between browser and server). They protect different parts of the chain.