
What Is DNSSEC?

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records to verify their authenticity. It prevents attackers from tampering with DNS responses, protecting against cache poisoning and man-in-the-middle attacks.

Why It Matters

Standard DNS has no authentication — when your browser receives a DNS response saying “example.com is at 93.184.216.34,” it trusts that answer blindly. An attacker who can tamper with DNS responses could redirect visitors to a fake server.

DNSSEC solves this by adding digital signatures to DNS records. Your browser (or resolver) can verify that the DNS response is authentic and hasn’t been tampered with. A complementary approach is DNS-over-HTTPS, which encrypts the DNS query itself to prevent eavesdropping.

How It Works

  1. The domain owner signs their DNS records with a private key
  2. The public key is published as a DNSKEY record
  3. Each DNS response includes cryptographic signatures (RRSIG records)
  4. Resolvers validate the signatures against the public key chain
  5. If validation fails, the response is rejected
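The five steps above as a runnable sketch, added here as an illustration and not taken from the original page or from any resolver's code. It uses Node.js's built-in crypto module with Ed25519 (DNSSEC algorithm 15) and builds the signed bytes the way RFC 4034 section 3.1.8.1 describes for a single A record. Assumptions: the function names, key tag, timestamps and spoofed address are constructed for the example, and one trusted public key stands in for the full key chain of step 4.

```javascript
const crypto = require('crypto');

// Big-endian integer helpers and the canonical (lowercase) wire format of a name.
// Names are FQDNs with a trailing dot, so the empty last label becomes the root byte.
const u16 = (v) => Buffer.from([v >> 8, v & 0xff]);
const u32 = (v) => Buffer.from([v >>> 24, (v >>> 16) & 0xff, (v >>> 8) & 0xff, v & 0xff]);
const wireName = (n) =>
  Buffer.concat(n.toLowerCase().split('.').map((l) => Buffer.from([l.length, ...Buffer.from(l)])));

// The bytes an RRSIG signature covers: the RRSIG RDATA without the signature,
// then the record itself in canonical form. Wildcard owners are not handled.
function signedData(a) {
  return Buffer.concat([
    u16(1), Buffer.from([15, a.owner.split('.').length - 1]), // type covered A, algorithm 15, labels
    u32(a.ttl), u32(a.expire), u32(a.incept), u16(a.keyTag), wireName(a.zone),
    wireName(a.owner), u16(1), u16(1), u32(a.ttl), u16(4), // owner, type A, class IN, TTL, RDLENGTH
    Buffer.from(a.ip.split('.').map(Number)),
  ]);
}

// Steps 1 and 3, zone owner: sign the record and attach the signature to the answer.
function sign(privateKey, a) {
  return { ...a, sig: crypto.sign(null, signedData(a), privateKey) };
}

// Steps 4 and 5, resolver: reject outside the validity window or on a bad signature.
function validate(publicKey, a, now) {
  return now >= a.incept && now <= a.expire &&
    crypto.verify(null, signedData(a), publicKey, a.sig);
}

// Constructed sample data: throwaway key pair, small integers as timestamps.
// Step 2: publicKey plays the role of the published DNSKEY.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const good = sign(privateKey, {
  owner: 'www.example.com.', zone: 'example.com.', ip: '93.184.216.34',
  ttl: 300, incept: 1000, expire: 2000, keyTag: 12345, // keyTag is a constructed value
});
const forged = { ...good, ip: '203.0.113.66' }; // spoofed address, original signature

console.log('authentic answer accepted:', validate(publicKey, good, 1500));
console.log('spoofed answer accepted:  ', validate(publicKey, forged, 1500));
console.log('expired answer accepted:  ', validate(publicKey, good, 2500));
```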

DNSSEC and Domain Forwarding

DNSSEC protects the DNS layer — it ensures that when someone queries your domain’s A record, they get the real IP address (pointing to Domain Forward), not a spoofed one.

The forwarding itself (HTTPS, 301 redirects) is protected by SSL/TLS. DNSSEC and HTTPS work together:

Layer | Protection
DNS query | DNSSEC — ensures authentic DNS response
Connection | SSL/TLS — encrypts browser ↔ server communication
Redirect | 301 with Location header — sends browser to destination

Considerations

  • Enable DNSSEC at your registrar if they support it
  • Don’t break DNSSEC when changing DNS records — some registrars require re-signing after record changes
  • DNS propagation takes longer with DNSSEC because there are more records to propagate

Frequently asked questions

DNSSEC works at the DNS level, before the redirect occurs. If DNSSEC is properly configured on your domain, it validates that the A record pointing to Domain Forward's servers is authentic. This adds an extra layer of trust.
