What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is an advanced DNS feature that adds an extra layer of security to your domains by attaching digital signature (DS) records to their DNS information. Upgrade to Premium DNS and you can enable DNSSEC in your account. If you're using self-managed DNSSEC, you can manually add a DS record in your account.
What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) add digital signatures to a domain name's DNS (Domain Name System) to determine the authenticity of the source domain name. It's designed to protect Internet users from forged DNS data, such as a misleading or malicious address instead of the legitimate address that was requested.
When DNSSEC is enabled, DNS lookups use a digital signature to verify that the source of your site's DNS is valid. This helps prevent certain types of attacks; if the digital signature does not match, browsers will not display the site.
Why does my website no longer resolve after I enabled DNSSEC?
The digital signature you store in a DS (Delegation of Signing) record must match the digital signature that your domain's nameservers produce. If it doesn't, the domain can't resolve to your website. Carefully review the DS record information you entered against the zone record stored on the nameserver and make sure they match.
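One way to run that comparison yourself, as an added example that is not GoDaddy's tooling: a DS record carries a key tag, algorithm, digest type and a digest of the zone's DNSKEY record, so you can recompute those fields from the DNSKEY your nameservers publish and compare them with what you entered. The function names and the sample keys below are constructed for illustration.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def expected_ds(owner, flags, protocol, algorithm, key_b64):
    """DS fields (digest type 2, SHA-256) that correspond to this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": digest}

def ds_mismatches(entered, expected):
    """Names of the DS fields that differ; an empty list means the DS matches."""
    bad = []
    for field in ("key_tag", "algorithm", "digest_type", "digest"):
        a, b = entered[field], expected[field]
        if field == "digest":  # ignore spacing and letter case in the hex digest
            a = a.replace(" ", "").upper()
        if a != b:
            bad.append(field)
    return bad

# Constructed sample data: 64 dummy bytes standing in for an ECDSA P-256 key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
ROLLED_KEY = base64.b64encode(bytes(range(1, 65))).decode()

if __name__ == "__main__":
    live = expected_ds("example.com.", 257, 3, 13, SAMPLE_KEY)   # key served now
    stale = expected_ds("example.com.", 257, 3, 13, ROLLED_KEY)  # DS left from another key
    print("DS to enter:", live)
    print("stale DS differs in:", ds_mismatches(stale, live))
```

A mismatch in `key_tag` and `digest` together usually means the DS was generated from a different key than the one the nameservers now serve; a mismatch in `digest` alone points to a copy error.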
How do I enable DNSSEC and sign my zone?
GoDaddy offers a fully-managed option for DNSSEC through our Premium DNS. If your domain is using GoDaddy nameservers, you can enable DNSSEC on your domains and we'll take care of the zone signing process on your behalf.
If your domain is registered with GoDaddy but isn't using GoDaddy nameservers, you'll need to set up self-managed DNSSEC through your DNS provider. You'll need to digitally create private and public keys and generate a Declaration of Signing record during the domain signing process. The requirements and restrictions may vary based on your domain's registry and your DNS provider. Reach out to your DNS provider for more information, or switch to GoDaddy nameservers and Premium DNS to enable fully-managed DNSSEC through us.
How do I know if the URL I've requested is DNSSEC-aware?
If there's a verification problem with a DNSSEC-aware URL, you receive a message indicating that the site does not exist.
Unfortunately, browsers aren't currently set up to identify DNSSEC. They don't give you visual feedback for DNSSEC-secured sites like they do with the padlock icon when a site is secured by an SSL certificate.
Since DNSSEC makes the Internet more secure, why doesn't everyone use it?
Implementing DNSSEC across the Internet is a big effort. Implementation requires effort, consensus and expenses (often significant) worldwide. Implementation is moving steadily forward, one domain name extension and its registry at a time. As each extension becomes DNSSEC-aware, we'll be there to support the effort for domain names registered through us.
Is there any reason I shouldn't use DNSSEC?
While there is no absolute reason a domain shouldn't use DNSSEC, there are some things that might make it less desirable. DNSSEC is more information intensive, which can reduce site performance. It also makes DNS more fragile and can slightly increase the chance of failure.
But for those who have valuable data to protect, the potential risks are minimal and enabling DNSSEC can be a valuable decision. If you're not a regular target of malicious activity, don't collect sensitive data and aren't in a high-profile position (e.g., a political figure), you may want to forgo DNSSEC.
- Upgrade to Premium DNS and enable DNSSEC to take advantage of our fully managed DNSSEC services.
- For self-managed DNSSEC, add a new DS record to your domain.