What is DNSSEC and how does it work?

This article will explain what DNSSEC is and whether you should enable it on your domain.

What is DNSSEC?

Domain Name System Security Extensions (DNSSEC) is a service that adds a layer of authentication to DNS records by signing them with public keys. This service was introduced to combat the insecure nature of DNS, since scammers may potentially intercept a request to access a website, forge records and redirect users to a malicious page, in what’s commonly known as a ‘man-in-the-middle’ attack.

For more information about DNS records, please read the following article: Domain Name System (DNS) Management Guide

How does DNSSEC work?

When a customer accesses a website, their device will send a request to the host, asking that the DNS translate the website’s domain name (i.e. 123-reg.co.uk) into an IP address that it can understand. However, by default, DNS doesn’t have any way of identifying whether this response is genuine or not.

With DNSSEC, the customer’s browser will check the signing key across the aforementioned channels to ensure they receive authenticated answers. Any forgeries will also be detected and rejected by their browser.

Should I enable DNSSEC?

If your website processes sensitive data for customers, then we recommend enabling DNSSEC for your domain name.

To do this, please get in touch with our Support team and they will be able to assist you.

Please note: the following domain extensions do NOT support DNSSEC:

  • .ag
  • .co.ag
  • .co.lc
  • .com.ag
  • .com.lc
  • .com.sc
  • .com.vc
  • .gg
  • .global
  • .gy
  • .ht
  • .im
  • .it
  • .je
  • .l.lc
  • .lc
  • .me
  • .mn
  • .mu
  • .net.ag
  • .net.lc
  • .net.sc
  • .net.vc
  • .nom.ag
  • .onl
  • .org
  • .org.ag
  • .org.lc
  • .org.sc
  • .org.vc
  • .p.lc
  • .qa
  • .sc
  • .so
  • .tk
  • .vc
  • .vegas