DNSSEC
DNSSEC adds cryptographic signatures to DNS so resolvers can validate that responses have not been forged or tampered with. It protects authenticity, not confidentiality.
This page covers DNSSEC, split DNS, dangling DNS, anycast, GeoDNS, and encrypted resolver protocols.
A DS record is part of DNSSEC delegation. It lives in the parent zone and points to the child zone's DNSSEC key material, linking the signed parent and child zones together.
A DNSKEY record publishes DNSSEC public key material for a zone. Validating resolvers use DNSKEY records with RRSIG signatures to check that signed DNS answers are authentic.
The parent zone normally publishes a DS record that points to the child zone's DNSKEY, creating the DNSSEC chain of trust from parent to child.
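The DS record the parent publishes is a hash over the child's DNSKEY, so the link between the two zones can be checked offline. The following added example (not code from this page or its checker) builds DNSKEY RDATA, computes the key tag (RFC 4034 Appendix B) and the DS digest (hash over the canonical owner name plus the RDATA), and checks whether a DS published in the parent matches the child's key; the owner name and public key are constructed placeholders, not a real zone's key.

```python
import base64
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: "sha1", 2: "sha256"}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label 0x00."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Pack DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (applies to every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex) as the parent's DS record would carry it."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(owner_name_wire(owner) + rdata)  # DS digest = H(canonical owner name | DNSKEY RDATA)
    return key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()


def ds_matches(parent_ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if the DS seen in the parent zone corresponds to this child DNSKEY."""
    tag, alg, dtype, digest = parent_ds
    if dtype not in DIGEST_ALGS:  # unknown digest type: cannot validate the link
        return False
    return (tag, alg, dtype, digest.upper()) == ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype)


# Constructed child key (not a real key): KSK flags 257, protocol 3, algorithm 13, placeholder public key.
CHILD_OWNER = "example."
CHILD_DNSKEY = (257, 3, 13, "AQIDBAUGBwg=")

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(CHILD_OWNER, *CHILD_DNSKEY)
    print(f"{CHILD_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

In practice the DNSKEY values come from the child zone's DNSKEY RRset and the DS from the parent; a mismatch means validating resolvers will treat the child zone's data as bogus.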
RRSIG records are DNSSEC signature records. They contain cryptographic signatures over DNS record sets, allowing validating resolvers to check that signed DNS data has not been altered.
Seeing RRSIG records is a useful sign that a zone is signed, but it is not the same as full DNSSEC validation. A resolver still needs to verify the complete trust chain from the parent DS record to the child DNSKEY records and signatures.
The AD flag means authenticated data. A validating resolver sets this flag when it has successfully validated the DNSSEC signatures for the answer it returns.
This checker asks public validating resolvers whether they return the AD flag. It is a practical validation signal, but results can still be affected by resolver behaviour, temporary DNSSEC changes, or network issues.
Split-horizon DNS returns different answers depending on where a query comes from. It is commonly used to give internal users private answers and public users external answers.
Dangling DNS happens when a DNS record points to a resource that no longer exists or is no longer controlled by the domain owner. This can cause errors and, in some cases, security risks.
Anycast DNS lets multiple DNS servers in different locations share the same IP address. Network routing sends each query to a nearby or preferred location, which can improve speed and resilience if one location has a problem.
GeoDNS returns different DNS answers based on where the resolver or user appears to be located. It is often used to send visitors to a nearby service region, CDN endpoint, or country-specific infrastructure.
DoH sends DNS queries over HTTPS instead of plain DNS. It can protect DNS queries from being read or modified on the local network, but it also changes which resolver sees the queries and can affect local filtering or troubleshooting.
DoT sends DNS queries over a TLS-encrypted connection. Like DoH, it protects DNS traffic between the client and resolver, but it uses a dedicated DNS-over-TLS protocol rather than blending DNS traffic into normal HTTPS.