DNSSEC (RFC 4033-4035) adds cryptographic signatures to DNS responses, protecting the SPF, DKIM, DMARC, MTA-STS and TLSA records that underpin email security from being forged or tampered with in transit. This article explains DNSSEC, why it matters for email, how it works, and how UK businesses deploy it.
DNSSEC is a set of extensions to DNS that add cryptographic authentication to DNS responses. A domain owner signs zone data with private keys; resolvers that validate DNSSEC verify the signatures against public keys published in DNS and chained upward through DS records to a trust anchor at the DNS root.
Without DNSSEC, any attacker positioned between a resolver and the authoritative DNS can forge responses: redirect traffic, spoof email authentication records, substitute certificates. DNSSEC makes such forgery detectable: a tampered response fails signature verification, and a validating resolver returns SERVFAIL rather than the forged data. Resolvers that do not validate pass the response through unchecked, so the protection only reaches clients that sit behind a validating resolver.
Email security depends on DNS. SPF, DKIM, DMARC, MTA-STS TXT records, TLSA records, MX records — all published in DNS, all queried by receiving mail servers during delivery.
A DNS attack can redirect mail by forging MX answers, alter or strip SPF and DKIM records so that spoofed mail passes or legitimate mail fails, downgrade a DMARC policy to p=none, or substitute TLSA records. DNSSEC makes all of these detectable at validating resolvers: signed records cannot be silently swapped, because a forged response fails validation.
DANE specifically requires DNSSEC — TLSA records are meaningless without signed zones. MTA-STS works without DNSSEC but benefits from it.
A DNSSEC-signed zone contains, alongside its ordinary records, DNSKEY records carrying the zone's public keys, RRSIG records (one signature per record set) and NSEC or NSEC3 records that authenticate negative answers. The parent zone holds the DS record that points at the zone's key-signing key.
A resolver querying a DNSSEC-signed zone receives both the data and the RRSIG. The resolver verifies the RRSIG against the DNSKEY. The DNSKEY itself is authenticated by a DS record at the parent zone, recursively up to the root, where a well-known trust anchor terminates the chain.
For firm.co.uk, the chain is: root → uk → co.uk → firm.co.uk. Each level signs the next.
| Algorithm ID | Name | Status |
|---|---|---|
| 5 | RSA/SHA-1 | Deprecated |
| 7 | RSASHA1-NSEC3-SHA1 | Deprecated |
| 8 | RSASHA256 | Widely supported; current standard |
| 10 | RSASHA512 | Available but rarely used |
| 13 | ECDSA P-256 with SHA-256 | Preferred for new deployments |
| 14 | ECDSA P-384 with SHA-384 | Supported; less common |
| 15 | Ed25519 | Emerging; limited parent-zone support |
| 16 | Ed448 | Emerging |
Algorithm 13 (ECDSA P-256) is the modern default — short keys, compact signatures, universally supported by resolvers. Algorithm 8 (RSASHA256) is the common legacy choice, still fine for operational deployments.
epost.plus uses Algorithm 13 for its DNSSEC signing.
Two key types are standard: the key-signing key (KSK), which signs the DNSKEY record set and is the key the parent's DS record refers to, and the zone-signing key (ZSK), which signs the rest of the zone's records.
Splitting roles lets you rotate ZSKs frequently without touching the parent-registered DS record; only KSK rotations require DS updates at the registrar.
The Delegation Signer (DS) record is published at the parent zone. For firm.co.uk, the co.uk zone (managed by Nominet) contains a DS record pointing at firm.co.uk's KSK.
Example:
```
firm.co.uk. IN DS 12345 13 2 abcdef...
```

Fields: key tag (12345), algorithm (13, ECDSA P-256), digest type (2, SHA-256), digest value (hex). The key tag is a 16-bit checksum of the DNSKEY, not a hash; the digest is what actually binds the DS to one specific key.
The DS record is what connects your DNSSEC-signed zone to the global chain of trust. Without a matching DS at the parent, resolvers cannot verify your zone's signatures even if they are technically correct.
Modern UK DNS providers support DNSSEC with minimal configuration:

- Cloudflare: DNS page → enable DNSSEC → Cloudflare generates keys and displays the DS record. Copy the DS to your registrar. Done.
- AWS Route 53: enable DNSSEC signing on the hosted zone. Route 53 signs with a KSK backed by an asymmetric key you create in AWS KMS and a ZSK that Route 53 manages, and provides the DS record to publish at your registrar.
- Gandi: enable DNSSEC in the domain's DNSSEC settings. Gandi handles keys; the DS is registered automatically if Gandi is also your registrar.
- Azure DNS: enable DNSSEC via the Azure portal or CLI. Export the DS and register it at your parent registrar.
- Self-hosted BIND: generate keys with dnssec-keygen and sign zones with dnssec-signzone, or let named maintain signatures itself (dnssec-policy in current releases; auto-dnssec in older ones). More operational effort; mainly for organisations that already run their own authoritative DNS.
For most UK businesses, enabling DNSSEC through a managed DNS provider is a two-click operation.
Nominet has supported DNSSEC at the .uk registry level since 2010. Any .uk domain can have a DS record; the bottleneck is usually the domain's DNS host, not the registry.
Check with dig +dnssec domain @1.1.1.1 (or another validating resolver). A correctly validated answer carries RRSIG records and has the ad (authenticated data) flag set in the header. A missing ad flag does not by itself mean validation failed: it is also what you see when the resolver does not validate, or when the zone is treated as insecure because no DS exists at the parent. A signed zone that fails validation produces SERVFAIL from a validating resolver; repeating the same query with +cd (checking disabled) and getting an answer confirms that validation, not the nameserver, is the problem.
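The three outcomes above, written down as a small checker. This is an added example, not code from the article or from epost.plus; parse_dig and classify work on captured dig text and run offline, run_dig shells out to dig (assumed to be installed and to have network access), and the sample outputs, zone name, address and signature are constructed placeholders.

```python
"""Interpret the outcome of 'dig +dnssec' queries for a name.

A validating resolver gives one of three results: secure (answer with the
ad flag), insecure (answer without ad: unsigned zone, DS missing at the
parent, or a resolver that does not validate) or bogus (SERVFAIL that turns
into an answer when the same query is repeated with +cd, checking disabled).
parse_dig and classify work on captured text and run offline; run_dig
shells out to dig, which is assumed to be installed.
"""
import re
import subprocess


def parse_dig(output: str) -> dict:
    """Extract status, header flags and the record types in the answer from
    dig's text output. Works on space- and tab-separated answer lines."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([a-z ]*);", output)
    types = re.findall(r"^\S+\s+\d+\s+IN\s+(\w+)", output, re.M)
    return {
        "status": status.group(1) if status else "NONE",
        "flags": set(flags.group(1).split()) if flags else set(),
        "types": set(types),
    }


def classify(normal: dict, checking_disabled: dict) -> str:
    """normal: parsed 'dig +dnssec'; checking_disabled: the same query with +cd."""
    if normal["status"] == "NOERROR":
        if "ad" in normal["flags"]:
            return "secure"
        if "RRSIG" in normal["types"]:
            # Signatures came back but nothing vouched for them: either the
            # resolver is not validating or the parent has no DS for the zone.
            # 'dig DS <zone> @1.1.1.1' against a validating resolver tells
            # the two cases apart.
            return "signed-but-not-validated"
        return "insecure"
    if normal["status"] == "SERVFAIL":
        if checking_disabled["status"] == "NOERROR":
            return "bogus"        # chain of trust is broken: validation itself fails
        return "unreachable"      # +cd fails too: a nameserver problem, not DNSSEC
    return "other:" + normal["status"]


def run_dig(name: str, rrtype: str = "A", resolver: str = "1.1.1.1",
            checking_disabled: bool = False) -> str:
    """Run dig against a validating resolver; +noall +comments +answer keeps
    only the header (status and flags) and the answer section."""
    args = ["dig", "+dnssec", "+noall", "+comments", "+answer",
            f"@{resolver}", name, rrtype]
    if checking_disabled:
        args.append("+cd")
    return subprocess.run(args, capture_output=True, text=True, timeout=15).stdout


def check(name: str, rrtype: str = "A", resolver: str = "1.1.1.1") -> str:
    """Live check: query once normally and once with +cd, then classify."""
    return classify(parse_dig(run_dig(name, rrtype, resolver)),
                    parse_dig(run_dig(name, rrtype, resolver, checking_disabled=True)))


# Constructed sample outputs in dig's format (not real captures).
SAMPLE_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
firm.co.uk. 300 IN A 203.0.113.10
firm.co.uk. 300 IN RRSIG A 13 3 300 20260301000000 20260201000000 12345 firm.co.uk. c2lnbmF0dXJl
"""
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_CD_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
firm.co.uk. 300 IN A 203.0.113.10
firm.co.uk. 300 IN RRSIG A 13 3 300 20260301000000 20260201000000 12345 firm.co.uk. c2lnbmF0dXJl
"""

if __name__ == "__main__":
    print(classify(parse_dig(SAMPLE_SECURE), parse_dig(SAMPLE_SECURE)))       # secure
    print(classify(parse_dig(SAMPLE_SERVFAIL), parse_dig(SAMPLE_CD_ANSWER)))  # bogus
    # Live check (needs network and dig): print(check("firm.co.uk", "MX"))
```

Run check() for the MX record as well as an A record: a zone can validate for one record set and still have a stale signature on another, and it is the MX and TXT answers that matter for mail.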
Common deployment gap. DNSSEC is enabled at DNS host but DS is not published at registrar. Your zone is signed but resolvers cannot verify because the parent zone does not have the DS pointer.
The DS record at the registrar identifies one specific key by key tag, algorithm and digest. If you rotate the KSK, or change algorithm, at the DNS host without updating the DS, validation fails.
Planned KSK rotations require a coordinated DS update at the registrar. Validation fails if the old KSK disappears from the DNSKEY set while the parent still publishes only the old DS, or if the DS is switched before resolver caches have picked up the new DNSKEY. The safe pattern is to publish both KSKs (and, where the registrar allows, both DS records) for at least one TTL before retiring the old pair.
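How the DS at the parent binds to one specific DNSKEY, and what the "DS mismatch" failure looks like, as an added example (not code from the article or from epost.plus). It computes the RFC 4034 key tag and DS digest from a DNSKEY in presentation format and checks a published DS against it. The zone name firm.co.uk is the article's placeholder and the keys are constructed byte strings, not real keys.

```python
"""Derive the DS record for a DNSKEY and check a published DS against it.

Key tag: RFC 4034 Appendix B. DS digest: hash over the owner name in
canonical wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4).
Standard library only; no network access needed.
"""
import base64
import hashlib

DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}   # DS digest type field


def name_to_wire(name: str) -> bytes:
    """Owner name as lowercase, length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def parse_dnskey(line: str):
    """Parse presentation format such as
    'firm.co.uk. 3600 IN DNSKEY 257 3 13 <base64>' (the TTL may be absent)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, protocol, algorithm, pubkey


def key_tag(rdata: bytes) -> int:
    """16-bit key tag: not a hash, just the RFC 4034 checksum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    h = hashlib.new(DIGEST_ALGOS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(dnskey_line: str, digest_type: int = 2) -> str:
    """The DS record a registrar should be given for this DNSKEY."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True when the DS at the parent was derived from this DNSKEY: key tag,
    algorithm and digest must all agree, which is what a resolver checks."""
    fields = ds_line.split()
    i = fields.index("DS")
    tag, ds_alg, digest_type = (int(x) for x in fields[i + 1:i + 4])
    digest = fields[i + 4].upper()
    owner, flags, protocol, key_alg, pubkey = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, key_alg, pubkey)
    return (digest_type in DIGEST_ALGOS
            and key_tag(rdata) == tag
            and key_alg == ds_alg
            and ds_digest(owner, rdata, digest_type) == digest)


# Constructed sample keys, not real keys: 64 arbitrary bytes stand in for an
# ECDSA P-256 public key (algorithm 13); flags 257 marks a KSK.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = f"firm.co.uk. 3600 IN DNSKEY 257 3 13 {SAMPLE_KEY}"
# A second constructed key, as if the KSK had been rotated at the DNS host.
ROTATED_KEY = base64.b64encode(bytes(range(64, 128))).decode()
ROTATED_DNSKEY = f"firm.co.uk. 3600 IN DNSKEY 257 3 13 {ROTATED_KEY}"

if __name__ == "__main__":
    ds = make_ds(SAMPLE_DNSKEY)
    print(ds)
    print(ds_matches(SAMPLE_DNSKEY, ds))    # True
    # The 'DS mismatch' failure: the parent still holds the DS of the old KSK.
    print(ds_matches(ROTATED_DNSKEY, ds))   # False
```

To audit a live domain, feed the DNSKEY lines from `dig DNSKEY firm.co.uk` and the DS lines from `dig DS firm.co.uk` into ds_matches: at least one DNSKEY with the SEP flag set (flags 257) must match at least one published DS, or validating resolvers will mark the zone bogus.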
Not all resolvers validate DNSSEC. ISPs vary. Test with a known-validating resolver (Cloudflare 1.1.1.1, Google 8.8.8.8) to isolate.
Q: Is DNSSEC required for DMARC?
A: No — DMARC does not require DNSSEC. But DNSSEC makes DMARC records (and SPF, DKIM) much harder to tamper with, which improves overall email security posture.
Q: Does DNSSEC slow down DNS resolution?
A: Marginally — response sizes are larger (RRSIGs add bytes), and validation adds CPU at the resolver. Typical overhead: sub-millisecond at the resolver level, imperceptible in mail delivery.
Q: Can DNSSEC be disabled temporarily?
A: Yes. Remove the DS at the registrar and, once the old DS has expired from resolver caches (its TTL at the parent), your zone is treated as unsigned. Keep the zone signed until then: stripping signatures while a cached DS still points at your key makes validating resolvers return SERVFAIL. Downside: anything that relied on DNSSEC (DANE in particular) breaks until DNSSEC is restored.
Q: What happens if my DNS provider's DNSSEC infrastructure fails?
A: Validating resolvers return SERVFAIL. Your zone becomes effectively unreachable for validating resolvers. Non-validating resolvers still get unsigned responses. Choose a DNS provider with solid DNSSEC operational track record.
Q: Is DNSSEC widely deployed on UK domains?
A: Growing but not universal. Around 35-45% of .uk zones are signed as of 2026. UK government domains lead; private sector varies.
Q: Do UK government domains require DNSSEC?
A: .gov.uk domains are expected by NCSC to be DNSSEC-signed. Most central government departments are compliant.
Q: Can DNSSEC protect against cache poisoning?
A: Yes — that is one of its primary purposes. A cache poisoning attack attempts to inject forged records; DNSSEC validation detects the injection.
Q: Is DNSSEC the same as DoH (DNS over HTTPS)?
A: No — orthogonal. DoH encrypts DNS traffic to a specific resolver. DNSSEC authenticates DNS data regardless of transport. Ideally deploy both.
Q: Can I sign only specific records in my zone, not the whole zone?
A: No — DNSSEC signs zones comprehensively. Enable at zone level; all records become signed.
Q: What is the operational cost of running DNSSEC?
A: With managed DNS providers: effectively zero. With self-hosted DNS: ongoing key rotation and zone re-signing operations; modest but non-trivial.
Q: How often should I rotate DNSSEC keys?
A: ZSK: every 3-12 months. KSK: every 1-2 years. Managed DNS providers handle rotation schedules automatically.
Q: Does DNSSEC help with DDoS attacks on DNS?
A: Indirectly. It helps detect forged responses but does not prevent volumetric attacks, and the larger signed responses make a DNSSEC zone a more attractive reflection source, so rate limiting (response rate limiting on authoritative servers) matters more, not less. Use DNSSEC alongside DDoS protection (Cloudflare, AWS Shield) for robust DNS resilience.
Q: Can DNSSEC break legitimate DNS use cases?
A: Occasionally. Some GeoDNS or split-DNS setups are complex to sign correctly. Managed providers handle this transparently; self-hosted deployments need care.
Q: Is Algorithm 13 really preferred over Algorithm 8?
A: Yes for new deployments. ECDSA P-256 (Algo 13) produces smaller signatures, faster validation, and is universally supported in 2026. Algo 8 (RSA-SHA256) is fine for legacy compatibility but larger and slower.
Q: Does my domain registrar matter for DNSSEC?
A: The registrar must publish the DS record you provide. Most modern UK registrars (Gandi, 123-Reg, Namecheap, Cloudflare Registrar) support this. Older or cheaper registrars may not — check before relying on DNSSEC.
Q: How do I know if my domain is signed correctly?
A: Test at Verisign Labs DNSSEC Debugger, dnsviz.net, or dig +dnssec. A correctly signed domain shows a complete chain from root to your zone.
Q: If I deploy DNSSEC, do I need to update all my other DNS records?
A: No. Signing happens at the zone level; individual records are not modified. You continue managing records normally; the DNS host handles signing.
Q: Is DNSSEC a prerequisite for PCI DSS or similar compliance?
A: Not explicitly required but recognised as strong practice. Some audit frameworks treat DNSSEC as a positive signal in security posture reviews.
Q: Does DNSSEC work with Anycast DNS?
A: Yes. All major Anycast DNS providers (Cloudflare, AWS Route 53, Google Cloud DNS) combine Anycast and DNSSEC seamlessly.
Q: Can DNSSEC be combined with Split-Horizon DNS?
A: Yes but complex. Different views need consistent signing. Managed DNS services support split-horizon; self-hosted requires careful zone design.
Q: Is DNSSEC expected to reach universal UK deployment?
A: Probably yes, over the next 5-10 years. Gradual NCSC guidance and increasing email-security dependencies (DANE) push adoption. Universal deployment remains some years away.
Q: Does DNSSEC affect DNS-based load balancing or geo-DNS?
A: Most managed DNS providers integrate DNSSEC signing with geo-DNS and other dynamic features. Self-hosted complex configurations need care — signing must accommodate the dynamic aspects.
Q: Can I run DNSSEC on a subset of my zones (some signed, some not)?
A: Yes. Different zones are independently signed or not. A portfolio of UK domains can transition to DNSSEC gradually — sign the highest-value ones first.
Q: What is the typical DNSSEC key lifetime at NCSC Mail Check-compliant UK government domains?
A: ZSK: 3-6 months. KSK: 1-2 years. Specific practices vary by department but follow IETF best-current-practice recommendations.
Q: How does DNSSEC interact with a UK business's wildcard DNS records?
A: Wildcards are signed like any other record. When a wildcard answer is synthesised, the response also carries NSEC/NSEC3 records proving that no more specific name exists, so a resolver can verify that the wildcard expansion was legitimate. Modern DNSSEC providers handle wildcards correctly.
Q: Does Nominet provide DNSSEC to UK domain registrants directly?
A: Nominet operates the .uk registry which supports DNSSEC. Nominet-direct hosting (for domains on Nominet's own nameservers) includes DNSSEC. Most UK domains host DNS elsewhere.
Q: What is the Algorithm 13 key size?
A: ECDSA P-256 uses a 256-bit key. Public key is 64 bytes (smaller than RSA-2048's 256 bytes). Signatures are similarly compact.
Q: If I use Cloudflare for DNS, does their DNSSEC implementation work with any registrar?
A: Yes — Cloudflare generates a DS record that you publish at whatever registrar holds your domain. The registrar must accept DS publication; most do. Cloudflare Registrar automates DS publishing for domains transferred to it.
Q: Can DNSSEC issues affect non-email DNS lookups?
A: Yes — DNSSEC operates at zone level, covering all records (A, AAAA, MX, CNAME, TXT, etc.). A broken DNSSEC deployment affects everything resolved in that zone. Rapid rollback capability (remove DS, revert to unsigned) is essential.
Q: What if my ISP's recursive resolver does not validate DNSSEC?
A: Most major UK ISPs (BT, Sky, Virgin Media) and public resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9) validate. Small ISPs and corporate resolvers vary. You publish DNSSEC for those who validate; non-validators see unsigned data.
Q: Is NSEC3 preferable to NSEC for privacy reasons?
A: NSEC3 makes zone-walking (enumerating all zone contents via signed negative answers) harder, but not impossible: the hashed names can still be recovered offline by dictionary attack, so treat it as raising the cost rather than hiding the zone. If your zone contains names you would rather not have trivially enumerable, use NSEC3 with zero additional iterations (RFC 9276). For fully public zones, either works.
Q: Does DNSSEC help protect against DNS tunnelling or data exfiltration?
A: No — DNSSEC authenticates responses; it does not block misuse of DNS as a data channel. Separate tools (DNS firewalls, behavioural analysis) address tunnelling.
Q: Can I use DNSSEC with a CDN?
A: Yes. CDNs typically run their own DNS infrastructure with DNSSEC support. If you delegate DNS to a CDN-operated nameserver, the CDN handles DNSSEC signing.
Q: How long does the full DNSSEC deployment take from decision to active validation?
A: With a managed DNS provider: hours. Steps are: enable DNSSEC at DNS host, publish DS at registrar, wait for DS propagation (typically minutes to hours). Much faster than most other email security deployments.
Q: What are the consequences of DNSSEC signing key rollover going wrong?
A: If the old DNSKEY is withdrawn while resolvers still hold cached RRSIGs made with it, or a new key starts signing before resolvers have cached the DNSKEY set containing it, validating resolvers return SERVFAIL for your zone until caches clear. Best practice is to pre-publish a new key for at least one DNSKEY TTL before signing with it, and to remove an old key only after every signature it made has expired from caches.
Q: Does DNSSEC protect against domain hijacking via registrar account compromise?
A: No. DNSSEC assumes the DNS operator is legitimate. An attacker who gains control of your DNS account can re-sign the zone with their own keys, and one who controls the registrar account can simply replace the DS to match; resolvers then validate the attacker's signatures. Protect the DNS account credentials and the registrar account with MFA, and consider a registrar lock.
Q: Are there DNSSEC monitoring services for UK businesses?
A: Yes. Hardenize, DNSViz, and similar offer continuous monitoring of DNSSEC signing health. Alerts on chain breakage, algorithm drift, or expired signatures. Useful for high-sensitivity deployments.
Q: Does NCSC provide specific DNSSEC guidance for UK public sector?
A: Yes. NCSC's "Secure Web Hosting" and related guidance cover DNSSEC alongside other DNS security topics. Central government domains are expected to follow.
Q: Can DNSSEC affect DNS-based outbound authentication (e.g. mutual TLS)?
A: Indirectly. DANE for HTTPS (rare but exists) depends on DNSSEC exactly as DANE for email. Other outbound authentication mechanisms (OAuth, SAML) do not directly depend on DNSSEC but benefit from authenticated DNS.
Q: Is DNSSEC a prerequisite for MTA-STS enforce mode?
A: No. MTA-STS uses HTTPS trust for policy distribution and works on non-DNSSEC zones. DNSSEC is a nice-to-have for MTA-STS (protects the _mta-sts TXT record) but not required.
Q: Do I need to inform my mail recipients when I enable DNSSEC?
A: No. DNSSEC is invisible at the mail layer — recipients see no change. Validating DNS resolvers silently benefit.
Q: Can I check whether a specific UK domain has DNSSEC enabled?
A: Yes. dig +dnssec domain.co.uk DS @1.1.1.1 returns DS records if DNSSEC is enabled at the parent. DNSViz provides a graphical view of the chain.
Q: Is DNSSEC supported for .co.uk specifically?
A: Yes. Nominet supports DNSSEC for all .uk zones including .co.uk, .org.uk, .me.uk, .ltd.uk, .plc.uk, .ac.uk, .gov.uk.
Q: Can DNSSEC signing be hot-swapped between providers?
A: Complex. Moving a signed zone between DNS providers without a validation gap requires both providers to serve each other's DNSKEYs during the transition and the parent to carry DS records for both KSKs while caches update; only then can the old DS and nameservers be removed. Managed-provider tools simplify this; self-hosted migrations need planning. The simplest safe path is often to go insecure first (remove the DS, wait out its TTL), move, and re-sign at the new provider.
Q: What are the main arguments against deploying DNSSEC?
A: Historically — operational complexity, risk of misconfiguration breaking DNS, limited benefit without DANE. Modern managed DNSSEC removes most of these concerns. In 2026 the argument for deploying is much stronger than the argument against.