Products
Discover
Help Center
Domains

Domains Help

What is DNSSEC?

Domain Name Security Extensions (DNSSEC) is an advanced DNS feature that adds an extra layer of security to your domains by attaching digital signature (DS) records to their DNS information. Upgrade to Premium DNS and you can enable DNSSEC in your account. If you're using self-managed DNSSEC, you can manually add a DS record in your account.

Select a question to see its answer:

What is DNSSEC?

Domain Name System Security Extensions (DNSSEC) add digital signatures to a domain name's DNS (Domain Name System) to determine the authenticity of the source domain name. It's designed to protect Internet users from forged DNS data, such as a misleading or malicious address instead of the legitimate address that was requested.

When DNSSEC is enabled, DNS lookups use a digital signature to verify that the source of your site's DNS is valid. This helps prevent certain types of attacks; if the digital signature does not match, browsers will not display the site.

Back to top

Why does my website no longer resolve after I enabled DNSSEC?

The digital signature you store in a DS (Delegation of Signing) record must match the digital signature that your domain's nameservers produce. If it doesn't, the domain can't resolve to your website. Carefully review the DS record information you entered against the zone record stored on the nameserver and make sure they match.

Back to top

How do I enable DNSSEC and sign my zone?

GoDaddy offers a fully-managed option for DNSSEC through our Premium DNS. If your domain is using GoDaddy nameservers, you can enable DNSSEC on your domains and we'll take care of the zone signing process on your behalf.

If your domain is registered with GoDaddy but isn't using GoDaddy nameservers, you'll need to set up self-managed DNSSEC through your DNS provider. You'll need to digitally create private and public keys and generate a Declaration of Signing record during the domain signing process. The requirements and restrictions may vary based on your domain's registry and your DNS provider. Reach out to your DNS provider for more information, or switch to GoDaddy nameservers and Premium DNS to enable fully-managed DNSSEC through us.

Back to top

How do I know if the URL I've requested is DNSSEC-aware?

If there's a verification problem with a DNSSEC-aware URL, you receive a message indicating that the site does not exist.

Unfortunately, browsers aren't currently set up to identify DNSSEC. They don't give you visual feedback for DNSSEC-secured sites like they do with the padlock icon when a site is secured by an SSL.

Back to top

Since DNSSEC makes the Internet more secure, why doesn't everyone use it?

Implementing DNSSEC across the Internet is a big effort. Implementation requires effort, consensus and expenses (often significant) world-wide. Implementation is moving steadily forward, one domain name extension and its registry at a time. As each extension becomes DNSSEC-aware, we'll be there to support the effort for domain names registered through us.

Back to top

Is there any reason I shouldn't use DNSSEC?

While there is no absolute reason a domain shouldn't use DNSSEC, there are some things that might make it less desirable . DNSSEC is more information intensive, which can reduce site performance. It also makes DNS more fragile and can slightly increase the chance of failure.

But for those who have valuable data to protect, the potential risks are minimal and enabling DNSSEC can be a valuable decision. If you're not a regular target of malicious activity, don't collect sensitive data and aren't in a high-profile position (i.e., a political figure), you may want to forego DNSSEC.

Back to top

Related step

More info

Share this article

Related articles