Products
Discover
Help Center
Domains

Domains Help

What is DNSSEC?

DNSSEC is an advanced DNS feature that adds extra security to your domains. You'll need Premium DNS in your GoDaddy account to use DNSSEC on domains using GoDaddy nameservers.

Note: If your domain is registered with GoDaddy, but isn't using our nameservers, you can manually add a DS record in your account.

Select a question to see its answer:

What is DNSSEC?

DNSSEC stands for Domain Name System Security Extensions. It's a security protocol that adds an extra layer of protection to the Domain Name System (DNS) — the contacts list of the internet. DNSSEC works by digitally signing DNS records to ensure they aren't tampered with or forged during transit. DNSSEC helps prevent cybercriminals from redirecting internet traffic to malicious websites, such as phishing websites.

Why is DNSSEC important?

DNSSEC helps ensure the integrity and authenticity of DNS. Without DNSSEC, cybercriminals can manipulate DNS records and redirect internet traffic to malicious websites, which could result in identity theft, financial loss or other types of cybercrime. DNSSEC helps to prevent these types of attacks and provides a more secure internet experience for everyone.

How does DNSSEC work?

DNSSEC works by using keys to digitally sign DNS records. These keys create a chain of trust through the DNS system that ensures that the DNS records used match the DNS provided in the domain's zone file on its nameservers.

Back to top

How do I activate DNSSEC for my domain?

DNSSEC is available when you have Premium DNS in your GoDaddy account and your domain is using GoDaddy nameservers. You can turn on DNSSEC for domains using GoDaddy nameservers, and we'll take care of the zone signing process on your behalf.

If your domain isn't using GoDaddy nameservers, you'll need to set up DNSSEC through your DNS provider. You'll need to digitally create private and public keys and generate a Declaration of Signing record during the domain signing process. The requirements and restrictions may vary based on your domain's registry and DNS provider. Reach out to your DNS provider for more information, and once you have DNSSEC set up, you can manually add the DS records to your domains registered with GoDaddy.

What are the benefits of using DNSSEC?

DNSSEC offers increased security, improved privacy and better protection against cyberattacks. Digitally signed DNS records help prevent DNS spoofing, cache poisoning and other types of DNS attacks. This process helps to ensure that internet users are directed to the correct websites and that their data remains secure. DNSSEC also provides enhanced privacy by helping prevent third parties from manipulating DNS queries.

What are the limitations of DNSSEC?

Some limitations include increased complexity, higher resource requirements and limited support from some DNS providers. Implementing DNSSEC requires additional infrastructure, such as key management, and can be challenging for smaller organizations with limited resources. Not all DNS providers support DNSSEC, which can limit its effectiveness.

Back to top

How does DNSSEC affect DNS performance?

DNSSEC adds more processing time and network overhead because it requires additional steps to verify DNS records, which can slow down DNS resolution times. The larger size of signed DNS records can increase network traffic and result in longer download times. These performance impacts are typically small and largely outweighed by the benefits of increased security.

How can I check if DNSSEC is on a domain and set up correctly?

You can use an online tool to check the current status of DNSSEC on a domain, such as DNSViz, Verisign DNSSEC Debugger and ZoneCheck. Enter the domain you want to check and wait for the tool to generate a report. The report will show you whether the domain has DNSSEC active or not. If DNSSEC is active, the report will also show you details about the DNSSEC keys and signatures for the domain.

Note: GoDaddy can't provide support for these types of tools and aren't responsible for the results they provide.

There's no visual feedback for DNSSEC-secured sites, unlike with the padlock icon that indicates a site secured with an SSL. In most cases, if a site has DNSSEC activated, you won't notice a thing. And if there's an issue and the DNS doesn't resolve properly, you'll get a message with more details.

Back to top

How can I troubleshoot DNSSEC issues?

Most DNSSEC issues will be related to the digital signatures stored on the domain's nameservers. If the DS records don't match those digital signatures, the domain can't resolve properly.

If you're using GoDaddy nameservers, we'll make sure the digital signatures and DS records are set up correctly on your behalf. If you're not using GoDaddy nameservers, you'll need to review your settings with your DNS provider where you set up DNSSEC originally.

Is DNSSEC necessary for my website or organization?

DNSSEC isn't required for every website or organization, but it's strongly recommended for sites that handle sensitive information or have a high risk of cyberattacks. DNSSEC helps ensure the integrity and authenticity of DNS, which is particularly important for organizations that handle financial transactions, medical records or other sensitive data. Some industries or countries may have specific regulatory requirements that mandate the use of DNSSEC.

Why doesn't everyone use DNSSEC?

Implementation requires effort, consensus and expenses (often significant) worldwide. Implementation is moving steadily forward, one domain name extension and its registry at a time. As each extension becomes DNSSEC-aware, we'll be there to support the effort for domain names registered through GoDaddy.

Back to top

Related step

More info

Share this article

Related articles