DNSSEC (DNS Security Extensions)

DNS

Cryptographic signatures on DNS records that prove the response hasn't been tampered with. Prevents DNS spoofing and cache poisoning attacks. Does not encrypt queries.

Updated Mar 9, 2026

Full Explanation

DNSSEC adds digital signatures to DNS responses. When a resolver gets a DNS answer, it can verify the signature chain, zone by zone, all the way up to the root zone's trust anchor. If someone tampered with the response (DNS spoofing, cache poisoning), the signature won't validate and the resolver rejects it.

For CDN operations, DNSSEC adds trust to the first step of every request. Without it, an attacker could redirect users to a malicious server by poisoning DNS caches. With DNSSEC, the CDN's DNS records are cryptographically signed and verifiable.

The downside: DNSSEC adds operational complexity and slightly larger DNS responses (each signed answer carries its RRSIG records). It also doesn't encrypt DNS queries, so observers can still see which domains you're looking up. For privacy you need DNS over HTTPS (DoH) or DNS over TLS (DoT) on top of DNSSEC.

Examples

# Check if a domain has DNSSEC
$ dig +dnssec example.com
;; flags: qr rd ra ad;  # 'ad' flag = Authentic Data (DNSSEC validated)

# View DNSSEC records
$ dig DNSKEY example.com +short
256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeq...
257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJ...

# Verify DNSSEC chain
$ dig +trace +dnssec cdn.example.com | grep RRSIG
cdn.example.com. 300 IN RRSIG CNAME 13 3 300 20260401...

# delv: detailed DNSSEC validation
$ delv @8.8.8.8 example.com
; fully validated
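To make the dig output above concrete, here is an added Python example (not code from this page or from any DNS tool) that parses DNSKEY and RRSIG records in the presentation format dig prints, computes the RFC 4034 key tag that links an RRSIG to the DNSKEY that signed it, checks the RRSIG validity window, and reads the 'ad' flag from a dig header line. The DNSKEY values (base64 of bytes 01 02 03 04) and the RRSIG line are constructed for illustration and are not real keys or signatures; the cryptographic signature check itself is left to a validating resolver such as delv.

```python
"""Added example (not from the page): inspect DNSKEY and RRSIG records in the
presentation format `dig` prints, compute RFC 4034 key tags, and check whether
an RRSIG is inside its validity window and signed by a key the zone publishes.
All record data below is constructed for illustration; the keys are not real."""
import base64
from datetime import datetime, timezone

# DNSSEC algorithm numbers a validator commonly meets (IANA registry)
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}


def parse_dnskey(rdata_text):
    """Parse '<flags> <protocol> <algorithm> <base64 key>' as shown by `dig DNSKEY +short`."""
    flags, protocol, algorithm, *key_parts = rdata_text.split()
    return {
        "flags": int(flags),
        "protocol": int(protocol),
        "algorithm": int(algorithm),
        "key": base64.b64decode("".join(key_parts)),
    }


def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B: 16-bit checksum over the wire-format DNSKEY RDATA.
    RRSIG records carry this tag so validators can pick the right DNSKEY."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags):
    """Flags 256 = Zone Key (ZSK); 257 = Zone Key + SEP bit, conventionally the KSK."""
    if not flags & 0x100:
        return "not a zone key"
    return "KSK" if flags & 0x1 else "ZSK"


def parse_time(text):
    """RRSIG inception/expiration are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse a presentation-format RRSIG line as printed by `dig +dnssec`."""
    f = line.split()
    if f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": parse_time(f[8]),
        "inception": parse_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature": "".join(f[12:]),
    }


def check_rrsig(rrsig, dnskeys, now):
    """Return the list of reasons this RRSIG would fail validation (empty = ok).
    Checks the time window and that a zone key with the same algorithm and key
    tag exists; the actual cryptographic verification is left to a resolver."""
    problems = []
    if now < rrsig["inception"]:
        problems.append("not yet valid")
    if now > rrsig["expiration"]:
        problems.append("expired")
    candidate_tags = {
        key_tag(k["flags"], k["protocol"], k["algorithm"], k["key"])
        for k in dnskeys
        if k["flags"] & 0x100 and k["algorithm"] == rrsig["algorithm"]
    }
    if rrsig["key_tag"] not in candidate_tags:
        problems.append("no zone key with matching algorithm and key tag")
    owner_labels = len(rrsig["owner"].rstrip(".").split("."))
    if rrsig["labels"] > owner_labels:
        problems.append("labels field exceeds owner name label count")
    return problems


def validated_by_resolver(dig_flags_line):
    """True when the resolver set AD (Authentic Data) in the dig header line."""
    flags = dig_flags_line.split("flags:", 1)[1].split(";", 1)[0].split()
    return "ad" in flags


if __name__ == "__main__":
    # Constructed sample data: the base64 key is just bytes 01 02 03 04.
    keys = [parse_dnskey("256 3 13 AQIDBA=="), parse_dnskey("257 3 13 AQIDBA==")]
    for k in keys:
        print(key_role(k["flags"]), ALGORITHMS.get(k["algorithm"]), "tag", key_tag(**k))
    sig = parse_rrsig(
        "cdn.example.com. 300 IN RRSIG CNAME 13 3 300 20260401000000 "
        "20260309000000 2067 example.com. c2lnbmF0dXJlYnl0ZXM="
    )
    for when in ("20260315000000", "20260402000000"):
        print(when, check_rrsig(sig, keys, parse_time(when)) or "ok")
```

Two practical notes. The 'ad' bit only tells you that the resolver you asked claims to have validated; it is only trustworthy when the path to that resolver is itself protected (a local validating resolver, or DoT/DoH to one you trust), otherwise the bit can be forged in transit like any other header field. And expired RRSIGs are the most common self-inflicted DNSSEC outage: a zone that stops re-signing keeps serving answers that every validating resolver will reject, so monitoring the expiration field of your own RRSIGs the way this check does is a cheap early warning.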

Related CDN concepts include:

  • CNAME — A DNS record type that maps one domain name to another (an alias). CDNs use …
  • DNS TTL — Time To Live for DNS records—how long resolvers and clients should cache a DNS response …
  • DNS (Domain Name System) — The internet's phone book—translates human-readable domain names (example.com) into IP addresses (93.184.216.34). Every CDN request …
  • TLS (Transport Layer Security) — The encryption protocol that secures HTTPS connections. TLS encrypts data in transit between client and …