Defaults.Exposed

Defaults.Exposed › Reports

The DNSSEC Paradox: More Domains Break It Than Get It Right (2026)

Published 2026-06-29

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. See how we grade.

DNSSEC is supposed to make your domain harder to hijack — but it’s so fiddly that more domains have it broken than have it working. Across 261 million domains, 3.02% have signed but broken DNSSEC, versus only 1.99% that have it valid. The remaining 94.99% don’t attempt it at all. DNS is the layer the security conversation forgets — and the numbers show it.

What the data says

DNSSEC stateShare of domains
Valid (signed, working)1.99%
Broken (signed, misconfigured)3.02%
Not signed at all94.99%

More domains sit in the broken row than the valid row. That’s the paradox: among the small minority who turn DNSSEC on, the majority get it wrong.

Why is broken DNSSEC worse than no DNSSEC?

Unsigned DNSSEC is simply unprotected. Broken DNSSEC is actively dangerous: a validating resolver will refuse to resolve a domain whose signatures don’t check out, so a misconfiguration can take your domain completely offline for a chunk of the internet — no website, no email — until it’s fixed. The very feature meant to protect you becomes a self-inflicted outage. That risk, plus genuinely tricky key-rollover and registrar handoff, is why adoption stays near the floor.

The wider DNS-security gap

DNSSEC isn’t the only neglected DNS control. CAA records — which restrict who can issue TLS certificates for your domain and quietly block a class of mis-issuance attacks — are present on just 1.56% of domains. DNS is foundational: if it’s hijacked, every other control downstream can be bypassed. Yet it’s the layer fewest owners ever touch.

Should I turn on DNSSEC?

For most small businesses, the priority order is email authentication and HTTPS first — those stop the attacks you actually face daily. DNSSEC matters, but only done correctly: a broken signature is worse than none. If you enable it, use a provider that manages signing and key rollover for you, and verify it validates end to end afterwards. See fix DNSSEC and fix CAA.

Frequently asked questions

Is broken DNSSEC really worse than no DNSSEC? Yes. No DNSSEC just means no extra protection. Broken DNSSEC can make your domain fail to resolve for validating networks — taking your site and email offline until fixed.

What share of domains use DNSSEC correctly? Only 1.99% as of 2026-06-29 — fewer than the 3.02% that have it signed but broken.

What is a CAA record and do I need one? CAA restricts which certificate authorities may issue certificates for your domain, blocking a class of mis-issuance. Just 1.56% of domains set one. It’s a cheap, low-risk addition.

Should a small business prioritise DNSSEC? Usually after email authentication and HTTPS. Do those first; add DNSSEC only if you can manage it correctly.

Check your domain’s DNS security free

See your DNSSEC and CAA status — and the controls that matter more — privately and owner-only.

Check your domain → · Fix DNSSEC → · Fix CAA → · How we grade → · Aggregate data only. Data stored and processed in the EU.