Defaults.Exposed › Reports
What Is DNSSEC — and Do You Actually Need It? (2026)
Published 2026-07-01
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. DNSSEC adds cryptographic signatures to DNS so a resolver can prove an answer really came from you and wasn’t tampered with. See how we grade.
DNSSEC stamps every DNS answer for your domain with a signature, so an attacker can’t quietly swap in a fake one and send your visitors somewhere else. It’s one of the least-adopted controls on the web: only 1.99% of 261 million domains have a valid signed chain. It’s also one of the few where a bad configuration is worse than none — 3.02% of domains are signed but broken, which can make them unreachable. Here’s what it does and whether you need it.
What DNSSEC actually protects against
Plain DNS has no way to prove an answer is genuine. That opens the door to cache poisoning and on-path DNS spoofing — an attacker feeds a resolver a forged record and points your visitors, or your email, at their server, with no certificate warning to give it away. DNSSEC closes that gap by signing the records so a validating resolver rejects anything that doesn’t verify.
What it does not do: it doesn’t encrypt DNS, doesn’t secure the website itself, and doesn’t replace HTTPS, DMARC or CAA. It’s one layer — integrity for DNS answers.
The adoption picture
- 1.99% signed and valid.
- 3.02% signed but broken — a signature that fails validation, which can drop the domain for anyone using a validating resolver. This is the risk that makes people wary.
- Where a registry actively promotes it, uptake is far higher: registry-driven country endings reach 9.1% valid, against 1.3% across other country endings. Adoption is a policy lever, not a technical limit. See does mandatory DNSSEC work and the DNSSEC paradox.
By domain ending, valid DNSSEC ranges widely: 18.38% on .se, 11.86% on .nl, 14.62% on .cz — against just 1.62% on .com.
Do you need it?
- Higher-value or targeted domains — banks, government, infrastructure, anything where redirecting users or mail is a serious prize — benefit most.
- Compliance-driven organisations — DNSSEC increasingly appears in security questionnaires and some sector rules.
- Everyone else — it’s a reasonable hardening step if your DNS host makes it one-click and manages key rollovers for you. If enabling it means hand-managing keys you might get wrong, the broken-signature risk is real — do it where it’s automated.
How to turn it on safely
- Use a DNS host that automates DNSSEC — signing and key rollovers handled for you (most major providers now do this in one click). See fix DNSSEC.
- Enable signing, then publish the DS record at your registrar to complete the chain of trust.
- Validate that the chain resolves before you walk away — a signed-but-broken domain is worse than an unsigned one.
- Never hand-manage keys unless you have the tooling to rotate them reliably.
Frequently asked questions
What is DNSSEC in simple terms? It’s a set of digital signatures on your DNS records so resolvers can prove the answer is genuine and wasn’t forged in transit.
Do I really need DNSSEC? It’s most valuable for high-target domains and where compliance asks for it. For everyone else it’s a good hardening step if your DNS host automates it — the main risk is a misconfiguration, which 3.02% of domains currently have.
Does DNSSEC encrypt my DNS? No. It proves integrity (the answer is authentic) but doesn’t hide the query. That’s a different technology (DoH/DoT).
Can DNSSEC break my website? A broken or expired signature can make your domain unresolvable for anyone using a validating resolver. That’s why automated signing and key rollover matter.
Is DNSSEC free? Yes on most modern DNS hosts — it’s a setting, not a purchase.
Check your domain’s DNSSEC free
See whether your domain is signed, valid, and correctly chained — privately, and owner-only.
Check your domain → · Fix DNSSEC → · Does mandatory DNSSEC work? → · How we grade → · Aggregate data only. Data stored and processed in the EU.