DNSSEC uses digital signatures to verify the authenticity and integrity of DNS records. In essence, it establishes a chain of trust that cannot be spoofed, running from the root zone down through the TLD to the authoritative nameserver, which validating caching resolvers (e.g., BIND, Unbound) then verify before handing an answer to clients. Of course, there is more to it than that.
There are many reasons to turn on DNSSEC; ignoring some of them can be outright detrimental to a business (loss of revenue, for instance).
It may surprise you to find that a number of household-name domains do not use DNSSEC.
In general, these are some reasons to use DNSSEC:
It goes without saying that DNSSEC is not a panacea.
To have DNSSEC turned on for a domain, you need three parties working in tandem with each other: the registrar, the authoritative DNS operator, and the TLD registry, which publishes the DS record in the parent zone.
For illustrative purposes, I will use my domain ishworgurung.com.
My personal domain ishworgurung.com is registered with Namecheap, and the authoritative nameservers are at Vultr.
So, to set up DNSSEC for my domain, I need to generate a fresh copy of the DS (Delegation Signer) records from Vultr. Of particular use are:
Vultr generates three DS records by default; copy them into Namecheap's DNSSEC console. Until the registrar has passed the DS to the .com registry, validating resolvers treat the zone as unsigned, and if the DS published in the parent ever stops matching the KSK served by the zone (for example after a key rollover or a move to another DNS provider), validating resolvers will return SERVFAIL for the whole domain. Update the DS at the registrar first, and only retire the old key after the parent's DS TTL has expired.
Some handy tools the internets has to offer
dig +short ds ishworgurung.com
dig +short dnskey ishworgurung.com
dig +short nsec ishworgurung.com
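The DS record is nothing more than a hash over the zone's KSK, so the hand-off between Vultr and Namecheap described above can be checked rather than trusted: recompute the DS from the DNSKEY the zone serves and compare it with what the parent publishes. The script below is an added example, not code from the original post, from Vultr or from Namecheap. It implements the key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4) over a constructed 4-byte dummy DNSKEY, since a real ECDSA key is not on the page; with real output from the `dig +short dnskey` and `dig +short ds` commands above it works the same way.

```python
# Added example (not from the original post): recompute a DS record from a DNSKEY
# so you can check that the DS the registrar holds matches the KSK the zone serves.
# The DNSKEY used in __main__ is a constructed dummy (4-byte key), not a real key.
import base64
import hashlib
import struct

# DS digest types (IANA registry) still in use: 1 SHA-1, 2 SHA-256, 4 SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the
    obsolete RSA/MD5, algorithm 1, which has its own rule and is not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(text):
    """Accept either a full RR ('owner ttl IN DNSKEY 257 3 13 base64...') or the
    'dig +short' form ('257 3 13 base64...'). dig may split the base64 across
    several whitespace-separated chunks, so everything after the algorithm is joined."""
    parts = text.split()
    if "DNSKEY" in parts:
        parts = parts[parts.index("DNSKEY") + 1:]
    flags, protocol, algorithm = (int(p) for p in parts[:3])
    pubkey = base64.b64decode("".join(parts[3:]))
    return flags, protocol, algorithm, pubkey


def make_ds(owner, dnskey_text, digest_type=2):
    """Return the DS record in presentation form: 'keytag algorithm digesttype digest'.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(owner, dnskey_text, ds_text):
    """True if a published DS ('keytag alg dtype hex'; dig may split the hex) was
    derived from this DNSKEY. The digest type is taken from the DS itself."""
    parts = ds_text.split()
    tag, algorithm, digest_type = (int(p) for p in parts[:3])
    published = "%d %d %d %s" % (tag, algorithm, digest_type, "".join(parts[3:]).upper())
    try:
        return make_ds(owner, dnskey_text, digest_type) == published
    except KeyError:
        # Unknown digest type: a validator cannot use it, so it does not match.
        return False


if __name__ == "__main__":
    # Constructed input standing in for a `dig +short dnskey ishworgurung.com` line.
    ksk = "257 3 13 AQIDBA=="
    ds = make_ds("ishworgurung.com", ksk)
    print(ds)
    # In practice, compare against each line of `dig +short ds ishworgurung.com`.
    print(ds_matches("ishworgurung.com", ksk, ds))
```

Feed it the KSK line (flags 257) from `dig +short dnskey` and each line from `dig +short ds`; if none of the published DS records matches the served KSK, validating resolvers will fail the zone, which is exactly the rollover and provider-migration failure mode that takes a domain offline.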
Someone on the internet said:
DNSSEC is a tool, not a religion. Please try to understand how the tool works before criticizing it.
And I agree. DNSSEC is a good thing - let’s do more of it; not less.
I leave you with Dr. Casey Deccio's Hello Summer Break. Dr. Deccio is the original author of DNSViz.