TL;DR — DNSSEC stops DNS hijacking by cryptographically signing your domain records. Enable it in three clicks on bunkerdomains, publish DS records at your registry, done.
Your domain gets cached everywhere—ISP resolvers, public DNS, CDN edges. Without DNSSEC, anyone between you and your users can rewrite those answers. They redirect your site to a phishing clone, intercept email, or push malware. DNSSEC makes that attack detectable.
What DNSSEC Actually Does
DNS was built in 1983 with zero authentication. A resolver asks "where's example.com?" and trusts whatever answer comes back. DNSSEC adds digital signatures to every DNS record. The signatures chain up to the root zone, which is signed by ICANN's root key. If someone tampers with your records in transit, the signature fails validation. The resolver drops the bogus answer.
This matters for:
- High-value targets: Crypto exchanges, activist platforms, darknet markets, whistleblower drops
- Email integrity: SPF/DKIM records can't be spoofed on the way to a validating resolver once DNSSEC is live
- HTTPS bootstrap: DANE (TLS cert validation via DNS) requires DNSSEC
- Censorship resistance: Harder to silently redirect your domain without breaking signatures
DNSSEC doesn't encrypt DNS queries—use DoH or DoT for that. It authenticates answers. Different problem, different tool.
How the Signature Chain Works
Your nameservers sign the zone with a private key (ZSK, Zone Signing Key). The public half of that key, published as a DNSKEY record, is itself signed by a second key, the KSK (Key Signing Key). A hash of your KSK public key becomes a DS record, which you publish at the registry; the registry (the TLD operator) places that DS in the TLD zone and signs it there. The TLD's own KSK is represented the same way by a DS record in the root zone, which the root key signs. Validators walk this chain from root to your domain.
If any link breaks (expired signature, missing or stale DS record, key rotated without updating the registry), validation fails. Validating resolvers answer SERVFAIL, so to users it looks as if the domain does not exist. There is no fallback to the unsigned data. That's the point.
Enabling DNSSEC on bunkerdomains
Log into your dashboard. Go to Domains → select your domain → DNS Settings → DNSSEC tab. Click Enable DNSSEC. We generate a key pair, sign your zone, and display the DS record.
You'll see something like:
example.com. 3600 IN DS 12345 13 2 A1B2C3D4E5F6...
Four fields matter:
| Field | Meaning |
|---|---|
| 12345 | Key Tag (identifier for this KSK) |
| 13 | Algorithm (13 = ECDSA P-256 with SHA-256) |
| 2 | Digest Type (2 = SHA-256) |
| A1B2C3… | Digest (hash of your public key) |
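Worked example, added here and not part of the bunkerdomains docs or code: it derives those four DS fields from a DNSKEY (key tag per RFC 4034 Appendix B, digest type 2 over owner name plus RDATA) and then walks the root-to-domain DS chain described above, showing the intact case, a stale DS left at the registry after a KSK rotation, and an unsigned subdomain. The 64-byte keys are constructed stand-ins for P-256 public keys, and the chain walk models only the DS-to-DNSKEY links (no RRSIG verification, no NSEC proof of a missing DS); both are assumptions of this example.

```python
"""DS records and the delegation chain (RFC 4034 section 5, Appendix B). Added example, not bunkerdomains code."""
import hashlib
import struct

ALG_ECDSAP256SHA256 = 13  # algorithm 13 from the table above
DIGEST_SHA256 = 2         # digest type 2 from the table above
KSK_FLAGS = 257           # ZONE (256) + SEP (1): the flags value a KSK carries


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry once."""
    if len(rdata) % 2:
        rdata += b"\x00"
    acc = sum(struct.unpack("!%dH" % (len(rdata) // 2), rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    """Digest type 2: SHA-256 over (owner name wire form || DNSKEY RDATA), upper-case hex."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes) -> dict:
    """The four DS fields the dashboard displays for a KSK."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": DIGEST_SHA256, "digest": ds_digest(owner, rdata)}


def parse_ds(line: str) -> dict:
    """Parse a presentation-format line: '<owner> <ttl> IN DS <tag> <alg> <dtype> <hex...>'."""
    p = line.split()
    i = p.index("DS")
    return {"owner": p[0], "key_tag": int(p[i + 1]), "algorithm": int(p[i + 2]),
            "digest_type": int(p[i + 3]), "digest": "".join(p[i + 4:]).upper()}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """A DS vouches for a DNSKEY only if key tag, algorithm, digest type and digest all agree."""
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest_type"] == DIGEST_SHA256 and ds["digest"] == ds_digest(owner, rdata))


def validate_chain(zones: list, trust_anchor: dict) -> tuple:
    """Walk the DS -> DNSKEY links from the root down to the last zone.

    Each zone is {'name', 'ksk_rdata' (bytes or None), 'ds_in_parent' (DS dict or None)}.
    Returns ('secure' | 'insecure' | 'bogus', reason). Assumption: only the DS/DNSKEY links are
    modelled; RRSIG verification and the NSEC proof that a DS is genuinely absent are omitted.
    """
    root = zones[0]
    if not ds_matches(trust_anchor, root["name"], root["ksk_rdata"]):
        return "bogus", "root KSK does not match the configured trust anchor"
    for zone in zones[1:]:
        ds = zone["ds_in_parent"]
        if ds is None:
            return "insecure", f"no DS for {zone['name']} in its parent: unsigned delegation"
        if zone["ksk_rdata"] is None or not ds_matches(ds, zone["name"], zone["ksk_rdata"]):
            return "bogus", f"DS for {zone['name']} matches no KSK in the zone (stale DS after a rotation?)"
    return "secure", f"chain validated down to {zones[-1]['name']}"


def _zone(name: str, public_key: bytes) -> dict:
    rdata = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, public_key)
    return {"name": name, "ksk_rdata": rdata, "ds_in_parent": make_ds(name, rdata)}


def demo() -> dict:
    """Three chains: intact, stale DS after a KSK rotation, and an unsigned subdomain delegation."""
    # Constructed 64-byte stand-ins for P-256 public keys; not real key material.
    root_key, com_key, new_key, old_key = (bytes([b]) * 64 for b in (1, 2, 3, 4))
    root = _zone(".", root_key)
    root["ds_in_parent"] = None  # the root has no parent; the trust anchor plays that role
    anchor = make_ds(".", root["ksk_rdata"])
    com = _zone("com.", com_key)
    example = _zone("example.com.", new_key)
    # Registry still holds the DS of the old KSK: a rotation done without updating the DS.
    stale = dict(example, ds_in_parent=make_ds("example.com.", dnskey_rdata(KSK_FLAGS, 13, old_key)))
    # Subdomain left unsigned: no DS published for it, which is a valid insecure delegation.
    sub = {"name": "dev.example.com.", "ksk_rdata": None, "ds_in_parent": None}
    return {"good": validate_chain([root, com, example], anchor)[0],
            "stale_ds": validate_chain([root, com, stale], anchor)[0],
            "unsigned_sub": validate_chain([root, com, example, sub], anchor)[0]}


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label}: {status}")
```

Run it as-is to see the three outcomes; feed `make_ds` the DNSKEY RDATA of a real KSK (with its real owner name) and the result should equal the DS your registry publishes, which is the same comparison a validating resolver performs at each delegation.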
Copy the full DS record. You need to submit it to your registry.
Publishing the DS Record
Most TLDs let you add DS records through the registrar control panel or EPP commands. On bunkerdomains:
- Go to Domain Management → DNSSEC Records
- Paste the DS record (or enter fields individually if the form splits them)
- Click Submit to Registry
We push it via EPP. Propagation takes 15 minutes to 24 hours depending on the TLD. .com/.net are fast. Some ccTLDs cache longer.
Algorithm Choice
We default to ECDSA P-256 (algorithm 13). Smaller keys, faster validation, widely supported since 2013. Legacy validators that choke on ECDSA are rare and broken. If you need RSA for compatibility with ancient infrastructure, contact support—we'll generate RSA-SHA256 keys manually, but you're solving a problem that shouldn't exist in 2025.
Validation and Troubleshooting
After publishing the DS record, check propagation:
dig +dnssec example.com
Look for the ad (authenticated data) flag in the flags line of the response header, and for RRSIG records next to the answer. Only a validating resolver sets ad, so query one (most public resolvers validate; point dig at a specific one with @resolver). If the flag is present, the resolver validated the chain. If it's missing, either DNSSEC isn't live yet, you asked a non-validating resolver, or something's broken. A SERVFAIL with no answer usually means the resolver rejected a broken chain.
Common failures:
- DS record not published: Registry hasn't processed your submission. Wait or check their logs.
- Signature expired: We auto-renew signatures 7 days before expiry. If you paused the domain or pointed nameservers elsewhere, signatures rot.
- Parent zone unsigned: A few TLDs still don't support DNSSEC (rare but real). Check the TLD's DNSSEC status before enabling.
- Nameserver mismatch: If you're using custom nameservers, make sure they're signing the zone. bunkerdomains nameservers handle this automatically.
Use DNSViz to visualize the chain. Red boxes mean broken signatures. Green means validated. It shows exactly where the chain fails.
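Added example, not part of the bunkerdomains docs: a small triage script for the checks above. It parses the text that `dig +dnssec` prints, reports whether the ad flag was set and whether RRSIGs came back, and maps the RRSIG validity window onto the failure list (expired signatures, signatures inside the 7-day re-sign window, SERVFAIL from a validating resolver). The three dig outputs embedded below are constructed samples, not real captures, and `now` is passed in the RRSIG timestamp format so the checks run offline.

```python
"""Triage a `dig +dnssec` answer: ad flag, RRSIG presence, signature lifetime. Added example."""
import re
from datetime import datetime, timedelta, timezone

RENEW_DAYS = 7        # signatures are re-issued 7 days before expiry, per the text above
TS = "%Y%m%d%H%M%S"   # RRSIG timestamp format (YYYYMMDDHHMMSS, UTC)

# Constructed dig output (not a real capture): validating resolver, healthy signed zone.
SAMPLE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.    3600    IN  A       192.0.2.10
example.com.    3600    IN  RRSIG   A 13 2 3600 20250301000000 20250201000000 12345 example.com. c29tZXNpZw==
"""

# Constructed: an answer with no ad flag and no RRSIG (DS not live, zone unsigned, or resolver not validating).
SAMPLE_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.    3600    IN  A       192.0.2.10
"""

# Constructed: a validating resolver refused to answer, the usual symptom of a broken chain.
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def parse_dig(text: str) -> dict:
    """Pull the status, the header flags and every RRSIG out of dig's text output."""
    status, flags, rrsigs = None, set(), []
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line and not line.startswith(";"):
            p = line.split()
            # RRSIG RDATA: type alg labels origttl expiration inception keytag signer signature
            if len(p) >= 12 and p[3] == "RRSIG":
                rrsigs.append({"owner": p[0], "type": p[4], "algorithm": int(p[5]),
                               "expiration": _ts(p[8]), "inception": _ts(p[9]),
                               "key_tag": int(p[10]), "signer": p[11]})
    return {"status": status, "flags": flags, "rrsigs": rrsigs}


def diagnose(text: str, now: str) -> dict:
    """Map dig output onto the failure modes listed above. `now` uses the RRSIG timestamp format."""
    r = parse_dig(text)
    t = _ts(now)
    problems = []
    if r["status"] == "SERVFAIL":
        problems.append("SERVFAIL: a validating resolver rejected the chain (bogus) or could not reach the zone")
    elif not r["rrsigs"]:
        problems.append("no RRSIG in answer: zone unsigned, DS not yet live, or resolver not returning DNSSEC data")
    for sig in r["rrsigs"]:
        left = sig["expiration"] - t
        if t > sig["expiration"]:
            problems.append(f"RRSIG over {sig['type']} expired {sig['expiration']:%Y-%m-%d}: signatures have rotted")
        elif left < timedelta(days=RENEW_DAYS):
            problems.append(f"RRSIG over {sig['type']} expires in {left.days} days, inside the "
                            f"{RENEW_DAYS}-day re-sign window; check that signing still runs")
        if t < sig["inception"]:
            problems.append(f"RRSIG over {sig['type']} not valid until {sig['inception']:%Y-%m-%d}: clock skew on the signer?")
    return {"validated": "ad" in r["flags"], "signed": bool(r["rrsigs"]), "problems": problems}


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("unsigned", SAMPLE_UNSIGNED), ("servfail", SAMPLE_SERVFAIL)):
        print(label, diagnose(sample, "20250215000000"))
```

To use it on a live domain, pipe real `dig +dnssec` output into `diagnose` with the current UTC time; "validated" False together with "signed" True points at the resolver (not validating), while "signed" False after the DS has had time to propagate points at the zone or the registry.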
Key Rotation
We rotate ZSKs every 90 days; the KSK rotates annually. You don't touch anything: our automation re-signs the zone and pushes the updated DS record to the registry on every KSK rollover. If you manage keys manually (custom nameservers), set calendar reminders. A KSK rolled without an updated DS at the registry, or signatures left to expire, breaks the domain.
Mixed Content and Partial Signing
You can sign the apex and leave subdomains unsigned; just don't publish DS records for the subs. Unsigned delegations work fine under a signed parent. The reverse (signed child under unsigned parent) can't be validated: with no DS in the parent there is nothing for a resolver to anchor the child's keys to, so the chain must be unbroken from the root down.
Performance Impact
DNSSEC responses are 3–5x larger due to signature (RRSIG) records. IPv6 + DNSSEC can push a UDP response over 512 bytes, triggering fragmentation or TCP fallback. Modern resolvers handle this. Ancient embedded devices (IoT routers with 2 MB firmware) sometimes fail.
If your audience is 95% modern desktops/phones, enable it. If you're serving rural networks with decade-old CPE, test first. We've seen under 0.1% breakage rate in practice, but that 0.1% will complain loudly.
Why Bother If You Use HTTPS?
TLS encrypts the connection. DNSSEC authenticates the DNS answer that tells the browser which IP to connect to. An attacker can't read your HTTPS traffic, but without DNSSEC they can redirect you to a lookalike server with a valid Let's Encrypt cert for examp1e.com. DNSSEC stops the redirect. DANE goes further: it pins your TLS cert in DNS (a TLSA record), so a cert issued for your domain by a compromised CA doesn't match the pin and DANE-aware clients reject it.
Crypto exchanges, PGP keyservers, and Tor bridge operators should run DNSSEC + DANE. Everyone else: it's free insurance.
DNSSEC turns DNS from a postcard into a notarized document. Enable it, publish the DS record, validate. If someone tries to hijack your domain mid-flight, the signature breaks and the attack dies. No trust required.