DNSSEC Enabled

What This Check Does

The DNSSEC Enabled check verifies that DNSKEY records exist for your domain, indicating that DNSSEC (DNS Security Extensions) has been enabled. DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that responses have not been tampered with during transit.

DNS Spy queries for DNSKEY records at your domain. If no DNSKEY records are found, DNSSEC is not enabled and this check fails.

Why It Matters

Without DNSSEC, DNS responses are transmitted in plain text with no authentication mechanism. This leaves DNS vulnerable to cache poisoning attacks, where an attacker injects false DNS records into a resolver's cache, redirecting your users to malicious servers. DNSSEC counters this threat by allowing validating resolvers to verify cryptographically that DNS responses are authentic and unmodified.

DNSSEC adoption is growing, with many TLDs, government domains, and enterprise environments now requiring it. Enabling DNSSEC demonstrates a commitment to security and protects your users from sophisticated DNS-based attacks.

NIST SP 800-81, Section 4, provides comprehensive guidance on DNSSEC deployment and strongly recommends enabling DNSSEC for all domains. DNS Spy helps you verify and maintain your DNSSEC implementation.

NIST SP 800-81 Compliance

Section 4 of the NIST Secure DNS Deployment Guide is dedicated to DNSSEC. It recommends that all organizations deploy DNSSEC for their authoritative zones. DNS Spy's monitoring ensures your DNSSEC remains enabled and alerts you if DNSKEY records are accidentally removed or the signatures covering them expire, maintaining compliance with NIST Section 4 requirements.

Good vs. Bad Configuration

Bad Configuration

No DNSKEY records exist for example.com. DNS responses are unauthenticated and vulnerable to cache poisoning and man-in-the-middle attacks.

Good Configuration

example.com has DNSKEY records with both a Key Signing Key (KSK) and a Zone Signing Key (ZSK). All zone records are signed with valid RRSIG records, and DS records are published at the parent zone.
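The good and bad configurations above, as an added Python example that is not DNS Spy's own code: it parses DNSKEY records in presentation format, tells KSK from ZSK by the flags field, computes each key's key tag (RFC 4034 Appendix B), and checks that a parent DS record matches the KSK. The two sample records are constructed with four bytes of fake key material; the function names are this example's own.

```python
import base64, hashlib
from dataclasses import dataclass
ZONE_FLAG, SEP_FLAG = 0x0100, 0x0001  # RFC 4034 s2.1: ZONE bit; SEP bit marks the KSK

@dataclass
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def role(self) -> str:
        if not self.flags & ZONE_FLAG:
            return "non-zone"  # not a zone key; counts for neither role
        return "KSK" if self.flags & SEP_FLAG else "ZSK"
    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key
    def key_tag(self) -> int:
        # RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry once, keep 16 bits
        ac = sum(b if i & 1 else b << 8 for i, b in enumerate(self.rdata()))
        return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF
    def ds_digest_sha256(self) -> str:
        # RFC 4034 s5.1.4: SHA-256 over the owner name in wire format followed by the RDATA
        labels = self.owner.rstrip(".").lower().split(".")
        wire = b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"
        return hashlib.sha256(wire + self.rdata()).hexdigest().upper()

def parse_dnskey(line: str) -> DnsKey:
    # Presentation format: owner [TTL] [IN] DNSKEY flags protocol algorithm base64-key
    f = line.split()
    i = f.index("DNSKEY")
    return DnsKey(f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), base64.b64decode("".join(f[i + 4:])))

def assess(dnskey_lines: list) -> str:
    # Mirrors the check: no DNSKEY at all fails; a key set lacking a KSK or ZSK is flagged
    roles = {parse_dnskey(line).role() for line in dnskey_lines}
    if not roles:
        return "FAIL: no DNSKEY records, DNSSEC not enabled"
    return "PASS: KSK and ZSK present" if {"KSK", "ZSK"} <= roles else "WARN: DNSKEY present but KSK or ZSK missing"

def ds_matches(ds_line: str, keys: list) -> bool:
    # Parent DS: owner [TTL] [IN] DS key-tag algorithm digest-type digest (digest type 2 = SHA-256)
    f = ds_line.split()
    i = f.index("DS")
    tag, alg, dtype, digest = int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()
    return dtype == 2 and any(k.role() == "KSK" and k.key_tag() == tag and k.algorithm == alg
                              and k.ds_digest_sha256() == digest for k in keys)
# Constructed sample records: four bytes of fake key material (AQIDBA== is 01 02 03 04), not a real key
SAMPLE_DNSKEYS = ["example.com. IN DNSKEY 257 3 13 AQIDBA==", "example.com. IN DNSKEY 256 3 13 AQIDBA=="]
```

Feed it the DNSKEY lines from a `dig +multi DNSKEY example.com` answer and the DS line from the parent to reproduce the check by hand; a DS whose key tag or digest matches no KSK is the "good configuration" silently failing at the parent.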

How DNS Spy Monitors This

DNS Spy queries for DNSKEY records during each monitoring cycle. If DNSKEY records are absent, an alert notifies you that DNSSEC is not enabled. For domains with DNSSEC enabled, DNS Spy also monitors key presence over time, alerting you if keys are accidentally removed or changed.