When you type a web address into your browser, you rely on the Domain Name System (DNS). The DNS resolves names like interisle.substack.com into the IP addresses that computers use to reach each other over the Internet, in this case 104.18.37.200.
It’s fast and indispensable. But the DNS was designed in the 1980s, long before today’s online threat environment. Security wasn’t a part of its original design. That leaves an opening: attackers can forge DNS answers, redirecting users to fake sites for phishing or to plant malware.
To fix this, the Internet Engineering Task Force (IETF) produced DNS Security Extensions (DNSSEC). First standardized in 2005, DNSSEC adds cryptographic signatures to DNS responses, giving DNS resolvers a way to verify the authenticity of the addresses.
In the abstract, it’s a compelling addition to the DNS. However, in practice, adoption has been slow. DNSSEC is powerful — but also complicated and in some cases difficult to deploy.
How DNSSEC Works
The DNS is like a chain of messengers. Your computer asks for the address of interisle.substack.com. If your local DNS resolver doesn’t know the answer, it has to ask a sequence of servers: first one of the DNS root servers, then the .com servers, then substack.com’s servers.
At each step, you’re trusting the answer. Without protection, a hacker can slip in a forged response (via methods such as DNS cache poisoning, also known as DNS spoofing) and your computer won’t know the difference.
DNSSEC fixes that. It attaches digital signatures to DNS records. Your resolver checks the signature against a public key. If it matches, the data is valid; if not, it’s discarded.
The trust flows down a chain: the root signs the top-level domains, which sign second-level domains, and so on. If you trust the root, you can trust everything below it (see the sidebar).
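As an added example (not code from the original article), this shows the mechanism behind that chain: the parent zone publishes a DS record that is a SHA-256 digest of the child zone's DNSKEY, computed as RFC 4034 specifies, so a resolver that already trusts the parent can check whether the child's key is the one the parent vouched for. The key bytes and the example.com zone name are constructed sample data.

```python
"""Chain-of-trust link: a parent zone's DS record is a SHA-256 digest of the child's
DNSKEY, so a resolver can check the child's key against the parent it already trusts.
Key tag and digest follow RFC 4034; the public key bytes below are constructed sample data."""
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a DNS name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = key-signing key), protocol (always 3), algorithm, key material."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum that identifies a DNSKEY."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, flags: int, algorithm: int, public_key: bytes) -> dict:
    """The DS record the parent zone publishes for this child DNSKEY (digest type 2 = SHA-256)."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}

def dnskey_matches_ds(owner: str, flags: int, algorithm: int, public_key: bytes, ds: dict) -> bool:
    """What a validating resolver does: recompute the DS from the child's DNSKEY and compare."""
    if ds["digest_type"] != 2:
        return False  # only SHA-256 digests are handled in this example
    return make_ds(owner, flags, algorithm, public_key) == ds

# Constructed sample: a pretend key-signing key for example.com (algorithm 13 = ECDSAP256SHA256).
SAMPLE_KEY = bytes(range(1, 65))  # 64 bytes of placeholder key material, not a real key
PARENT_DS = make_ds("example.com.", 257, 13, SAMPLE_KEY)

if __name__ == "__main__":
    print("DS key tag:", PARENT_DS["key_tag"], "digest:", PARENT_DS["digest"].hex())
    print("genuine key matches DS:", dnskey_matches_ds("example.com.", 257, 13, SAMPLE_KEY, PARENT_DS))
    swapped = bytes(range(2, 66))  # a substituted key: the parent's DS will not match it
    print("substituted key matches DS:", dnskey_matches_ds("example.com.", 257, 13, swapped, PARENT_DS))
```

The owner name is lowercased before hashing, so a DS computed for EXAMPLE.COM matches the same key published under example.com; a resolver that skipped this canonicalization would reject valid keys.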
The Merits of DNSSEC
Data Integrity: Signatures prevent undetected tampering.
Authentication: Resolvers can confirm that answers come from the zone’s legitimate operator rather than an impostor.
Mitigation of Cache Poisoning: Forged records won’t validate.
Stronger Trust Model: Security based on verifiable cryptography, not blind trust.
Enables new tools, such as DANE (discussed later).
DNSSEC makes one of the Internet’s weakest points much harder to exploit.
The Downsides of DNSSEC
So why isn’t everyone using it? Because DNSSEC has some issues:
No Privacy: It doesn’t encrypt DNS traffic. DNS queries and responses are still sent in the clear and can be eavesdropped.
Operational Complexity: Cryptographic keys and signatures must be generated and deployed correctly. A botched deployment can break an entire domain.
Bigger Responses: Signatures inflate the size of DNS messages. That can cause IP packet fragmentation and dropped responses.
Partial Adoption: If only part of the chain is cryptographically signed, validation breaks down. Today, many domains remain unsigned.
Operators have reported painful issues such as when a missed or incorrect operational step made a domain vanish worldwide.
These aren’t fatal flaws, but they explain why many administrators hesitate to deploy DNSSEC. And if those who do deploy it ever suffer a validation-failure crisis, they may be reluctant to ever turn DNSSEC validation back on.
Where Things Stand Today
Deployment progress has been made, but it’s also been slow:
The root zone has been signed since 2010.
Most top-level domains (TLDs) are now signed.
Big public DNS resolvers like Google (8.8.8.8) and Cloudflare (1.1.1.1) validate DNSSEC.
But at the “last mile” — individual domains and smaller resolvers — adoption lags. Surveys show that only a fraction of second-level domains are signed, and many ISPs still don’t validate DNS responses. The DNSSEC World Map shows DNSSEC deployment between 38% and 58% depending on the region of the world, and DNSSEC Deployment Statistics show that while some TLDs have 100% deployment, the great majority of TLDs are still at 33% or below (a good number are still below 1%).
Complementary technologies are also moving forward: DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS traffic, while DNS-Based Authentication of Named Entities (DANE) uses DNSSEC to strengthen TLS certificates. Together, these tools could form a more secure Internet stack — if DNSSEC becomes more universal.
Why You Should Care
For operators and enterprises: DNSSEC is the best available defense against forged DNS data. It does add complexity, but automation and best practices are easing the deployment difficulties.
For everyday users: You can’t enable DNSSEC yourself — but you benefit when your resolver or ISP does. Widespread validation means fewer chances to be misdirected by malicious actors.
Conclusion
DNSSEC is both a promise and a conundrum. It promises to protect one of the Internet’s weakest points, the authenticity of DNS responses. But it’s also a conundrum for operators with its operational demands, larger response sizes, and incomplete adoption.
The Internet is inching toward a safer DNS, but it’s a very gradual process. The likely future: DNSSEC paired with DoH, DoT, and DANE to create a layered defense.
Until then, DNSSEC remains a powerful but imperfect shield, one that can make the Internet more trustworthy if we can learn how to use it properly and further improve the deployment tool set.
Sidebars:
Why trust the DNS root?
The DNS root is signed with a globally recognized cryptographic key managed under strict, transparent procedures by ICANN (which manages the DNS) and other trusted international partners. Its key-signing procedures are publicly documented and secured with hardware, audits, and multiple custodians. This transparency and rigor ensure global trust in the foundation of the DNS (and DNSSEC) chain.
Can you trust DNSSEC-signed domains?
DNSSEC authenticates DNS lookups, so you can trust that if a domain uses DNSSEC, a DNS lookup for that domain will return its proper IP address. However, that is not the same as trusting the content hosted at a domain that’s been signed. If a criminal has legitimately registered a domain name, they have legitimate DNSSEC signing rights for the domain. DNSSEC tells you that the domain's IP address in the DNS hasn't been tampered with, but you shouldn't automatically trust the content at that domain. It's the same as any other website that you visit: rely on spam and firewall tools and your common sense as always.