Severity: low

DNSSEC not enabled

DNSSEC cryptographically signs DNS answers so attackers cannot redirect your visitors or email. This article explains how DNSSEC works and how to enable it on your domain.

What this means in plain English

When someone types your-domain.example into a browser, their device asks the internet “what’s the actual server address for this name?”. The answer comes back from the DNS — a worldwide phone book of domain names. By default, that answer is unsigned: anyone able to intercept the lookup or poison a phone-book entry can give a wrong answer, and the visitor’s device will trust it.

DNSSEC is the cryptographic seal that makes DNS answers tamper-evident. With DNSSEC enabled on your domain, every answer is signed by you and verifiable by the visitor’s device. A wrong answer fails verification and gets discarded.

Why it matters to your business

DNSSEC protects a layer that’s invisible to most people but very high-impact when it goes wrong. The same DNS that points visitors at your website also tells:

  • Mail servers where to deliver your email.
  • Other servers which IP addresses are allowed to send email as you (your SPF record).
  • Certificate authorities whether they’re allowed to issue HTTPS certificates for your domain (your CAA record, see CAA article).

A successful attack on the DNS for any of these — even briefly, even on a single network — can route your customers’ email through an attacker, get a fake HTTPS certificate issued for your domain, or send your customers to a phishing clone of your site.

We rate this as low severity because realistic attacks need an adversary with privileged network position. It’s still worth fixing — at most managed DNS providers, switching DNSSEC on is essentially free.

How to fix it

DNSSEC enablement is usually a single toggle, but it has two pieces that need to line up:

  1. Sign the zone at your DNS provider. Cloudflare, AWS Route 53, Google Cloud DNS, and most German hosters (IONOS, STRATO, Netcup, InterNetX) have a one-click DNSSEC switch in their control panel.

  2. Tell your registrar. After the DNS provider signs the zone, it gives you a small piece of text called a “DS record”. You paste that into your domain registrar’s settings (the company you bought the domain from). The registrar then passes it up the chain to the operator of your top-level domain (.de, .com, etc.) — that step completes the chain of trust.

Within an hour or so, your domain is signed end to end. The free checker linked below confirms it.

A small thing to check: not every registrar supports adding DS records for every top-level domain. If yours doesn’t, you might need to move the registration. For .de domains, every reasonable German registrar handles DNSSEC properly.
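The DS record in step 2 is not an arbitrary string: it is a hash of the signing key (the DNSKEY) that your DNS provider publishes, bound to your domain name. That means you can check, before and after pasting it at the registrar, that the DS really matches the key in your zone. The script below is an added example, not code from blueredix or any DNS provider; it builds a DS record from a DNSKEY exactly as RFC 4034 section 5.1.4 describes (SHA-256 digest, digest type 2) and compares a published DS against it. The domain your-domain.example and the 64 key bytes are constructed for the demo and are not real key material.

```python
"""Derive a DS record from a DNSKEY and verify that a published DS matches it.

Added example for the DNSSEC article. The owner name and key bytes below are
constructed for the demonstration; they are not a real zone's keys.
"""
import base64
import hashlib
import struct


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root as 0x00."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except legacy RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """DS in presentation format '<key tag> <algorithm> 2 <sha256 hex>' (digest type 2 = SHA-256)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def parse_dnskey(text: str):
    """Parse the presentation form '257 3 13 <base64 key>' as shown in a provider's control panel."""
    flags, protocol, algorithm, *key_parts = text.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key_parts))


def ds_matches(owner: str, ds_text: str, dnskey_text: str) -> bool:
    """True if the DS published at the registrar was derived from this DNSKEY for this owner name."""
    tag, alg, dtype, digest = ds_text.split()
    if int(dtype) != 2:
        raise ValueError("this example only handles digest type 2 (SHA-256)")
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    if not flags & 0x0001:
        return False  # no SEP bit: a zone-signing key is never referenced by a DS
    expected_tag, expected_alg, _, expected_digest = ds_from_dnskey(
        owner, flags, protocol, algorithm, pubkey).split()
    return (int(tag), int(alg), digest.lower()) == (int(expected_tag), int(expected_alg), expected_digest)


# Constructed sample: a KSK-style DNSKEY (flags 257 = zone key + SEP, algorithm 13 = ECDSA P-256)
# whose 64 key bytes are a counting pattern, NOT a real curve point.
SAMPLE_OWNER = "your-domain.example"
SAMPLE_PUBKEY = bytes(range(1, 65))
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(SAMPLE_PUBKEY).decode("ascii")
SAMPLE_DS = ds_from_dnskey(SAMPLE_OWNER, 257, 3, 13, SAMPLE_PUBKEY)

if __name__ == "__main__":
    print("DNSKEY:", SAMPLE_DNSKEY)
    print("DS:    ", SAMPLE_DS)
    print("registrar DS matches provider key:", ds_matches(SAMPLE_OWNER, SAMPLE_DS, SAMPLE_DNSKEY))
```

Two properties of the check are worth noticing. The digest covers the owner name, so a DS copied from another domain's panel fails even if the key bytes are identical; and only keys with the SEP flag (257) are meaningful as DS targets, so pasting the zone-signing key (256) into the registrar produces a broken chain rather than a signed one. To use it on a real zone, replace the constructed values with the DNSKEY your provider shows and the DS your registrar shows.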

Further reading