DNSSEC: Does Your UK Domain Need It and How Do You Check?
DNSSEC adds cryptographic signatures to DNS records, preventing cache poisoning attacks. This guide explains DNSSEC, UK adoption, and how to check your domain status for free.
The DNS Cache Poisoning Problem
DNS was designed in 1983 with no authentication: the assumption was that only trusted parties would be operating resolvers. That assumption is long obsolete. DNS cache poisoning attacks inject forged records into a resolver's cache, so users who look up the legitimate name are sent to attacker-controlled servers instead. The 2008 Kaminsky attack demonstrated that virtually all DNS resolvers were vulnerable, triggering emergency patches across the industry.
DNSSEC (DNS Security Extensions) solves this by adding cryptographic signatures to DNS records, allowing resolvers to verify that responses are authentic.
How DNSSEC Works
DNSSEC establishes a chain of trust from the DNS root zone down to your domain. Each zone is signed with a Zone Signing Key (ZSK) and a Key Signing Key (KSK). The public keys are published in DNSKEY records and the signatures in RRSIG records; each parent zone publishes a DS record containing a hash of the child zone's KSK, which is how trust links from one zone to the next. A validating resolver checks the signature chain all the way back to the root; if any link breaks, the resolver rejects the response (SERVFAIL) and the query fails.
For UK .co.uk and .uk domains, Nominet operates the signing infrastructure for the .uk TLD zone.
DNSSEC Adoption in the UK
DNSSEC is mandatory for UK government domains under NCSC guidance. UK financial services regulators strongly recommend it for regulated entities. However, adoption among UK SMBs remains low: many popular UK domain registrars do not prominently offer DNSSEC configuration, and some shared hosting environments do not support it.
Approximately 30% of UK .co.uk domains have DNSSEC enabled, compared to higher rates in Scandinavia (where DNSSEC has been mandated for many TLDs) and the Netherlands.
Should Your UK Domain Have DNSSEC?
Yes, if any of the following apply:
- Your domain is used for financial transactions
- You send authenticated email (DMARC/SPF/DKIM depend on authentic DNS)
- Your domain is a target for phishing (brand impersonation, banking, government services)
- You operate critical infrastructure where DNS hijacking could cause significant harm
- You hold Cyber Essentials Plus or ISO 27001 certification
The downside of DNSSEC is negligible for most organisations: a slight increase in DNS response size and query time (typically <5 ms). The upside is meaningful protection against DNS-level attacks.
Enabling DNSSEC for Your Domain
DNSSEC must be enabled at both your DNS hosting provider and your domain registrar, and the DS record held at the registrar must always match the KSK your DNS provider is actually using: if you later move DNS providers without updating or removing the DS record, validating resolvers will treat your whole domain as bogus and refuse to resolve it. The process:
- Enable DNSSEC signing at your DNS provider (Cloudflare, Route 53, Google Cloud DNS all support this)
- Copy the DS (Delegation Signer) record generated by your DNS provider
- Add the DS record at your domain registrar (for .co.uk domains: via Nominet's registry interface or your registrar's control panel)
- Wait for DNS propagation (typically 24 to 48 hours for DS records)
- Verify using VP Pulse's domain scan or dnssec-analyzer.verisignlabs.com
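What the verification in the last step actually checks is that the DS record in the parent zone is derived from the DNSKEY your provider publishes. The following is an added example (not code from the original article, from VP Pulse or from Nominet) that computes a DS record from a DNSKEY per RFC 4034 and compares it with a published one; the owner name example.co.uk and the key bytes are constructed placeholders, and the DNSKEY and DS data would normally be fetched with dig.

```python
import base64
import hashlib
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

@dataclass
class DNSKEY:
    flags: int       # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int    # always 3 for DNSSEC
    algorithm: int   # e.g. 13 = ECDSAP256SHA256, 8 = RSASHA256
    public_key: str  # base64 text as shown in the zone file or dig output

    def rdata(self) -> bytes:
        # Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key bytes.
        return (self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.public_key))

def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (a key selector, not a hash).
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    # Canonical wire form: lowercased labels, each length-prefixed, ending with the root label.
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> tuple:
    # RFC 4034 section 5.1.4: digest = hash(owner name in wire format || DNSKEY RDATA).
    # Returns (key_tag, algorithm, digest_type, digest), i.e. the DS RDATA your provider
    # hands you in step 2 for the registrar to publish in the parent zone.
    digest = DS_DIGESTS[digest_type](owner_wire(owner) + key.rdata()).hexdigest().upper()
    return (key_tag(key.rdata()), key.algorithm, digest_type, digest)

def ds_matches(owner: str, key: DNSKEY, ds: tuple) -> bool:
    # The link check a validating resolver performs: does the parent's DS identify this KSK?
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGESTS:
        return False  # a digest type we cannot compute cannot be verified
    return (tag, alg, dtype, digest.upper()) == make_ds(owner, key, dtype)

# Constructed sample: a hypothetical KSK for example.co.uk (deterministic bytes, not a real key).
SAMPLE_OWNER = "example.co.uk."
SAMPLE_KEY = DNSKEY(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
SAMPLE_DS = make_ds(SAMPLE_OWNER, SAMPLE_KEY)  # the line to compare against the parent's DS
```

Feed it the KSK from `dig DNSKEY yourdomain.co.uk` and the DS from `dig DS yourdomain.co.uk`; if ds_matches returns False after propagation, the record added at the registrar in step 3 does not correspond to the key your DNS provider is signing with.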
Check Your Domain's DNSSEC Status
VP Pulse's free domain scan checks DNSSEC status for any domain in seconds, alongside TLS grade, DMARC, SPF, DKIM, IPv6, and security headers. Run a scan at pulse.vpnetworks.co.uk/scan.