dnssec-not-enabled
DNSSEC not enabled
DNSSEC adds a tamper-evident signature to the lookup that translates your domain name into a server address. Without it, an attacker who can intercept or poison that lookup can quietly redirect your visitors and your email.
What this means in plain English
When someone types your-domain.example into a browser, their device asks the internet “what’s the actual server address for this name?”. The answer comes back from the DNS — a worldwide phone book of domain names. By default, that answer is unsigned: anyone able to intercept the lookup or poison a phone-book entry can give a wrong answer, and the visitor’s device will trust it.
DNSSEC is the cryptographic signature that makes DNS answers tamper-evident. With DNSSEC enabled on your domain, every answer is signed with your zone’s keys and can be checked by any validating resolver, which in practice is the resolver the visitor’s device asks: the one run by their ISP or a public resolver such as Google’s, Cloudflare’s or Quad9’s, all of which validate. A wrong answer fails verification and is discarded. Note the limit of the protection: DNSSEC proves an answer is authentic, it does not encrypt the lookup, so an observer can still see which names are being looked up.
Why it matters to your business
DNSSEC protects a layer that’s invisible to most people but very high-impact when it goes wrong. The same DNS that points visitors at your website also tells:
- Mail servers where to deliver your email.
- Other servers which IP addresses are allowed to send email as you (your SPF record).
- Certificate authorities whether they’re allowed to issue HTTPS certificates for your domain (your CAA record, see CAA article).
A successful attack on the DNS for any of these, even briefly, even on a single network, can route your customers’ email through an attacker, get a fraudulent HTTPS certificate issued for your domain, or send your customers to a phishing clone of your site.
We rate this as low severity because realistic attacks need an adversary who can intercept or poison DNS traffic, which is a privileged network position. It’s still worth fixing: at most managed DNS providers, switching DNSSEC on is essentially free.
How to fix it
DNSSEC enablement is usually a single toggle, but it has two pieces that need to line up:
- Sign the zone at your DNS provider. Cloudflare, AWS Route 53, Google Cloud DNS, and most German hosters (IONOS, STRATO, Netcup, InterNetX) have a one-click DNSSEC switch in their control panel.
- Tell your registrar. After the DNS provider signs the zone, it gives you a small piece of text called a “DS record” (a hash of your zone’s key-signing key). You paste that into your domain registrar’s settings (the company you bought the domain from). The registrar then passes it up the chain to the operator of your top-level domain (.de, .com, etc.). That step completes the chain of trust: the top-level domain vouches for your key, and the DNS root vouches for the top-level domain.
Publication at the top-level domain usually takes minutes to a few hours, depending on the registrar and the TLD; after that your domain is signed end to end. The free checker linked below confirms it. Two details matter: the DS must match the key your provider actually serves (a stale or mistyped DS makes validating resolvers reject your whole domain), and if you later move to a different DNS provider, remove the DS at the registrar first and wait for it to expire from caches before switching, for the same reason.
A small thing to check: not every registrar supports adding DS records for every top-level domain. If yours doesn’t, you might need to move the registration. For .de domains, every reasonable German registrar handles DNSSEC properly.
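The DS record that links the two steps above is not an opaque token: it is a digest of your key-signing key together with the domain name, plus a short key tag, exactly as the chain-of-trust explanation describes. The following is an added example (not code from this page or from any of the providers named) that derives the DS from a DNSKEY the way RFC 4034 and RFC 4509 specify, so you can confirm that what the registrar and TLD publish matches what your DNS provider serves. The domain your-domain.example, the 64-byte placeholder public key and the helper names are all assumptions made for the example; the key bytes are not real key material.

```python
import base64
import hashlib
import struct

# Constructed placeholder key material: 64 bytes is the length of a real
# ECDSA P-256 (algorithm 13) public key, but these bytes are not a real key.
PLACEHOLDER_PUBKEY = bytes(range(1, 65))
# Presentation form of a key-signing key as a DNS provider would show it:
# flags 257 (KSK), protocol 3, algorithm 13, base64 public key.
KSK_TEXT = "257 3 13 " + base64.b64encode(PLACEHOLDER_PUBKEY).decode()


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    each label prefixed by its length, terminated by a zero byte."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 appendix B): a 16-bit checksum over the DNSKEY RDATA
    that lets a resolver pick the matching key out of a DNSKEY RRset."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS RDATA in presentation form ('<key tag> <algorithm> <digest type> <digest>')
    for a DNSKEY given as '<flags> <protocol> <algorithm> <base64...>'.
    The digest covers the canonical owner name followed by the DNSKEY RDATA,
    so the same key under a different name yields a different DS.
    Digest type 2 is SHA-256 (RFC 4509); type 1 is SHA-1 (RFC 4034)."""
    flags, protocol, algorithm, *b64_chunks = dnskey_text.split()
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm),
                         base64.b64decode("".join(b64_chunks)))
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {int(algorithm)} {digest_type} {digest}"


def ds_matches(published_ds: str, owner: str, dnskey_text: str) -> bool:
    """True if the DS published at the TLD (as printed by `dig DS <name> +short`)
    was derived from this DNSKEY. Tolerates lowercase hex and a digest that
    has been split into several space-separated chunks."""
    fields = published_ds.split()
    if len(fields) < 4:
        return False
    try:
        tag, algorithm, digest_type = (int(f) for f in fields[:3])
        normalised = f"{tag} {algorithm} {digest_type} " + "".join(fields[3:]).upper()
        return normalised == ds_record(owner, dnskey_text, digest_type)
    except (ValueError, KeyError):
        # Malformed DS text or an unsupported digest type: treat as no match.
        return False


if __name__ == "__main__":
    expected = ds_record("your-domain.example", KSK_TEXT)
    print("DS to give the registrar:", expected)
    print("matches published DS:", ds_matches(expected.lower(), "Your-Domain.example.", KSK_TEXT))
```

With a real domain, `dig DNSKEY your-domain.example +short` lists the zone’s keys (the entry beginning with 257 is the key-signing key) and `dig DS your-domain.example +short` shows what the top-level domain publishes; feed both into `ds_matches`. A false result means the chain of trust is broken at the registrar step, and validating resolvers will fail lookups for the domain until the DS is corrected.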
Further reading
- DNSViz — visualises the DNSSEC chain for any domain; useful to confirm setup.
- Cloudflare DNSSEC explainer — readable, with diagrams.
- BSI on DNSSEC (German)
- RFC 4033 — DNSSEC introduction