.au Domain Observatory

What is DNSSEC?

DNSSEC is a verification layer for DNS. It can make DNS answers tamper-evident, but it does not secure everything about a domain.

DNSSEC posturePublic DNS evidenceObservable limits

Direct answer

DNSSEC lets DNS records be digitally signed so resolvers can check that an answer is authentic and has not been changed in transit.

Plain-language explanation

DNS is the system that helps turn a domain name into the technical records needed to reach a website, mail server or other internet service.

DNSSEC adds a verification layer to that process. It allows DNS answers to be checked against cryptographic signatures so that supported resolvers can detect if a signed answer has been altered.

Put simply, DNSSEC can make DNS answers tamper-evident. It does not encrypt DNS traffic, secure the website itself, validate the organisation behind a domain, or prove that a domain is safer than another domain.

Why it matters

DNSSEC is a visible trust posture signal because it can show whether a domain has public evidence of signed DNS delegation or related DNSSEC records.

For governance readers, DNSSEC is useful because its presence, absence or movement can be observed over time. That makes it easier to ask calm questions about domain administration, DNS hosting and public trust posture.

The important point is restraint: DNSSEC evidence is useful, but it is not a complete assessment of domain security.

What .auDO observes

  • whether DNSSEC appears visible for an observed domain
  • whether DNSKEY records are present
  • whether RDAP reports DNSSEC-related delegation information
  • whether DNSSEC visibility changes between repeated observations

What it can tell us

  • whether public DNSSEC evidence was visible at collection time
  • whether visible DNSSEC posture changed across repeated observations
  • whether DNSSEC visibility patterns are present across the observed panel
  • whether a domain may be worth reviewing alongside DNS provider and registration context

What it cannot prove

  • that a domain is safe
  • that a domain is unsafe
  • that an organisation has good or poor governance
  • that public DNSSEC visibility alone is a complete security assessment
  • that DNSSEC is correctly configured in every resolver path
  • that web, email or application-layer controls are effective

Practical governance questions

  • Do we know whether DNSSEC is expected for important domains?
  • Who owns DNSSEC decisions: registrar, DNS provider, internal technology team or supplier?
  • Are DNSSEC changes reviewed alongside nameserver, registrar and DNS provider changes?
  • Is DNSSEC posture documented in domain administration records?
  • If DNSSEC is absent, is that an accepted position or simply unknown?

These signal pages explain the specific public fields and observations that sit behind this explainer.

DNSSECDNSKEY presenceDNSSEC via RDAPName serversDNS providerRDAPRegistrar

State pages summarise aggregate posture across the current .auDO observation panel. They are summaries, not scores.

DNSSEC postureDNS providersRDAP and registration signals

Explore observed context

For broader context, compare DNSSEC posture with dated reports, observed cohorts and the methodology notes. These views can help show whether a DNSSEC observation is isolated, repeated or part of a broader panel pattern.

ReportsObserved cohortsMethodologyAll explainers