Part 4 of the series "EU Web Security: 10 Steps to a Better Rating"
The Invisible Foundation
Before your browser can load a website, it must resolve the domain name to an IP address. That is what the Domain Name System (DNS) does — and it has a fundamental problem: it was designed in 1983 without authentication. Anyone who can manipulate DNS responses can redirect users to arbitrary servers.
An attacker on the same network can forge DNS responses and redirect your customers to a perfect copy of your website — complete with a valid Let's Encrypt certificate, if no CAA record restricts issuance.
DNSSEC adoption in the EU: 15.8%. Only one in six domains is protected.
The Numbers
- DNSSEC: 15.8% validated
- CAA (Certification Authority Authorization): 3.0%
- DANE/TLSA: under 1%
97% of European domains have no CAA record. That means: any certificate authority in the world can issue a valid certificate for your domain — including an attacker with access to a compromised CA.
What Is DNSSEC?
DNSSEC (Domain Name System Security Extensions, RFC 4033-4035) cryptographically signs DNS records. A validating resolver can then verify that a response genuinely originates from the zone's authoritative nameservers and has not been tampered with in transit.
```
Without DNSSEC: your-domain.com -> 93.184.216.34            (unverifiable)
With DNSSEC:    your-domain.com -> 93.184.216.34 + RRSIG    (cryptographically signed)
```
How to Enable DNSSEC
DNSSEC is enabled at the DNS provider, not on your server.
Step 1: Check Your DNS Provider
Most major providers support DNSSEC:
| Provider | DNSSEC Support | Activation |
|---|---|---|
| Cloudflare | Yes | One click in the dashboard |
| AWS Route 53 | Yes | Via CLI or Console |
| Google Cloud DNS | Yes | Via CLI or Console |
| Azure DNS | Yes | Via Portal or CLI |
| OVH | Yes | DNS Zone > Enable DNSSEC |
| Hetzner | Yes | DNS Console > Enable DNSSEC |
| GoDaddy | Yes | Domain settings > DNSSEC |
Step 2: Enable DNSSEC
With most providers, it is a single toggle in the DNS management panel. The provider generates the DNSSEC keys and signs the zone automatically.
Step 3: Add the DS Record at the Registrar
If your DNS provider and registrar are different (e.g. domain at GoDaddy, DNS at Cloudflare), you need to manually add the DS record at the registrar. The DS record is published in the parent zone (e.g. .com) and contains a hash of your zone's key-signing key; it is what links your zone into the DNSSEC chain of trust. Without it, validating resolvers treat your zone as unsigned.
Cloudflare displays the DS record you need to enter at your registrar.
Step 4: Verify Validation
```bash
dig +dnssec your-domain.com
```
RRSIG records in the answer section show that the zone is signed. If the flags line of the response header additionally contains `ad` (Authenticated Data), the resolver verified those signatures and DNSSEC is active and validated. The `ad` flag is set by the resolver you query, so run the check against a resolver that performs DNSSEC validation; a non-validating resolver never sets it, even for a correctly signed zone.
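The DS record from Step 3 is nothing more than a key tag plus a hash of the provider's key-signing key, so you can recompute it yourself and compare it with what the registrar shows before (and after) you paste it. The following Python is an added example for this article, not code from the article or from SiteGuardian; it implements the RFC 4034 key tag and DS digest over a constructed placeholder DNSKEY (example.com and the 64 key bytes are made up, the flags, protocol and algorithm values are the real field values). In practice you would feed it the DNSKEY returned by `dig DNSKEY your-domain.com` and the DS line returned by `dig DS your-domain.com`.

```python
"""Recompute a DS record from a DNSKEY (RFC 4034) to check what the registrar holds.

Added example for this article, not code from the article or SiteGuardian.
The key below is a constructed placeholder: flags/protocol/algorithm are real
field values, the 64 "public key" bytes are a dummy pattern, not a real key.
"""
import hashlib
import struct

OWNER = "example.com."                 # stands in for your-domain.com
KSK_FLAGS = 257                        # ZONE (256) + SEP (1): a key-signing key
KSK_PROTOCOL = 3                       # always 3 for DNSSEC
KSK_ALGORITHM = 13                     # ECDSAP256SHA256
KSK_PUBKEY = bytes(range(64))          # constructed, NOT a real public key

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: fold the RDATA into 16 bits (even bytes high, odd bytes low)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_record(owner, rdata, digest_type=2):
    """DS RDATA in presentation form: '<keytag> <algorithm> <digesttype> <HEX DIGEST>'.

    RFC 4034 s.5.1.4: digest = hash(canonical owner name | DNSKEY RDATA).
    """
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(owner, rdata, ds_text):
    """True if a DS line (as shown by the registrar or `dig DS`) matches this DNSKEY."""
    fields = ds_text.split()
    if len(fields) < 4:
        return False
    try:
        tag, alg, dtype = int(fields[0]), int(fields[1]), int(fields[2])
    except ValueError:
        return False
    if dtype not in DIGESTS:
        return False
    digest = "".join(fields[3:]).upper()    # dig may break the digest across tokens
    expected = ds_record(owner, rdata, dtype).split()
    return (str(tag), str(alg), digest) == (expected[0], expected[1], expected[3])


# Module-level results for the constructed key, so they can be inspected directly.
KSK_RDATA = dnskey_rdata(KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM, KSK_PUBKEY)
KSK_DS = ds_record(OWNER, KSK_RDATA)

if __name__ == "__main__":
    print("DS to enter at the registrar:", KSK_DS)
    # A single changed key byte changes the digest, so a stale or mistyped DS is caught.
    tampered = dnskey_rdata(KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM, b"\xff" + KSK_PUBKEY[1:])
    print("tampered key matches published DS?", ds_matches(OWNER, tampered, KSK_DS))
```

The comparison is deliberately strict on key tag, algorithm and digest type as well as the digest itself: after a provider-side key rollover all four can change, and a DS that still matches the old key is exactly the "domain becomes unreachable for validating resolvers" failure described under Common Mistakes below.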
CAA: Who May Issue Certificates?
A CAA record (RFC 8659) defines which certificate authorities may issue TLS certificates for your domain:
```
your-domain.com. IN CAA 0 issue "letsencrypt.org"
your-domain.com. IN CAA 0 issuewild ";"
```
- `issue "letsencrypt.org"` — only Let's Encrypt may issue certificates
- `issuewild ";"` — no wildcard certificates from anyone
3% of EU domains have a CAA record. The other 97% blindly trust every CA in the world.
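To see how a CA actually applies these records, here is an added Python example (not code from the article or from SiteGuardian) that implements the RFC 8659 issuance check: find the CAA RRset of the name itself or its closest ancestor, then apply `issue` for ordinary names and `issuewild` for wildcard requests, treating the empty issuer `";"` as "nobody". The zone text is constructed in the article's record format, with example.com standing in for your-domain.com. The same check also shows the "CAA too strict" mistake listed under Common Mistakes below: a request from a CA that is not listed is refused.

```python
"""Apply CAA records the way a CA must before issuing (RFC 8659).

Added example for this article; the zone below is constructed in the
record format shown in the article, with example.com for your-domain.com.
"""
import shlex
from dataclasses import dataclass

# Constructed sample zone in the article's presentation format (no TTL column).
ZONE_TEXT = """
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild ";"
example.com. IN CAA 0 iodef "mailto:security@example.com"
"""

RFC8659_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = "issuer critical"
    tag: str     # issue / issuewild / iodef / ...
    value: str   # issuer domain, optionally ";param=value" suffix; ";" alone = nobody


def parse_caa_zone(text):
    """Parse 'owner [TTL] IN CAA flags tag "value"' lines into {owner: [CAA, ...]}."""
    zone = {}
    for line in text.splitlines():
        tokens = shlex.split(line)          # shlex keeps the quoted value intact, incl. ";"
        upper = [t.upper() for t in tokens]
        if "CAA" not in upper:
            continue
        i = upper.index("CAA")
        owner = tokens[0].rstrip(".").lower()
        zone.setdefault(owner, []).append(CAA(int(tokens[i + 1]), tokens[i + 2], tokens[i + 3]))
    return zone


def relevant_rrset(zone, fqdn):
    """RFC 8659 s.3: the CAA RRset of the name itself or, failing that, its closest ancestor."""
    labels = fqdn.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, fqdn, ca_domain):
    """Return (allowed, reason) for ca_domain issuing a certificate for fqdn.

    A leading '*.' marks a wildcard request, which consults issuewild first.
    """
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA record anywhere up the tree: any CA may issue"
    # An unknown property flagged critical means the CA must refuse rather than guess.
    for rr in rrset:
        if rr.flags & 128 and rr.tag.lower() not in RFC8659_TAGS:
            return False, f"critical property {rr.tag!r} not understood"
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    if wildcard and issuewild:
        tag, props = "issuewild", issuewild
    else:
        tag, props = "issue", issue         # issuewild is ignored for non-wildcard names
    if not props:
        return True, f"CAA present but no {tag} property: issuance unrestricted"
    allowed = {issuer_domain(rr.value) for rr in props} - {""}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed in {tag}"
    return False, f"{ca_domain} is not in {tag} set {sorted(allowed) or ['<nobody>']}"


ZONE = parse_caa_zone(ZONE_TEXT)

if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("shop.example.net", "any-ca.example")]:
        ok, why = caa_permits(ZONE, fqdn, ca)
        print(f"{fqdn:18} {ca:18} {'ISSUE' if ok else 'REFUSE':7} {why}")
```

Note the tree walk in `relevant_rrset`: one CAA RRset at the apex protects every subdomain that does not publish its own, which is why a single record covers `www`, `mail` and so on, and why a domain with no CAA anywhere in its ancestry (the 97% case) permits every CA.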
Common Mistakes
1. Enabling DNSSEC without monitoring. If DNSSEC signatures expire (key rotation failure), the domain becomes unreachable for all DNSSEC-validating resolvers. Make sure your provider rotates keys automatically.
2. Setting CAA too strictly. If you switch CA providers and forget to update the CAA record, certificate renewal will fail.
3. DANE without DNSSEC. DANE/TLSA records only work with DNSSEC — without the signature, an attacker can forge the TLSA record too.
Regulatory Context
- NIS2 Art. 21(2) — DNS infrastructure is part of the cybersecurity measures for network and information systems
- NIS2 Art. 28 — specific obligations for DNS service providers and TLD registries
- GDPR Art. 32 — DNS spoofing can lead to phishing and, consequently, data breaches
Check Your DNS Security
SiteGuardian checks DNSSEC validation, CAA records, DANE/TLSA, and DNS hygiene (open zone transfers, orphaned records).
Next week in Part 5: security.txt — the RFC 9116 standard that ENISA recommends and 97.2% of EU websites do not have.