DNSSEC has a reputation for being complicated. That reputation is mostly deserved, but the actual setup on modern DNS providers takes about ten minutes. The hard part is understanding what it does and why, so you don't misconfigure it and silently break your domain for a subset of users. This is that guide. What DNSSEC actually does DNS responses have no built-in authentication. When a resolver asks your nameserver "what's the IP for yourapp.com," there's nothing in the original protocol that proves the answer came from you and wasn't modified in transit. Cache poisoning attacks (Kaminsky, 2008) exploited exactly this. DNSSEC adds cryptographic signatures to your DNS records. Each record set gets signed with a private key. Resolvers that support DNSSEC validation can verify those signatures against a public key published in your zone. If the answer was tampered with, validation fails and the resolver returns an error instead of a forged response. It does not encrypt DNS traffic.…