What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) adds a layer of security to your domain by enabling cryptographic validation of DNS responses. This protects visitors to your website from DNS spoofing, cache poisoning, and man-in-the-middle attacks that tamper with DNS answers.

When DNSSEC is enabled on your domain, DNS resolvers can verify that the DNS records they receive come from an authoritative source and haven’t been tampered with.

How DNSSEC Works with Bunny DNS

Our DNS service supports full DNSSEC signing. Once enabled, your DNS zones are signed using cryptographic signatures, and we provide the necessary DS (Delegation Signer) records for your domain registrar.

Signing Algorithm: We use Algorithm 13 (ECDSA Curve P-256 with SHA-256) for an ideal balance of security and performance.

Key Management: DNSSEC keys are securely managed and automatically rotated.

Denial of Existence: We employ NSEC Black Lies, an advanced privacy-preserving method. This prevents zone enumeration while providing authenticated denial-of-existence responses. NSEC Black Lies avoid exposing actual zone data, ensuring that attempts to list your domain’s DNS records are thwarted.

Steps to Enable DNSSEC

  • Enable DNSSEC within your DNS zone under the Security tab.
  • Copy the DS Record provided after enabling.
  • Add the DS Record through your domain registrar (see setup guides below).

That’s it! Your domain will now serve DNSSEC-signed responses.

Registrar-Specific DNSSEC Setup Guides

Verify DNSSEC deployment

To verify correct deployment of your DNSSEC-enabled zone, make sure that you placed the correct DS record in the parent zone. DNS resolution can fail if either of the following occurs:

  • The configuration is wrong, or you have mistyped it.
  • You have placed the incorrect DS record in the parent zone.

To verify that you have the right configuration in place and to cross-check the DS record before placing it in the parent zone, use the following tools:
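
The cross-check can also be done offline. The following is an added example, not Bunny's code and not one of the tools this page refers to: it recomputes the key tag and digest from a DNSKEY as defined in RFC 4034 and reports every field where a DS record disagrees. The function names, the sample key (constructed, not a real key) and the choice of digest type 2 (SHA-256) are assumptions.

```python
import base64
import hashlib
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types handled here

# Constructed sample: KSK flags 257, protocol 3, algorithm 13, 64 placeholder key bytes.
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Canonical (lowercased) wire form of the owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(text):
    """Parse 'flags protocol algorithm base64key' into DNSKEY RDATA bytes."""
    flags, proto, alg, *key = text.split()
    head = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return head + base64.b64decode("".join(key))

def key_tag(rdata):
    """Key tag checksum, RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, dnskey_text, digest_type=2):
    """DS record text (tag, algorithm, digest type, digest) for this DNSKEY."""
    rdata = dnskey_rdata(dnskey_text)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def check_ds(owner, dnskey_text, ds_text):
    """Return one message per DS field that disagrees with the DNSKEY ([] = match)."""
    tag, alg, dtype, *digest = ds_text.split()
    if int(dtype) not in DIGESTS:
        return [f"unsupported digest type {dtype}"]
    want = make_ds(owner, dnskey_text, int(dtype)).split()
    got = [str(int(tag)), str(int(alg)), str(int(dtype)), "".join(digest).upper()]
    fields = ("key tag", "algorithm", "digest type", "digest")
    return [f"{f}: expected {w}, got {g}"
            for f, w, g in zip(fields, want, got) if w != g]

if __name__ == "__main__":
    ds = make_ds("example.com.", SAMPLE_DNSKEY)
    print("DS for parent zone:", ds)
    print("mismatches:", check_ds("example.com.", SAMPLE_DNSKEY, ds))
```

An empty list from check_ds means the DS text matches the key; any entry names the field that was mistyped or taken from a different key.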