DNSKEY

Standard DNS has no built-in way to verify that a response actually came from the authoritative server for a domain. An attacker could return a forged answer, and a resolver would have no way to detect it.

DNSSEC solves this by adding cryptographic signatures to DNS records. Domain owners sign their DNS records with a private key, and resolvers like 1.1.1.1 verify those signatures using the corresponding public key. This proves the response is authentic and has not been modified in transit.

DNSSEC uses two DNS record types to distribute the public keys needed for verification:

  • DNSKEY records contain the public signing keys for a domain.
  • DS (Delegation Signer) records link a child zone's keys to its parent zone, creating a chain of trust.

Resolvers use these keys to verify the signatures stored in RRSIG records.
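To make the DNSKEY/DS link concrete, here is an added example (not code from the page or from Cloudflare) that builds a DS record from a DNSKEY's wire-format RDATA and then performs the check a validating resolver performs at a delegation: recompute the digest over the canonical owner name plus the child's DNSKEY RDATA and compare it with the DS the parent published. The key-tag arithmetic follows RFC 4034 Appendix B; the algorithm and digest-type numbers (13, 2) and the 4-byte stand-in public key are assumptions and constructed sample input, not values from this page.

```python
import hashlib
import struct

# Assumed registry values (not from this page): DNSKEY algorithm 13 = ECDSAP256SHA256,
# DS digest type 2 = SHA-256.
ALG_ECDSAP256SHA256 = 13
DS_DIGEST_SHA256 = 2


def wire_name(owner: str) -> bytes:
    """Canonical (lowercased) wire-format owner name: 'example.com.' -> b'\\x07example\\x03com\\x00'."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA (a hint, not unique)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes) -> tuple:
    """DS the parent zone publishes for this key: (key tag, algorithm, digest type, hex digest).
    The digest covers the canonical owner name followed by the full DNSKEY RDATA."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], DS_DIGEST_SHA256, digest


def ds_matches(ds: tuple, owner: str, rdata: bytes) -> bool:
    """Resolver-side check at a delegation: does the child's DNSKEY hash to the parent's DS?"""
    tag, alg, digest_type, digest = ds
    if digest_type != DS_DIGEST_SHA256 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper() == digest


if __name__ == "__main__":
    # Constructed sample: flags 257 (ZONE + SEP) and a 4-byte placeholder instead of a real P-256 key.
    rdata = dnskey_rdata(257, ALG_ECDSAP256SHA256, bytes([1, 2, 3, 4]))
    ds = ds_from_dnskey("example.com.", rdata)
    print("DS", *ds)
    print("matches:", ds_matches(ds, "example.com.", rdata))
    # One byte of the published key changed: the parent's DS no longer matches and the chain breaks.
    print("tampered:", ds_matches(ds, "example.com.", rdata[:-1] + b"\x05"))
```

A real key would be the 64-byte P-256 public key from the zone's DNSKEY record (base64-decoded), and the owner name would be the zone apex; everything else in the check stays the same.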

Supported signature algorithms

1.1.1.1 supports the following DNSSEC signature algorithms:

  • RSA/SHA-1
  • RSA/SHA-256
  • RSA/SHA-512
  • RSASHA1-NSEC3-SHA1
  • ECDSA Curve P-256 with SHA-256 (ECDSAP256SHA256)
  • ECDSA Curve P-384 with SHA-384 (ECDSAP384SHA384)
  • ED25519