A Very Short Guide to DNSSEC with Demo on Namecheap

tanut aran
Dec 28, 2024

Enable DNSSEC option

In Namecheap, it is a one-click option:

Namecheap > Domain List > Your domain > Advanced DNS

Expected Result: RRSIG, DNSKEY and DS Records

When you query the domain, you will now also see an RRSIG record at the resolver and a DS record at the top-level domain.

You can also query the public key used for verification as a DNSKEY record.

How it works — Multiple Public-Private Key Signers

The set of DNS records sharing the same TYPE (e.g., A) and NAME (e.g., foo.example.com) is called an RRSET (Resource Record Set).

RRSET → 2 keys signed → RRSIG

This is the normal public-private key signing mechanism, with 2 keys combined:

  1. ZSK — Zone signing key
    The server generates the initial key pair and sends the public DNSKEY to the client.
  2. KSK — Key signing key
    2.1. The server generates the initial key pair
    2.2. The public key is sent to be signed at the TLD (top-level domain, e.g., .com, .org)
    2.3. The TLD stores the public part of the double-signed key as a DS record
    2.4. The server sends the public DNSKEY back to the client

Now you have 2 keys to verify the validity of a DNS record.
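
As an added example (not code from the original post), the Python below shows how the DS record at the TLD is tied to the KSK's DNSKEY: per RFC 4034, the DS carries a key tag and a digest of the DNSKEY, so a validator recomputes both and compares. The name example.com and both 64-byte "keys" are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)

def key_role(flags: int) -> str:
    """Flags 257 (SEP bit set) conventionally marks a KSK, 256 a ZSK."""
    return "KSK" if flags & 0x0001 else "ZSK"

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B; RRSIG and DS use it to name a key."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """(key tag, digest type 2 = SHA-256, hex digest) as the parent zone publishes it."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), 2, digest

def ds_matches(owner: str, ds: tuple, rdata: bytes) -> bool:
    """True if the DS record from the TLD points at this DNSKEY."""
    tag, digest_type, digest = ds
    return digest_type == 2 and (tag, 2, digest.upper()) == make_ds(owner, rdata)

# Constructed sample data: placeholder 64-byte "keys" for algorithm 13, not real keys.
OWNER = "example.com."
KSK = dnskey_rdata(257, 13, base64.b64encode(bytes(range(64))).decode())
ZSK = dnskey_rdata(256, 13, base64.b64encode(bytes(range(64, 128))).decode())
DS_AT_TLD = make_ds(OWNER, KSK)  # the DS the TLD would publish for the KSK

if __name__ == "__main__":
    for rdata in (KSK, ZSK):
        flags = struct.unpack("!H", rdata[:2])[0]
        print(key_role(flags), "key tag", key_tag(rdata),
              "matches DS:", ds_matches(OWNER, DS_AT_TLD, rdata))
```

Only the KSK matches the DS; a DNSKEY that was swapped or altered in transit produces a different digest and fails the comparison.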
