Setting up DNSSEC
We've signed our zones. — DNSSEC is now protecting the DNS records behind our sovereign email hosting. This allows for those email clients that can do DANE.
DNS is the phone book of the internet, and for a long time it had no way of proving that an answer you received was the answer the domain owner actually published. DNSSEC — DNS Security Extensions — closes that gap by cryptographically signing DNS records, so a resolver can verify that a response has not been tampered with in transit.
For an email host this matters a great deal. Records like MX, SPF, DKIM, and DMARC are what other mail servers rely on to decide whether they trust mail from our domains. If an attacker can forge those answers, they can redirect or spoof mail. DNSSEC gives recipients a way to be confident that the records they see are genuinely ours.
How DNSSEC works
DNSSEC builds a chain of trust from the root zone down to your
domain. Each zone signs its records with a private key and
publishes the matching public key as a DNSKEY
record. The parent zone vouches for that key by publishing a
DS (Delegation Signer) record — a hash of your
key — in its zone. A validating resolver walks
this chain from the root, and if every link verifies, the answer
is trusted.
- ZSK — Zone Signing Key, used to sign the records in the zone.
- KSK — Key Signing Key, used to sign the ZSK and referenced by the DS record.
- RRSIG — the signatures over each record set.
- DS — the record you hand to your registrar to complete the chain.
What we did
We signed each of our email domains, published the resulting
DNSKEY records, and submitted the corresponding
DS record to the registrar so the parent zone points
at our keys. Once the DS record propagated, the chain of trust
was complete and validating resolvers began verifying our
answers.
Verifying it works
A quick way to confirm the chain validates is to query with
dig and look for the ad (authenticated
data) flag:
dig +dnssec DS sverige.email @1.1.1.1dig +dnssec DNSKEY sverige.email
The Verisign DNSSEC Analyzer tool is also excellent for visualising the chain of trust and catching problems.
Why it fits our mission
Sovereign, trustworthy email is not just about where the servers sit — it's about integrity end to end. DNSSEC is one more piece of Free Software infrastructure that lets our users, and the servers they exchange mail with, trust that what they see is genuinely what we published.
Many thanks to the folks at deSEC.io as they make it their mission to get everyone using DNSSEC. We sponsor them and all the Free Software we use.