Cyberattacks are getting smarter. But so are the tools we have to stop them. DNSSEC is one of the most effective ways to protect your customers from domain-based attacks – and yet, it’s still widely overlooked.
If you offer domains to your customers, now is the time to change that.
Let’s break down what DNSSEC is, how it works, and why every reseller should offer it.
What is DNSSEC?
DNSSEC stands for Domain Name System Security Extensions. It is an extension to the DNS protocol that protects your customers by making sure that DNS responses are authentic and haven’t been tampered with.
DNSSEC adds a digital signature to each DNS record. Computers can verify this signature to confirm two things: the record comes from the source you expect, and the data hasn’t been changed. That means you can trust the result and know you’re landing on the right website.
Without DNSSEC, attackers can forge DNS records and redirect users to fake websites – even if they typed in the correct domain name. With DNSSEC’s digital signature enabled, browsers can verify that the response is genuine, not spoofed.
Why adoption is still low
According to the Global Domain Report 2025, DNSSEC adoption remains surprisingly low – especially among gTLDs:
- Only 4% of gTLDs and 3% of new gTLDs use DNSSEC.
- ccTLDs do slightly better, with 13% adoption overall.
- By contrast, SSL certificates are used by more than 60% of domains across all TLD types.
The main reasons for this low adoption? Complexity and lack of awareness.
Setting up DNSSEC can be technical – especially if domain providers don’t support automation. And many end customers don’t even know what it is.
That’s where you come in.
Who’s doing it well?
Some domain registries are leading the way, particularly in Europe. The Global Domain Name Report lists the top ccTLDs using DNSSEC, including:
- .dk – 76.1%
- .se – 71.4%
- .nu – 70%
- .no, .cz, and .nl – all above 60%
Among gTLDs, DNSSEC adoption is still much lower, but a few notable ones stand out:
- .page – 37.5%
- .paris – 26.4%
- .dev – 20%
DNSSEC adoption is possible – and growing – when registries and providers educate their customers about its benefits.
For example, SIDN, the registry of .nl, has set up a free course about DNSSEC for all accredited .nl registrars. Through an incentive system, they also reward registrars for configuring the domain names they host to support DNSSEC.
Next steps for resellers
As a domain reseller, you can give your customers a head start on security by enabling DNSSEC wherever possible and educating them about its benefits. It shows that you take domain safety seriously, and it helps your customers stay protected from increasingly common DNS spoofing and cache poisoning attacks.
As Bo Pennings, founder of Wux, said in a recent Openprovider Customer Excellence feature, “The best service experiences are those where a provider understands your needs before you even have to ask.”
At Openprovider, DNSSEC is available for all TLDs that support it. Whether you’re managing one domain or thousands, DNSSEC can be enabled directly from our control panel or through API:
- If you use Openprovider’s standard nameservers or Premium DNS nameservers for your domain, it’s a process that just takes a few clicks. Openprovider will take care of signing the zones and publishing the corresponding keys in the registry’s zone files. Of course, if ever you want a zone to be unsigned, you can easily do so, too.
- If you’re using your own nameservers – or a combination of your own nameservers with Openprovider’s slave nameserver – you’ll need to enable DNSSEC on your own nameservers first. Check your nameserver’s documentation for the exact steps. Once your DNS zone is signed, you can submit the DNSSEC keys (up to 4) to the registry via Openprovider’s control panel or API. As soon as the key is published in the registry’s zone file, your domain will be protected by DNSSEC.
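If you run your own nameservers, a useful check after submitting a key is whether the record in the parent zone really corresponds to the DNSKEY your zone is signed with. Registries typically publish the key as a DS record, which is a hash of the DNSKEY. The Python sketch below is an added example, not Openprovider code: it derives the key tag and SHA-256 DS digest from a DNSKEY and compares them with a published DS value. The owner name and key bytes are constructed placeholders.

```python
import base64
import hashlib
import struct

# Constructed sample values, not a real key: 64 placeholder bytes standing in
# for an ECDSA P-256 (algorithm 13) public key on a hypothetical zone.
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields: (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches(owner, rdata, published_ds):
    """Compare a DS record's RDATA text, as seen in the parent zone, with our key."""
    tag, alg, dtype, *hex_parts = published_ds.split()
    if int(dtype) != 2:
        raise ValueError("only SHA-256 (digest type 2) is handled here")
    return make_ds(owner, rdata) == (int(tag), int(alg), 2, "".join(hex_parts).upper())

if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 13, SAMPLE_PUBKEY_B64)
    ds = make_ds(SAMPLE_OWNER, ksk)
    print("DS to expect at the registry: %d %d %d %s" % ds)
    print("match:", ds_matches(SAMPLE_OWNER, ksk, "%d %d %d %s" % ds))
```

A mismatch between the published DS and the key actually signing the zone makes validating resolvers reject the domain's answers, so run this comparison before and after every key rollover.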
Let’s make the internet safer – one domain at a time.
Want to learn more about DNSSEC, DMARC, and other security measures that protect your customers?