Not all domains or servers can use DNSSEC. For it to work, every "link" in the chainfrom your nameservers to the central registrymust support these security signatures.
As of 2026, DNSSEC adoption is high among major registries, but technical complexity still prevents it from being universal.
TLD Support for DNSSEC
A TLD (Top-Level Domain) must be "signed" at the root level for you to enable DNSSEC.
Supported TLDs (The Majority)
Over 90% of TLDs now support DNSSEC. This includes:
-
Generic TLDs:
.com,.net,.org,.biz,.info. -
Major Country Codes:
.uk,.au,.ca,.de,.eu. -
New gTLDs: Most modern extensions like
.app,.dev,.shop, and.xyzhave DNSSEC support built-in from day one. In fact, some (like.bankor.trust) require DNSSEC to be active.
Unsupported TLDs
While rare, some TLDs still do not support DNSSEC due to legacy infrastructure or regional restrictions.
-
Small ccTLDs: Some smaller island nations or developing regions may not have upgraded their registries yet.
-
Specialty Domains: A handful of older, specialized extensions.
Nixzoehost Tip: You can check the current status of any extension by looking at the IANA Root Zone Database. If you don't see a "DS" record listed for a TLD, you cannot enable DNSSEC for it.
Nameserver Support
Even if the TLD supports it, your Nameservers must be able to handle the cryptographic signing.
1. Using Nixzoehost Nameservers
When you use our default nameservers, we handle the complex key management for you. We support DNSSEC for all major TLDs we offer. You simply toggle it on, and our servers generate the digital signatures automatically.
2. Using 3rd Party Nameservers
If you point your domain away from Nixzoehost, the security responsibility shifts to that provider:
-
Supported: Google Cloud DNS, Cloudflare, AWS Route 53, and DigitalOcean Nameservers all have robust DNSSEC support.
-
Often Unsupported: Some budget hosting providers or older ISP-provided nameservers do not support DNSSEC signing.
The "Chain of Trust" Requirement
For DNSSEC to be "Secure," the chain must be unbroken. If any part of this list is missing, DNSSEC will not function:
-
The Registry (TLD): Must accept and publish your "DS Record."
-
The Registrar (Nixzoehost): Must provide a way to submit that DS Record to the registry.
-
The DNS Provider (Nameservers): Must sign your zone with a private key and provide the public key.
-
The Visitor's Resolver: The person visiting your site must be using a DNS resolver (like Google 8.8.8.8 or Cloudflare 1.1.1.1) that actually checks for these signatures.
What happens if a Nameserver doesn't support it?
If you try to enable DNSSEC on a nameserver that doesn't support it, your domain will experience a "Validation Failure." Secure browsers will see that a signature is expected but missing/invalid, and they will block your site entirely to protect the user.