DNS servers are like the Internet's phone book, they allow your computer to convert the name that you type into your browser, such as, and get back the Internet Protocol address of the server for that domain. These hostnames are used for all sorts of things on the Internet, not just websites, and until recently there was no way of verifying the information that you computer received from the DNS system was what was actually sent, it could have been modified on the way.

DNSSEC is a system where the DNS servers for a domain can digitally sign it's responses to questions, and the computers asking the questions (your PC) can verify that the digital signature matches the response and hasn't been altered or faked.

The actual mechanism to provide and verify the trust is quite complicated, replying on Public Key Cryptography, if you want to know more about this, the Wikipedia page on DNS Security Extensions is a good start. Luckily you don't need to in order to use the system.

AFOYI's support of DNSSEC is in two parts. The first part of our support for DNSSEC is that our recursive name servers (those that our hosting client's servers use as a proxy for asking the questions) fully support validating DNSSEC responses that are received.

The second part is that our authoritative name servers (those that answer questions) support signing the responses they send to clients. This is, unfortunately at this time, not a completely automated process as the initial master Key Signing Key (KSK) needs to be manually generated for the encryption. (KSK rollover is also a manual process at present - this only needs to be done once every 12 months). Once the KSK is set up, out systems automatically generate a new Zone Signing Key (ZSK) every month and resigns the zone every 24 hours using the latest key.

Our DNS Manager also supports adding DS records to any zone, which allows any DNSSEC enabled zone to delegate authority for signing children zones to another set of name servers. This is typically only required in large educational or commercial environments with different domain divisions.