DNSSEC validation
#22 · Recommended · Web Quality · weighted · Security & Infrastructure · weight 1.3% · impl implemented · method v1.2.0
Web Quality factor
This factor is part of Web Quality — the weighted 0..100 score that sits above Web Standards. Its weight depends on what kind of site is being measured. Web Standards items take priority; this factor only enters the score once Web Standards passes.
- Base weight: 0.7, applied to every site type unless overridden below
- Why this weight: DNSSEC stops cache-poisoning attacks. Higher relevance for institutions whose visitors are most targeted by spoofing.
Per-site-type overrides
| Site type | Weight | Δ vs base |
|---|---|---|
| E-commerce | 1.0 | +0.3 |
| Education | 1.0 | +0.3 |
| Government | 1.2 | +0.5 |
Site types not listed inherit the base weight.
What this means for your business
DNSSEC adds an extra signature to your domain settings that stops attackers on shared Wi-Fi or untrusted networks from rerouting your customers to a fake version of your site. Most domain registrars offer it as a one-click toggle.
Plain title: Your domain can't be quietly hijacked
What we measure
DNSSEC cryptographically signs your DNS records so attackers can't forge them. Without it, your visitors can be redirected to malicious sites via DNS hijacking.
How to improve your score
Enable DNSSEC at your registrar / DNS provider. Cloudflare, Google Domains, and most modern providers support it with one click.
Implementation
stale · v1 · seeded — no connector publish yet · source: freshcoat-discovery/src/connectors/dns-email-security.ts:scoreDnssec
Detection method
Cloudflare DoH JSON query for the apex domain with the DO bit set. Pass when the AD bit is set or a DS or DNSKEY record is present. Soft fail when none of those signals fires (the zone isn't signed).
Detection sources
- Cloudflare DoH JSON API (DS + DNSKEY queries with DO=1)
Scoring bands · soft ladder
| Score | Condition |
|---|---|
| 100 | AD bit set or DS+DNSKEY records present (validated chain) |
| 75 | DS present but no AD bit (signed but parent chain didn't validate) |
| 30 | no DS record |
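The detection method and scoring bands above, worked through as an added example (not the connector's own code from dns-email-security.ts): it builds the DoH query URL, reads constructed answers in the shape of Cloudflare's JSON, and maps them onto the 100 / 75 / 30 ladder. The evidence key for the 75 band (`ds_no_ad`) is assumed, since the page lists only `validated` and `no_ds_record`.

```python
"""Score DNSSEC for an apex from Cloudflare DoH JSON answers (added example,
not the connector's code). Assumes two queries per apex, DS and DNSKEY, each
with do=1, mapped onto this page's soft ladder: 100 / 75 / 30."""
from typing import Any

DS, DNSKEY = 43, 48  # RR type codes as they appear in the JSON "type" field
DOH = "https://cloudflare-dns.com/dns-query"

def doh_url(name: str, rrtype: str) -> str:
    """Cloudflare DoH JSON query URL with the DO bit requested (do=1);
    the request must carry 'accept: application/dns-json'. No network here."""
    return f"{DOH}?name={name}&type={rrtype}&do=1"

def has_rr(resp: dict[str, Any], rrtype: int) -> bool:
    """True when a NOERROR answer carries a record of the requested type."""
    if resp.get("Status") != 0:  # NXDOMAIN / SERVFAIL: no usable record
        return False
    return any(rr.get("type") == rrtype for rr in resp.get("Answer", []))

def score_dnssec(ds_resp: dict, dnskey_resp: dict) -> tuple[int, str]:
    """(score, notes) per the scoring bands; 'validated' and 'no_ds_record'
    are the page's evidence keys, 'ds_no_ad' is an assumed key for 75."""
    # Trust AD only when the resolver was allowed to validate (CD unset).
    ad = any(r.get("AD") and not r.get("CD") for r in (ds_resp, dnskey_resp))
    ds, dnskey = has_rr(ds_resp, DS), has_rr(dnskey_resp, DNSKEY)
    if ad or (ds and dnskey):
        return 100, "validated"
    if ds:
        return 75, "ds_no_ad"
    return 30, "no_ds_record"

def _resp(qname: str, qtype: int, answer: list, ad: bool) -> dict:
    """Constructed answer in the shape of Cloudflare's JSON (digests are fake)."""
    return {"Status": 0, "TC": False, "RD": True, "RA": True, "AD": ad,
            "CD": False, "Question": [{"name": qname, "type": qtype}],
            "Answer": answer}

SIGNED_DS = _resp("example.com.", DS, [{"name": "example.com.", "type": DS,
                  "TTL": 3600, "data": "12345 13 2 FAKEDIGEST"}], ad=True)
SIGNED_DNSKEY = _resp("example.com.", DNSKEY, [{"name": "example.com.",
                  "type": DNSKEY, "TTL": 3600, "data": "257 3 13 FAKEKEY"}], ad=True)
BROKEN_DS = dict(SIGNED_DS, AD=False)               # DS at parent, chain failed
NO_DNSKEY = _resp("example.com.", DNSKEY, [], ad=False)
UNSIGNED = _resp("example.net.", DS, [], ad=False)  # no delegation at all

if __name__ == "__main__":
    print(score_dnssec(SIGNED_DS, SIGNED_DNSKEY))  # (100, 'validated')
    print(score_dnssec(BROKEN_DS, NO_DNSKEY))      # (75, 'ds_no_ad')
    print(score_dnssec(UNSIGNED, UNSIGNED))        # (30, 'no_ds_record')
```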
Evidence-key dictionary
What every notes string the connector emits means. These surface in the per-domain dossier evidence column.
- validated: DS or DNSKEY found and validated.
- no_ds_record: zone has no DNSSEC delegation.
Applicability
Recommended. DNSSEC stops cache-poisoning attacks. Higher weight for institutions whose visitors are most targeted by spoofing (gov 1.2, ecommerce 1.0).
Changelog
- 2026-04-29 · seed · Initial seed from MethodologyRegistry bootstrap.
Facts
Implementation notes
Add DS record check to probe stage.
When this applies
This platform doesn't let site owners edit DNS records, so DNSSEC can't be enabled.
- Marked n/a when the detected platform doesn't support canEditDns (for comparison, Squarespace and Wix can't set custom HTTP headers, so factor #4 becomes n/a there).
Scoring
Scoring formulas are versioned with the methodology. The current method (v1.2.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Cited by these standards
Standards in the Standards Library whose satisfiedBy requirement tree references this factor. Each link goes to the standard's full entry — methodology, scope, and the other factors it relies on.
Version history
| Version | Change | Date |
|---|---|---|
| v1.2.0 | Factor introduced. Status: live. Scoring impl: implemented. | 2026-04-25 |