We have now upgraded our nameserver clusters in both the UK and the USA to support DNSSEC.
As part of this work we have moved our DNS clusters from BIND to PowerDNS, which also brings some performance benefits when answering queries for hosted domains.
DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography. With DNSSEC, it is not the DNS queries and responses themselves that are cryptographically signed; rather, the DNS data itself is signed by the owner of that data. Note that DNSSEC only authenticates data, it does not encrypt it: queries and answers remain visible on the wire.
Every signed DNS zone has a public/private key pair. The zone owner uses the zone's private key to sign the DNS data in the zone, producing digital signatures (RRSIG records) over that data. As the name "private key" implies, this key material is kept secret by the zone owner. The zone's public key, however, is published in the zone itself (as a DNSKEY record) for anyone to retrieve. A recursive resolver that looks up data in the zone also retrieves the zone's public key and uses it to check the signature over the data it received. The resolver does not take that public key on trust: a hash of it is published as a DS record in the parent zone, which is in turn signed by the parent's key, forming a chain of trust that ends at the root zone's trust anchor built into the resolver. If the chain is intact and the signature validates, the DNS data is legitimate and is returned to the user. If the signature does not validate, the resolver treats the answer as forged, discards the data, and returns an error (typically SERVFAIL) to the user.
DNSSEC adds two important properties to the DNS protocol:
Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated.
Data integrity protection allows the resolver to know that the data has not been modified in transit since it was originally signed by the zone owner with the zone's private key.
cPanel users can create, manage, or delete their domains' DNSSEC keys in cPanel's Zone Editor interface (cPanel >> Home >> Domains >> Zone Editor). Generating a key signs the zone on our nameservers, but validating resolvers will only treat the zone as signed once the DS record shown in Zone Editor has been published at the domain's registrar, so that step must not be skipped.
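As an added example (not code from the original post, nor from cPanel or PowerDNS), the standard-library Python below implements the link described above between a zone's DNSKEY and the DS record in its parent, which is what a validating resolver checks before trusting any signature made with that key. It computes the key tag, derives the DS digest a registrar would be given, checks a DS against a DNSKEY, and applies the RRSIG validity window using the serial arithmetic the protocol requires. The owner name, key bytes, timestamps and DS values are constructed for illustration and do not come from any real zone.

```python
"""Added example: the DNSKEY <-> DS chain-of-trust check performed by a
validating resolver, using only the Python standard library.

All names, key bytes and timestamps here are constructed for illustration.
"""
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DS_DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the empty root label."""
    labels = [label.lower() for label in name.split(".") if label]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (256 = ZSK, 257 = KSK), protocol (always 3),
    algorithm number, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except obsolete RSA/MD5):
    sum the RDATA as big-endian 16-bit words, then fold the carry back in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return hashlib.new(DS_DIGEST_ALGS[digest_type], name_to_wire(owner) + rdata).digest()


def ds_matches_dnskey(owner: str, rdata: bytes, ds_key_tag: int, ds_algorithm: int,
                      ds_digest_type: int, ds_digest_hex: str) -> bool:
    """The parent's DS record must agree with the child's DNSKEY on key tag,
    algorithm and digest before the key can anchor the child zone."""
    _flags, _protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if ds_digest_type not in DS_DIGEST_ALGS:
        return False  # unsupported digest type: cannot verify, so do not trust
    return (
        key_tag(rdata) == ds_key_tag
        and algorithm == ds_algorithm
        and ds_digest(owner, rdata, ds_digest_type) == bytes.fromhex(ds_digest_hex)
    )


def serial_le(a: int, b: int) -> bool:
    """a <= b in RFC 1982 32-bit serial arithmetic, which is how RRSIG inception
    and expiration are compared so the 32-bit time wrap does not break validation."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000


def rrsig_time_valid(inception: int, expiration: int, now: int) -> bool:
    """A signature is usable only within [inception, expiration]; an expired
    RRSIG is the most common reason a signed zone starts returning SERVFAIL."""
    return serial_le(inception, now) and serial_le(now, expiration)


if __name__ == "__main__":
    # Constructed KSK for a hypothetical zone; a real ECDSA P-256 (alg 13) key is also 64 bytes.
    owner = "example.com."
    ksk = dnskey_rdata(257, 3, 13, b"\x01" * 64)
    tag = key_tag(ksk)
    ds_hex = ds_digest(owner, ksk).hex()
    print(f"{owner} IN DS {tag} 13 2 {ds_hex}")  # the record handed to the registrar
    print("DS matches published DNSKEY:", ds_matches_dnskey(owner, ksk, tag, 13, 2, ds_hex))
    # Flip one bit of the key: neither the tag nor the digest matches any more.
    tampered = ksk[:-1] + bytes([ksk[-1] ^ 0x01])
    print("DS matches tampered DNSKEY:", ds_matches_dnskey(owner, tampered, tag, 13, 2, ds_hex))
    print("RRSIG within validity window:", rrsig_time_valid(1700000000, 1701000000, 1700500000))
```

The DS line printed by the demo has the same shape as the one cPanel's Zone Editor shows after key generation (key tag, algorithm, digest type, digest); comparing that line against the output of a DS query for the domain is a quick way to confirm the registrar published what the zone actually uses.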
To validate the DNSSEC configuration for a domain, use Verisign's DNSSEC Analyzer website - https://dnssec-analyzer.verisignlabs.com/ . It walks the chain of trust from the root down to the domain and shows exactly which step fails (for example a missing DS record at the registrar or an expired signature), so it is the first thing to check if a domain starts returning SERVFAIL after DNSSEC is enabled.