For more information on this, refer here: https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en
DNSSEC is intended to protect against ‘man-in-the-middle’ DNS spoofing attacks and ‘cache poisoning’ by ensuring DNS information is validated cryptographically before end users’ traffic is directed to a website.
Most DNS resolvers also cache the returned IP address to speed up responses to future queries for the same domain name, whether from the same user or from other users. Therefore, if an attacker has managed to trick the DNS resolver into accepting a fake IP address, the fake IP address is now cached by the DNS resolver. This is known as ‘cache poisoning’. Subsequent queries for the same domain name by other users (e.g. other users on the same ISP) will now be redirected to the fake IP address, because they receive the cached, incorrect IP address instead of the legitimate website’s IP address.
Be aware that DNSSEC implementation can be rather complex. For example, technical complexities could arise should owners wish to change DNS hosting providers.
Owners should also evaluate and confirm whether their DNS hosting provider is technically capable of handling the complexities of cryptographic key generation, signing and key rollover processes.
Should any of these steps be implemented improperly, it could disrupt users’ access to the website.
Such considerations may have additional effects for owners, such as potentially higher fees for a DNSSEC-enabled domain name.
- If “Signed” is displayed, it means the domain name has been DNSSEC enabled.
- If “Unsigned” is displayed, it means the domain name has not enabled DNSSEC yet.

Once a .SG domain is DNSSEC-enabled, end users whose DNS resolvers are DNSSEC-enabled (DNSSEC is usually enabled on resolvers at the ISP’s backend) will be able to validate the data, which protects them seamlessly.
To enable DNSSEC for your .SG domain name, you need to perform the following steps:
a) Confirm that your DNS hosting provider and sponsoring registrar of your .SG domain name both support DNSSEC;
Contact your DNS hosting provider and sponsoring registrar to find out if they support DNSSEC. DNSSEC cannot be enabled if either your DNS hosting provider or sponsoring registrar does not support DNSSEC.
b) Sign the DNS zone file of your .SG domain name; and
Request your DNS hosting provider to perform the DNSSEC signing for your .SG domain name. Your DNS hosting provider will then provide you with the Delegation Signer (DS) record for your domain name.
c) Submit Delegation Signer (DS) records to SGNIC via your sponsoring registrar.
Submit the Delegation Signer (DS) record to your sponsoring registrar. Your sponsoring registrar will submit the record to SGNIC. SGNIC will then publish your DS record to complete the DNSSEC enabling process.
Click on this link http://www.dnssec-bogus.sg to access a website where DNSSEC has been deliberately misconfigured. If the user can see the contents of the page (sample screenshot below), it means the user’s DNS resolver is not DNSSEC-aware.
If the user’s DNS resolver is DNSSEC-aware, the user will not be able to reach the website because the IP address will not be returned. Instead, the user will see his browser’s error message page (e.g. sample screenshots below).
[Screenshots of the browser error pages: Chrome, Internet Explorer v11, Edge, Safari]
- Google Public DNS (8.8.8.8 and 8.8.4.4)
- Verisign Public DNS (64.6.64.6 and 64.6.65.6)
An end user can also check with his ISP whether it is running DNSSEC-aware DNS resolvers.