Why 98% of Australian small businesses have no DNSSEC — what it is and how to check yours
98% of Australian small business domains have no DNSSEC. What it protects, why it is off by default, and how to check your own domain in 2 minutes.
98% of Australian small business domains do not enable DNSSEC — the single most universal gap at this tier.* DNSSEC adds a cryptographic signature to your DNS records, so the resolver answering a customer’s lookup can verify the answer — your real web address, your real mail server — was published by you and not swapped somewhere in transit. It is missing almost everywhere for 3 plain reasons:
- it is off by default at every provider
- a missing signature produces no visible symptom — the website still loads
- at some providers it costs extra: GoDaddy meters DNSSEC in "credits", with more requiring its paid Premium DNS add-on, while Cloudflare and VentraIP include it at no charge
If your provider includes DNSSEC, turning it on takes minutes. auDA already signs the .au zone itself — your own domain is the only unsigned link left in the chain.
No other finding in our baseline data is this close to universal. Security headers come and go, email authentication is patchy, but DNSSEC is almost uniformly absent: 98% of Australian small business domains do not enable DNSSEC — the single most universal gap at this tier.*
Unlike most of the gaps we measure, this one is usually not the business owner's fault. Nobody ever asked them. DNSSEC is off by default everywhere, produces no symptom when it is missing, and — at some of the world's largest providers — costs extra to turn on. This page explains what it actually protects, why almost nobody has it, what we did about it for our own domains, and how to check yours in about 2 minutes.
What does DNSSEC actually protect you from?
DNS is the internet's directions service. When a customer types your web address, or sends you an email, their device asks a chain of DNS servers where your website and your mail server actually live. The answers that come back are, by default, plain unauthenticated text — the design dates from a time when the internet was a few hundred machines that trusted each other.
That means anyone positioned to tamper with those answers — a poisoned resolver cache, a hostile public wi-fi network, a compromised router — can hand the customer a different answer: an IP address they control instead of yours. The customer's browser still shows your domain name. Mail sent to you can be quietly redirected to someone else's server the same way, by forging the answer for your mail records.
DNSSEC (Domain Name System Security Extensions) fixes exactly this. Your DNS records get a cryptographic signature, and a chain of trust runs from the internet's root zone, through .au, down to your domain. A validating resolver checks the signature and refuses to pass on a forged answer; the major public resolvers, including Cloudflare's 1.1.1.1, Google's 8.8.8.8 and Quad9, all validate. auDA, the administrator of Australia's domain namespace, signs the .au zone itself, so for a .com.au domain the rest of the chain is already in place. Your own domain is the only unsigned link left.
It is worth being equally plain about what DNSSEC does not do. It does not encrypt anything — that is what your TLS certificate does. It does not stop anyone spoofing email from your domain — that is SPF, DKIM and DMARC territory, covered in our guide to free website security scanners. And it does not help if someone takes over your account at the registrar — that is what 2-factor authentication on that account is for. DNSSEC signs the directions to your business; it secures nothing else.
Why do 98% of small businesses not have it?
3 plain reasons, and none of them is negligence.
It is off by default, everywhere. No registrar enables DNSSEC automatically when you buy a domain, and no website builder turns it on for you. Enabling it is always a deliberate act — sign the DNS zone, publish a DS record at the registry — by someone who knows the setting exists. Most small business owners have never heard of it, and there is no reason they would have.
Nothing visibly breaks without it. A domain without DNSSEC resolves exactly like a domain with it, every day, until the day someone forges an answer. There is no warning banner, no browser padlock equivalent, no nagging email. Of the controls we measure in the baseline, it is the purest example of a gap with zero day-to-day symptoms.
And at some providers, it costs extra. GoDaddy — one of the world's most widely used registrars and DNS providers — meters DNSSEC. Its own help page explains that an account gets 5 free "DNSSEC credits", and that "to protect more domains, you can upgrade to Premium DNS for additional DNSSEC credits". Read that sentence again: a digital signature on your DNS records — a setting that costs the provider very little to offer — is packaged as a countable unit that runs out, with the refill sold as a premium upgrade.
Compare the providers that treat it as table stakes. Cloudflare includes DNSSEC on every plan, including the free one — it is a single Enable DNSSEC control in the dashboard. Australian registrar and host VentraIP includes it too — a few clicks in cPanel's Zone Editor, or DS records added through its control panel, at no charge.
When a security feature is sold as a premium add-on, the message a small business hears is that it must be optional — something for bigger companies with bigger budgets. Multiply that message across millions of customers and the 98% stops being surprising.
The question we asked at Red Bridge Cyber
We can speak to this one first-hand, because we used to be a GoDaddy customer. DNSSEC was the reason we stopped.
When we looked at securing our own domains and found that the signatures on our DNS records were metered in credits, the decision in front of us turned out not to be technical at all. It was: do we want to work with providers who treat the integrity of our business as fundamental, or with a provider who wants to charge extra for what we believe is a basic security feature? Asked that way, the question answers itself. We moved all of our business — every domain — to Cloudflare and VentraIP, and DNSSEC on every zone was switched on within minutes of arriving.
For transparency: we pay both providers as ordinary customers and are not part of any affiliate or partner program — our partners page spells out our policy on that. And the result is checkable from the outside: run redbridgecyber.com.au through any DNSSEC checker and you will see the signed chain from .au down to our records.
Should you turn it on?
An honest answer, not a reflexive yes.
First, check what your provider charges. If your registrar or DNS host includes DNSSEC — and Cloudflare, VentraIP and a good number of other providers serving Australian businesses do — then turn it on. It takes minutes, costs nothing, and needs no day-to-day attention afterwards.
If it sits behind a paywall, do not buy it in isolation. Weigh it at your next renewal instead. Transferring a domain or moving DNS hosting is routine, and the Australian market has no shortage of providers that include DNSSEC as standard. Paying an ongoing premium for one security signature is rarely the right spend for a small business.
Keep it in proportion. A forged DNS answer is a far less common attack on a small business than ordinary phishing or a reused password. If you have not yet done the basics in the Australian Cyber Security Centre's small business guide — multi-factor authentication, software updates, backups — those come first. DNSSEC earns its place not because the risk is large but because, when your provider includes it, the cost of closing the gap is as close to zero as security ever gets.
One genuine caution. DNSSEC is the rare control that can take your site offline if it is half-done. If you later transfer the domain or change DNS hosts, the DS record must be removed before the move and re-created after — skip that step and validating resolvers will refuse to resolve your domain until it is fixed. Follow your provider's transfer runbook whenever DNSSEC is on, and treat "enable it and forget which provider holds the keys" as the one way to do this badly.
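The DS record that both the "sign the zone, publish a DS" step above and this transfer caution turn on is nothing more than a hash of your zone's DNSKEY, which is exactly why a move breaks the chain: the new DNS host generates a fresh key, the registry still holds the hash of the old one, and validating resolvers reject the mismatch. The following is an added example written for this article, not Red Bridge Cyber's code and not any registrar's tooling. It computes the key tag and SHA-256 DS for a DNSKEY per RFC 4034 using only the Python standard library, then plays through the before/after of a DNS move. The domain example.com.au, the DNSKEY values and the 4-byte "public keys" are constructed placeholders (a real ECDSA P-256 key is 64 bytes); the arithmetic is the same for real records.

```python
"""Compute DS records from a DNSKEY and check them against what the registry holds.
Added example for this article, not Red Bridge Cyber's or any provider's code.
Standard library only; follows RFC 4034 (key tag: Appendix B, DS digest: 5.1.4).
Every key, domain and DS value below is a constructed sample, not a real record."""
import base64
import hashlib
import struct

SHA256_DIGEST_TYPE = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire format: length-prefixed labels, root = 0x00."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it travels on the wire: 2-byte flags, protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(presentation: str) -> bytes:
    """Parse zone-file form, e.g. '257 3 13 AQIDBA==' (constructed; 257 = KSK, 13 = ECDSAP256SHA256)."""
    flags, protocol, algorithm, *key_b64 = presentation.split()
    return dnskey_rdata(int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key_b64)))


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the 16-bit id shown in DS and RRSIG records;
    applies to every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS as (key_tag, algorithm, digest_type, hex digest), RFC 4034 5.1.4:
    digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], SHA256_DIGEST_TYPE, digest)


def chain_links(owner: str, dnskey_rdatas: list, published_ds: set) -> bool:
    """True if at least one DS published at the parent matches a DNSKEY the child serves.
    If none does, validating resolvers treat the zone as bogus and answer SERVFAIL:
    the 'site goes offline after a DNS move' failure the caution above describes."""
    return any(ds_record(owner, r) in published_ds for r in dnskey_rdatas)


# --- constructed walk-through of a DNS-host move -------------------------------
OWNER = "example.com.au"                                   # sample domain, not a real customer
OLD_KSK = parse_dnskey("257 3 13 AQIDBA==")                # key at the old DNS host (placeholder bytes)
NEW_KSK = dnskey_rdata(257, 3, 13, b"\x09\x08\x07\x06")    # fresh key generated by the new host
REGISTRY_DS = {ds_record(OWNER, OLD_KSK)}                  # what auDA's registry holds today


def before_move() -> bool:
    """Old key served, old DS published: chain intact."""
    return chain_links(OWNER, [OLD_KSK], REGISTRY_DS)


def after_move_without_updating_ds() -> bool:
    """New key served, stale DS still published: resolvers refuse to resolve the domain."""
    return chain_links(OWNER, [NEW_KSK], REGISTRY_DS)


def after_move_with_ds_updated() -> bool:
    """New key served and the matching DS re-created at the registry: chain intact again."""
    return chain_links(OWNER, [NEW_KSK], {ds_record(OWNER, NEW_KSK)})


if __name__ == "__main__":
    print("old KSK key tag:", key_tag(OLD_KSK))
    print("before move:", before_move())
    print("after move, DS not updated:", after_move_without_updating_ds())
    print("after move, DS updated:", after_move_with_ds_updated())
```

To run the same check against a live domain, paste the output of `dig DNSKEY yourdomain` into parse_dnskey() and the output of `dig DS yourdomain` into the published set; a zone whose DS set and DNSKEY set do not intersect is the "half-done" state the caution describes, and should be fixed (or the DS withdrawn) before anyone points a validating resolver at it.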
How to check your own domain in 2 minutes
Paste your domain into DNSViz, a free visualiser run by DNS researchers. It draws the chain of trust from the root, through .au, to your records. An unbroken chain of signed links means DNSSEC is working; a chain that stops at your domain with no signatures means you are in the 98%.
For a live picture of both outcomes, compare 2 domains we operate. clickidy.com — a small business site we run as a demonstration target — shows what the 98% looks like: the delegation arrives at the domain and the signatures stop, exactly as they do for the median Australian small business in the baseline data. redbridgecyber.com.au shows the alternative: every link signed and validating.
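The same 2-minute check can be scripted: ask a validating resolver for your domain with the DNSSEC OK (DO) bit set and read the AD (Authenticated Data) flag in the reply header. AD set means the resolver validated the whole chain; SERVFAIL means the chain exists but fails (a stale DS, for instance); neither means the domain is unsigned, which is what the 98% see. This is an added example written for this article, not Red Bridge Cyber's scanner and not DNSViz, using only the Python standard library and the RFC 1035 header and RFC 6891 OPT layouts. The resolver defaults to Cloudflare's 1.1.1.1, as named above; the reply headers built by sample_reply() are constructed so the classification can be exercised offline.

```python
"""Query a validating resolver with DO=1 and classify the domain from the AD flag and RCODE.
Added example for this article, not Red Bridge Cyber's scanner or DNSViz. Standard library only.
The 12-byte headers from sample_reply() are constructed for offline use."""
import socket
import struct

SERVFAIL = 2  # RCODE a validating resolver returns for a zone whose signatures fail


def encode_name(domain: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by the root label (0x00)."""
    labels = [l for l in domain.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(domain: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Query for `domain` (default QTYPE A) with RD=1 and an EDNS0 OPT record carrying DO=1.
    The resolver validates either way; DO just asks it to include the signatures."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question; 1 additional (OPT)
    question = encode_name(domain) + struct.pack("!HH", qtype, 1)  # CLASS IN
    # OPT RR: root owner, TYPE 41, UDP payload 4096, ext-RCODE 0, version 0, flags DO=0x8000, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def interpret_reply(reply: bytes) -> dict:
    """Pull the header fields that matter for DNSSEC status out of a raw reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "txid": txid,
        "ad": bool(flags & 0x0020),  # AD bit: the resolver validated the chain root -> .au -> you
        "rcode": flags & 0x000F,
        "answers": an,
    }


def classify(reply: bytes) -> str:
    """'secure' = signed and validated; 'bogus' = signed but failing validation (SERVFAIL);
    'insecure' = no signatures found, the 98% case."""
    fields = interpret_reply(reply)
    if fields["rcode"] == SERVFAIL:
        return "bogus"
    if fields["ad"]:
        return "secure"
    return "insecure"


def sample_reply(flags: int, answers: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed 12-byte reply header (no question/answer sections) for offline demonstration."""
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 1)


def query_resolver(domain: str, resolver: str = "1.1.1.1", timeout: float = 3.0) -> bytes:
    """Send the query over UDP to a validating resolver and return the raw reply."""
    query = build_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply = sock.recv(4096)
    if reply[:2] != query[:2]:  # the transaction id must echo the query
        raise ValueError("reply does not match the query's transaction id")
    return reply


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "redbridgecyber.com.au"
    print(domain, classify(query_resolver(domain)))
```

Two caveats when reading the result. Only a validating resolver ever sets AD, so "insecure" from a resolver you have not confirmed validates tells you nothing; always point this at 1.1.1.1, 8.8.8.8 or Quad9. And SERVFAIL has other causes than a broken chain; if the same query succeeds when repeated with the CD (Checking Disabled) bit set, validation is the part that is failing.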
Our scan includes the same DNSSEC check as part of its Domain category, alongside the certificate-authority records and the rest of the domain-level record health checks — one more line in the same plain-English report, with the rest of the checks described in free website security scanners explained. 2 minutes either way, and you will know which side of the 98% you are on.