DNSSEC not enabled (no DS records)
DNSSEC adds a cryptographic signature to your domain's DNS records so visitors can trust that the address they reached is genuinely yours. Your domain does not have it enabled.
Why this matters
Without DNSSEC, an attacker who poisons a DNS cache could quietly send your visitors to a fake copy of your site to steal logins or payments. It is low-probability but high-impact.
How to fix it
Enable DNSSEC at your DNS provider, usually a one-click toggle on Cloudflare, Route 53 or Google Domains. If your registrar is separate from your DNS provider, copy the DS record the DNS provider gives you into the registrar's DNSSEC settings.
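To confirm the fix took effect, the DS record held by the parent zone has to match a DNSKEY published in your zone. The check below is an added example, not part of the original page: it takes the lines printed by dig +short DS and dig +short DNSKEY for the domain and classifies the delegation. The function names, status strings and the sample key are constructed for illustration.

```python
import base64, hashlib, struct

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13, all-zero 64-byte key.
SAMPLE_DNSKEY = "257 3 13 " + "A" * 86 + "=="

def name_to_wire(name):
    """Lowercased wire form of the owner name, as hashed into a DS digest."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """'flags protocol algorithm base64...' (dig +short layout) -> DNSKEY RDATA."""
    flags, proto, alg, *b64 = line.split()
    header = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return header + base64.b64decode("".join(b64))

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(owner, dnskey_line):
    """(key tag, algorithm, digest type 2, hex digest) the parent zone should hold."""
    rdata = parse_dnskey(dnskey_line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def delegation_status(owner, ds_lines, dnskey_lines):
    """Classify the chain of trust from the parent's DS set and the zone's DNSKEY set."""
    if not dnskey_lines:
        return "broken: DS published but zone has no DNSKEY" if ds_lines else "unsigned"
    if not ds_lines:
        return "signed, no DS at parent"  # zone is signed, registrar step not done
    expected = {ds_sha256(owner, k) for k in dnskey_lines}
    sha256_ds = [d.split() for d in ds_lines if d.split()[2] == "2"]
    if not sha256_ds:
        return "unverified: no SHA-256 (digest type 2) DS to compare"
    for tag, alg, dtype, *hexparts in sha256_ds:
        # dig may split the digest into space-separated chunks; rejoin before comparing
        if (int(tag), int(alg), 2, "".join(hexparts).upper()) in expected:
            return "ok"
    return "broken: DS matches no DNSKEY"  # validating resolvers will reject the zone

if __name__ == "__main__":
    print(delegation_status("example.com", [], [SAMPLE_DNSKEY]))
```

A "broken" result is worse than "unsigned": a DS at the registrar that matches no key in the zone makes the domain fail to resolve for validating resolvers, so run the check again after any key change at the DNS provider.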