What is this
DNSSEC cryptographically signs your DNS responses. Resolvers verify the signature before handing the answer to the user. Without DNSSEC a forged DNS response (cache poisoning) is hard to detect.
Why it matters
An attacker who can forge DNS can divert traffic for your brand to a fake site or mail server. DNSSEC closes that off, and is mandatory in some procurement processes and .gov-style scenarios.
How to fix it
TransIP: Open Domains > your domain > DNSSEC. Click Enable DNSSEC. TransIP places the DS record at the registry automatically.
CloudFlare: DNS > Settings > Enable DNSSEC. Copy the DS record and add it at your registrar (some NL registrars sync this via API).
Strato or Antagonist: Find the DNSSEC toggle in the customer panel under DNS settings. Enable it, wait a few minutes, then add the DS at an external registrar if needed.
Other: Activate DNSSEC at your DNS host. Copy the DS record (Key Tag, algorithm, digest type, digest) and place it with your registrar.
Verify
DNSViz shows the chain of trust visually. Or run dig DS yourdomain.com +short and dig DNSKEY yourdomain.com +short. Green checkmark or valid DS = good.