Proving DNSSEC Correctness: A Formal Approach to Secure Domain Name Resolution

📅 2025-12-12
📈 Citations: 0
Influential: 0
🤖 AI Summary
DNSSEC specifications suffer from semantic ambiguities and design flaws, so the traditional "break-and-fix" approach of patching individual attacks cannot deliver systematic security assurance. This paper introduces DNSSECVerif, the first fully automated formal verification framework for DNSSEC. Built on the SAPIC+ symbolic protocol verifier, it supports high-fidelity modeling and symbolic verification of the DNSSEC protocol suite, including cryptographic operations, stateful caching, and concurrent resolution logic. The authors formally prove four core security properties and uncover standard-level ambiguities, notably the insecure coexistence of NSEC and NSEC3. DNSSECVerif automatically reproduces three known attack classes, exposing fundamental protocol weaknesses. Targeted testing of mainstream DNS implementations and a measurement study of over 2.2 million open resolvers confirm the real-world impact of these flaws. Based on these findings, the paper proposes actionable specification refinements and implementation hardening measures.

📝 Abstract
The Domain Name System Security Extensions (DNSSEC) are critical for preventing DNS spoofing, yet their specifications contain ambiguities and vulnerabilities that elude traditional "break-and-fix" approaches. A holistic, foundational security analysis of the protocol has thus remained an open problem. This paper introduces DNSSECVerif, the first framework for comprehensive, automated formal security analysis of the DNSSEC protocol suite. Built on the SAPIC+ symbolic verifier, our high-fidelity model captures protocol-level interactions, including cryptographic operations and stateful caching with fine-grained concurrency control. Using DNSSECVerif, we formally prove four of DNSSEC's core security guarantees and uncover critical ambiguities in the standards, notably the insecure coexistence of NSEC and NSEC3. Our model also automatically rediscovers three classes of known attacks, demonstrating fundamental weaknesses in the protocol design. To bridge the model-to-reality gap, we validate our findings through targeted testing of mainstream DNS software and a large-scale measurement study of over 2.2 million open resolvers, confirming the real-world impact of these flaws. Our work provides crucial, evidence-based recommendations for hardening DNSSEC specifications and implementations.
Problem

Research questions and friction points this paper is trying to address.

DNSSEC specifications contain ambiguities and vulnerabilities that "break-and-fix" analysis of individual attacks does not systematically expose
No holistic, foundational security analysis of the full DNSSEC protocol suite (cryptographic operations, stateful caching, concurrent resolution) existed before this work
Bridging the model-to-reality gap: findings from a formal model must be confirmed against real DNS software and deployed resolvers
Innovation

Methods, ideas, or system contributions that make the work stand out.

DNSSECVerif, the first framework for comprehensive, automated formal security analysis of DNSSEC, built on the SAPIC+ symbolic verifier
High-fidelity model of protocol-level interactions, including cryptographic operations and stateful caching with fine-grained concurrency control, that proves four core security guarantees, uncovers the insecure coexistence of NSEC and NSEC3, and automatically rediscovers three classes of known attacks
Real-world validation through targeted testing of mainstream DNS software and a measurement study of over 2.2 million open resolvers