For many websites, the DNS service built into Plesk works perfectly well. This isn't about Plesk doing a bad job. It's about a dependency most operators don't examine until it becomes a problem. DNS stays where it was first configured because it rarely causes day-to-day issues. The risk only becomes visible when something goes wrong.
When DNS is hosted on the same server as your websites, applications and email, you create a dependency that doesn't need to exist. If that server experiences an outage, maintenance window or network issue, DNS goes down with it. Users can't reach your site, not because your site is down, but because the layer beneath it is.
deSEC removes that dependency. Your websites remain exactly where they are today, hosted on your VPS and managed through Plesk. DNS moves onto infrastructure built specifically for DNS hosting, answered from a globally distributed Anycast network rather than a single server. If your VPS has a problem, DNS doesn't.
| deSEC | Plesk DNS | |
|---|---|---|
| Infrastructure | Dedicated DNS, globally distributed Anycast | Hosted on the same VPS as your websites |
| DNSSEC | Automatic signing for all hosted zones | Requires manual configuration and management |
| Dependency | Separate from your VPS | Shares your VPS resources and availability |
| Cost | Free | Included with Plesk |
| Open source | Yes - code is publicly reviewable | No |
| Operating Material | Non-profit, security mission | Commercial |
For most customers, the value is straightforward: separating DNS from your VPS removes an unnecessary dependency without changing how your websites, applications or email are hosted.
According to APNIC statistics, fewer than 7% of domains have DNSSEC configured despite the technology existing for more than two decades. Administrators generally do not avoid DNSSEC because they disagree with the security benefits. They avoid it because deployment has traditionally introduced management overhead that many teams do not prioritise. deSEC removes that friction. Zones are signed automatically, with no separate service to purchase or configure. The only remaining step is publishing the DS record at your registrar to complete the chain of trust.
DNS performance is not the same everywhere. A DNS query answered from a single VPS datacentre may deliver very different results for users in London, Singapore, or São Paulo. Geography directly affects latency. deSEC uses a globally distributed Anycast network that answers queries from multiple locations around the world, improving consistency and reducing the single-location dependency that often exists when DNS is hosted alongside applications or websites.
deSEC is a German non-profit operating under European regulatory frameworks, including GDPR. Unlike many commercial DNS providers, it was not created to monetise DNS services or drive upsell opportunities. DNSSEC, a global Anycast network, and open-source software are included as standard because the goal is improving internet security and resilience. deSEC also participates in DNS4EU, reflecting its broader mission to strengthen European DNS infrastructure and trust.
Your websites, applications and email stay exactly where they are today. deSEC only changes where DNS is hosted and answered - everything else continues to be managed through Plesk as normal.
That gives you:
Enable deSEC through the Layershift Extensions Catalogue
Install deSEC directly from the Plesk Extension Catalogue
Follow our step-by-step setup guide: deSEC Integration with Plesk
deSEC is a free, open-source, non-profit DNS hosting provider based in Berlin, Germany. It provides separate DNS infrastructure with automatic DNSSEC signing and globally distributed Anycast DNS. Unlike commercial DNS providers, deSEC operates as a non-profit funded by donations, with a mission to make secure DNS easier to deploy without putting core security features behind paid plans.
DNSSEC (Domain Name System Security Extensions) adds cryptographic validation to DNS records. Without it, DNS responses cannot be verified as genuine - they can be intercepted or spoofed in transit without any visible indication. DNSSEC allows systems to confirm that a DNS response came from the authoritative source and has not been tampered with along the way.
deSEC integrates with Plesk through the deSEC DNS extension, available in the Layershift Extensions Catalogue and the Plesk Extension Catalogue. Once installed, your DNS zones are hosted on deSEC's dedicated infrastructure while you continue managing your websites and applications through Plesk as normal. No changes to your hosting setup are required.
deSEC differs from commercial DNS providers in three ways: it is a non-profit, its security features including DNSSEC are not paywalled, and its software is open source. It does not compete on features or pricing tiers - its purpose is improving DNS security adoption rather than growing market share or upselling customers to premium plans.
Yes. DNSSEC signing is enabled automatically for all zones hosted on the platform - there is no manual configuration required on the deSEC side. A DS record must still be configured at your domain registrar to complete the chain of trust. Without this final step, the DNSSEC chain cannot be validated end-to-end.
Yes. deSEC is free to use and funded entirely through donations and sponsorship. There are no paid tiers, no premium plans, and no paywalls on security features such as DNSSEC. The free service is the full service - there is no commercial version with additional capabilities withheld from free users.Yes. DNSSEC signing is enabled automatically for all zones hosted on the platform - there is no manual configuration required on the deSEC side. A DS record must still be configured at your domain registrar to complete the chain of trust. Without this final step, the DNSSEC chain cannot be validated end-to-end.
No. Your websites, applications and email remain hosted exactly where they are today - on your Layershift Managed VPS, managed through Plesk. deSEC replaces only the DNS hosting component. For most customers, the transition is uneventful. The change is simply that DNS is no longer relying on the same infrastructure it is directing traffic towards.
Because DNS hosting and web hosting are different jobs, and putting them on the same server creates a dependency that doesn't need to exist. deSEC solves that cleanly, it's free, and it makes DNSSEC straightforward to deploy - without adding operational complexity or requiring changes to how your websites are hosted.
