What is DNSSEC?
Why Interviewers Ask This
Advanced questions like this reveal whether a candidate has internalized Networking deeply enough to make architectural decisions. Strong answers demonstrate both breadth and depth of experience.
Answer
DNSSEC (DNS Security Extensions) adds cryptographic authentication to DNS to protect against DNS spoofing and cache poisoning attacks. Without DNSSEC, DNS responses can be forged — an attacker can return a fake IP for a legitimate domain.

DNSSEC works by digitally signing DNS records using public-key cryptography. The zone owner signs its record sets with a private key; clients (in practice, validating resolvers) verify the signatures using the public key published in the zone's DNSKEY record. The chain of trust starts at the DNS root, which vouches for TLD zone keys (.com, .org) through DS records, and each TLD in turn vouches for the keys of the domain zones delegated beneath it.

The resource records involved:

RRSIG — the digital signature over a record set
DNSKEY — the public key used to verify RRSIG signatures
DS (Delegation Signer) — a hash of the child zone's DNSKEY, published in the parent zone; this is what links parent and child and creates the chain of trust
NSEC/NSEC3 — authenticated denial of existence, i.e. a signed proof that a name or record type does not exist

DNSSEC provides only integrity and authenticity — it does not encrypt DNS queries (that is the job of DNS-over-HTTPS/TLS), so it does not give privacy. Adoption has been gradual — many major domains still have not fully deployed DNSSEC.
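The DS link in the chain of trust is concrete enough to show in code. The following added example (not part of the original answer) derives the DS record a parent zone would publish for a child's DNSKEY, using the RFC 4034 key tag and a SHA-256 digest over the owner name and DNSKEY RDATA, and then performs the comparison a validating resolver makes at the delegation. The zone name and the key material are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# Added example: deriving a DS record from a child zone's DNSKEY and checking it
# the way a validating resolver does. The key below is a constructed placeholder.


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, e.g. example.com."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum used to select a DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """The DS record the parent zone publishes to vouch for this child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata)}"


def ds_matches(parent_ds: str, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey_b64: str) -> bool:
    """Resolver-side check: recompute DS from the child's DNSKEY and compare."""
    return parent_ds.split() == make_ds(owner, flags, protocol, algorithm, pubkey_b64).split()


if __name__ == "__main__":
    # Constructed DNSKEY: KSK flags (257), protocol 3, algorithm 8 (RSA/SHA-256),
    # and a deliberately tiny placeholder public key.
    ds = make_ds("example.com.", 257, 3, 8, "AQIDBA==")
    print(ds)
    print("chain link valid:", ds_matches(ds, "example.com.", 257, 3, 8, "AQIDBA=="))
```

A DNSKEY whose recomputed DS does not match any DS record in the parent breaks the chain at that delegation, which is why a mismatched or missing DS during a key rollover makes a validating resolver return SERVFAIL for the whole zone.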
Pro Tip
Back up your answer with a specific project or situation. Saying 'In my last Networking project, I used this when...' immediately makes your answer more credible and memorable.