What is DNSSEC?

Answer

DNSSEC (DNS Security Extensions) adds cryptographic authentication to DNS to protect against DNS spoofing and cache poisoning attacks. Without DNSSEC, DNS responses can be forged — an attacker can return a fake IP for a legitimate domain. DNSSEC works by digitally signing DNS records using public-key cryptography. The zone owner signs records with their private key; clients can verify using the public key in the DNSKEY record. The chain of trust starts at the DNS root, which signs TLD zone keys (.com, .org), which sign domain zone keys. Resource records: RRSIG — digital signature for a record set, DNSKEY — public key used to verify signatures, DS (Delegation Signer) — hash of a child zone's DNSKEY, creates the chain of trust, NSEC/NSEC3 — authenticated denial of non-existence. DNSSEC validates only integrity and authenticity — it does not encrypt DNS queries (that is DNS-over-HTTPS/TLS). Adoption has been gradual — many major domains still have not fully deployed DNSSEC.