DNSSEC (Domain Name System Security Extensions)
DNSSEC adds cryptographic authentication to DNS responses, preventing DNS spoofing and cache poisoning attacks.
What is DNSSEC?
DNS Security Extensions (DNSSEC) adds cryptographic signatures to DNS responses, allowing resolvers to verify that responses came from authentic sources and haven't been tampered with.
How DNSSEC Works
Zone owners sign DNS records with private keys. Resolvers validate the signatures using the matching public keys published in the DNS hierarchy, creating a chain of trust from the root.
DNSSEC vs DoH/DoT
- DNSSEC: Provides authenticity (prevents spoofing)
- DoH/DoT: Provides privacy (prevents eavesdropping)
- They complement each other
Common Misconceptions
- "DNSSEC encrypts DNS" - It authenticates responses; it doesn't encrypt them
- "DNSSEC is widely deployed" - Adoption is still limited
- "DNSSEC breaks things" - Misconfiguration can cause issues