CyberGlossary

DNSSEC

Also known as: DNS Security Extensions

Definition

A set of DNS extensions that cryptographically sign zone data so resolvers can verify the authenticity and integrity of DNS responses.

DNSSEC (Domain Name System Security Extensions) adds public-key signatures to DNS data, allowing a validating resolver to confirm that an answer was published by the zone's operator and has not been altered in transit. Each signed zone publishes its public keys in DNSKEY records and signs every resource record set with RRSIG records; a DS record in the parent zone carries a hash of the child's key-signing key (KSK), so each DS links a zone to its parent and the chain ends at the root zone's trust anchor, which validating resolvers ship with. NSEC or NSEC3 records give signed proof that a name or record type does not exist, so a forged NXDOMAIN can be detected as well. DNSSEC defends against cache poisoning and on-path tampering with responses, and a resolver that validates for itself rejects forged answers from an upstream resolver; a stub that merely trusts the AD bit set by a recursive resolver is only as secure as the path to that resolver. DNSSEC does not encrypt queries or answers, so confidentiality requires DoH or DoT, but it is a critical building block for trustworthy name resolution and for downstream protocols such as DANE, which anchors TLS certificates or keys in signed DNS records.
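The DS-to-DNSKEY link described above, as an added example (not code from the page): it computes the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest over a constructed DNSKEY, then checks it the way a validator checks a child's key against the parent's DS. The 32-byte sample key is a placeholder standing in for an Ed25519 public key and is not a real key; RRSIG signature verification itself is left out because it needs a cryptography library rather than the standard library.

```python
"""Added example: building and checking the DS <-> DNSKEY link of the DNSSEC chain of trust
(RFC 4034 key tag and DS digest, RFC 4509 SHA-256 digest type), standard library only."""
import hashlib
import hmac
from dataclasses import dataclass

DIGEST_SHA256 = 2  # DS digest type 2 (RFC 4509); type 1 (SHA-1) is deprecated


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (zone key + SEP bit), 256 = ZSK
    algorithm: int      # e.g. 13 = ECDSAP256SHA256, 15 = ED25519
    public_key: bytes   # raw public key bytes as carried in the RDATA
    protocol: int = 3   # fixed at 3 for DNSSEC (RFC 4034 section 2.1.2)

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def presentation(self) -> str:
        """Zone-file form: '<tag> <alg> <digest type> <hex digest>'."""
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest.hex().upper()}"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels,
    each prefixed by its length byte, terminated by the zero-length root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA used to
    pick candidate keys quickly. It is not a security check and not unique; the
    obsolete RSA/MD5 algorithm 1 used a different rule that is not handled here."""
    ac = 0
    for i, byte in enumerate(key.rdata()):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int = DIGEST_SHA256) -> DS:
    """What the child operator computes and hands to the parent:
    digest = H(canonical owner name | DNSKEY RDATA)."""
    if digest_type != DIGEST_SHA256:
        raise ValueError("only DS digest type 2 (SHA-256) is implemented here")
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    """What a validator does with the parent's DS and a DNSKEY from the child's
    apex RRset: the key is trusted only if its digest matches. Tag and algorithm
    are filters; the digest is the actual binding."""
    if ds.algorithm != key.algorithm or ds.key_tag != key_tag(key):
        return False
    expected = make_ds(owner, key, ds.digest_type)
    return hmac.compare_digest(expected.digest, ds.digest)


# Constructed sample key: 32 placeholder bytes standing in for an Ed25519 public key
# (algorithm 15). It is not a real key; only the DS/key-tag arithmetic is exercised.
SAMPLE_KSK = DNSKEY(flags=257, algorithm=15, public_key=bytes(range(32)))
PARENT_DS = make_ds("example.", SAMPLE_KSK)


def demo() -> dict:
    """The genuine key validates; two tampered keys do not, one of them with an
    unchanged key tag (key bytes 0 and 2 swapped), which is why the digest, not the tag, matters."""
    same_tag = DNSKEY(257, 15, bytes([2, 1, 0]) + bytes(range(3, 32)))
    other_tag = DNSKEY(257, 15, bytes([1]) + bytes(range(1, 32)))
    return {
        "genuine": ds_matches(PARENT_DS, "example.", SAMPLE_KSK),
        "same_tag_tamper": ds_matches(PARENT_DS, "example.", same_tag),
        "tag_mismatch_tamper": ds_matches(PARENT_DS, "example.", other_tag),
    }


if __name__ == "__main__":
    print("example. DS", PARENT_DS.presentation())
    print(demo())
```

Running the script prints the DS record in zone-file form and a dictionary showing that only the genuine key matches. The same-tag tamper case is the one to remember: a real validator may see several DNSKEYs with the same tag, so it tries every candidate and trusts a key only when the digest over the canonical owner name plus RDATA matches the DS the parent published.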

Examples

  • A validating resolver rejects a forged response for bank.example because the RRSIG does not verify against the published DNSKEY.
  • A zone operator rolls its KSK and publishes the new DS record at the parent (through its registrar) before retiring the old key, so the chain of trust never breaks; a ZSK rollover needs no change at the parent, because the ZSK is signed by the KSK within the zone's own DNSKEY RRset.
