DNSSEC
What is DNSSEC?
DNSSEC: A set of DNS extensions that uses digital signatures to let resolvers verify the authenticity and integrity of DNS records.
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records so that a validating resolver can verify that a response was produced by the operator of the legitimate zone and was not altered in transit. Each zone signs its record sets with a private key, carries the signatures in RRSIG records, and publishes the matching public key in DNSKEY records. A chain of trust runs from the root zone's key (the trust anchor configured in resolvers) down through every delegation: each parent publishes a DS record holding a hash of the child's key-signing DNSKEY, so a resolver can verify a child's key against a parent it already trusts. NSEC or NSEC3 records let a resolver also verify that a name or record type genuinely does not exist. A validating resolver rejects responses whose signatures are missing, invalid or expired, which defeats cache poisoning and on-path spoofing for signed zones. DNSSEC provides authenticity and integrity only, not confidentiality: queries and responses remain readable in transit, so it is combined with DNS over TLS (DoT) or DNS over HTTPS (DoH) to hide them from observers. Validation normally happens at the recursive resolver, so a stub client that does not validate itself still trusts the path between it and that resolver.
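As an added illustration (example code written for this page, not taken from any DNSSEC implementation), the following Python computes the DS record a parent zone publishes for a child's DNSKEY (key tag per RFC 4034 appendix B, digest over the canonical owner name and the DNSKEY RDATA) and then walks a root, TLD, zone chain checking that each zone's DNSKEY set matches a DS held one level up, which is the anchoring step the registry example below describes. Zone names and key bytes are constructed for the example and are not real keys. A real validator additionally verifies the RRSIG over each DNSKEY set with the DS-matched key and the RRSIGs over the answer records; that needs a signature library and is not done here, only the DS hash links are checked.

```python
import hashlib
import hmac

# DS digest types (RFC 4034 section 5.1.3, RFC 4509, RFC 6605): digest type -> hash.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag: a 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS a parent publishes for a child DNSKEY (RFC 4034 section 5.1.4):
    digest over canonical owner name || DNSKEY RDATA."""
    digest = DS_DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """True if this DNSKEY is the key the DS commits to."""
    if ds["digest_type"] not in DS_DIGESTS:
        return False  # unsupported digest type: the link is unusable for validation
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    expected = DS_DIGESTS[ds["digest_type"]](wire_name(owner) + rdata).hexdigest().upper()
    return hmac.compare_digest(expected, ds["digest"].upper())


def verify_delegation_chain(trust_anchor: dict, zones: list):
    """Walk the chain of trust from the root down (DS links only, no RRSIG check).

    zones is ordered root -> leaf; each entry has "name", "dnskeys" (DNSKEY RDATA
    list) and "child_ds" (DS records this zone publishes for the next zone).
    Returns None if every link verifies, otherwise the name of the first zone
    whose DNSKEYs match no DS from the level above.
    """
    ds_set = [trust_anchor]
    for zone in zones:
        if not any(ds_matches(ds, zone["name"], k) for ds in ds_set for k in zone["dnskeys"]):
            return zone["name"]
        ds_set = zone["child_ds"]
    return None


def build_sample_chain(forged_leaf_key: bool = False):
    """Constructed sample chain root -> com. -> example.com. with algorithm 13
    (ECDSA P-256) and invented 64-byte key material (not real keys).
    With forged_leaf_key=True the leaf DNSKEY is swapped for one the registry
    never published a DS for, modelling a spoofed DNSKEY response."""
    root_ksk = dnskey_rdata(257, 13, bytes(range(0, 64)))
    com_ksk = dnskey_rdata(257, 13, bytes(range(64, 128)))
    example_ksk = dnskey_rdata(257, 13, bytes(range(128, 192)))
    forged_ksk = dnskey_rdata(257, 13, bytes(range(192, 256)))
    leaf_key = forged_ksk if forged_leaf_key else example_ksk
    trust_anchor = ds_record(".", root_ksk)  # the root DS a resolver is configured with
    zones = [
        {"name": ".", "dnskeys": [root_ksk], "child_ds": [ds_record("com.", com_ksk)]},
        {"name": "com.", "dnskeys": [com_ksk], "child_ds": [ds_record("example.com.", example_ksk)]},
        {"name": "example.com.", "dnskeys": [leaf_key], "child_ds": []},
    ]
    return trust_anchor, zones


if __name__ == "__main__":
    anchor, zones = build_sample_chain()
    print("intact chain, first broken link:", verify_delegation_chain(anchor, zones))
    anchor, zones = build_sample_chain(forged_leaf_key=True)
    print("forged leaf key, first broken link:", verify_delegation_chain(anchor, zones))
```

The owner name is lowercased before hashing because DS digests are defined over the canonical form; a DS computed over a mixed-case name would never match what a validator derives. The forged-leaf case shows why publishing the DS at the parent matters: a spoofed DNSKEY for example.com. hashes to a digest the registry never published, so the chain breaks exactly at that delegation.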
● Examples
- 01
A bank signs its zone so resolvers reject forged A records returned by a poisoned cache.
- 02
Top-level domain registries publish DS records to anchor the chain of trust for delegated zones.
● Frequently asked questions
What is DNSSEC?
A set of DNS extensions that uses digital signatures to let resolvers verify the authenticity and integrity of DNS records. It belongs to the Network Security category of cybersecurity.
What does DNSSEC mean?
A set of DNS extensions that uses digital signatures to let resolvers verify the authenticity and integrity of DNS records.
How do you deploy DNSSEC?
Sign the zone's record sets and publish the public keys in DNSKEY records, have the parent zone (for a second-level domain, the TLD registry, usually via the registrar) publish a DS record for the key-signing key so the zone joins the chain of trust, and enable validation on the recursive resolvers that serve clients. Signatures carry expiry times, so the zone must be re-signed and keys rolled on schedule: a lapsed signature, or a DS at the parent that no longer matches a published DNSKEY, makes validating resolvers treat the zone as bogus and fail every lookup for it.
What are other names for DNSSEC?
Common alternative names include: DNS Security Extensions.