The Trust Gap in Plain DNS
DNS turns names into addresses, but classic DNS responses are unauthenticated. A resolver cannot tell a genuine answer from a forged one, so an attacker who can inject a reply may perform cache poisoning, sending users to a server they control.
What DNSSEC Adds
DNSSEC signs DNS records with public key cryptography. Each zone signs its records, and a chain of trust runs from the root zone down to the domain. A validating resolver checks the signatures and rejects answers that fail.
- Records are signed, so tampering is detectable.
- The chain links each zone signature to its parent, ending at a trusted root key.
- DNSSEC proves authenticity and integrity, not confidentiality.
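The chain of trust described above, as an added example that is not part of the original page: a Go program that models the root DNSKEY as the trust anchor, each parent zone publishing a signed DS digest of its child's DNSKEY, and a leaf zone signing an A record. The validator walks the chain from the anchor down, then checks the answer's signature, accepting the genuine record and rejecting a poisoned copy. Ed25519 (DNSSEC algorithm 15) is used for the signatures; the zone names, the one-key-per-zone model, the simplified canonical signing form, and the Validate, BuildScenario and Forge functions are assumptions of this example, not real DNSSEC wire formats or any resolver's code.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone is a simplified DNSSEC zone: one Ed25519 key pair stands in for both
// KSK and ZSK (an assumption), and its public half is the DNSKEY record.
type Zone struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// Record is a resource record together with the RRSIG its zone produced.
type Record struct {
	Owner, Type string
	Data, Sig   []byte
}

// canonical is the byte string that gets signed (constructed form; real
// DNSSEC canonicalises the whole RRset plus the RRSIG header fields).
func canonical(owner, typ string, data []byte) []byte {
	return append([]byte(owner+"|"+typ+"|"), data...)
}

func NewZone(name string) (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{Name: name, priv: priv, Pub: pub}, nil
}

// Sign returns a record with an RRSIG made under this zone's key.
func (z *Zone) Sign(owner, typ string, data []byte) Record {
	return Record{owner, typ, data, ed25519.Sign(z.priv, canonical(owner, typ, data))}
}

// DSDigest is what a parent publishes about a child's key: a SHA-256 digest
// of the child's name and DNSKEY (the DS record, digest type 2).
func DSDigest(child string, pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(child), pub...))
	return h[:]
}

// Delegate has the parent sign a DS record that pins the child's key.
func (parent *Zone) Delegate(child *Zone) Record {
	return parent.Sign(child.Name, "DS", DSDigest(child.Name, child.Pub))
}

func verify(pub ed25519.PublicKey, r Record) bool {
	return ed25519.Verify(pub, canonical(r.Owner, r.Type, r.Data), r.Sig)
}

// Link is one delegation step: the parent-signed DS and the child's DNSKEY.
type Link struct {
	DS       Record
	ChildKey ed25519.PublicKey
}

// Validate walks from the trust anchor (root DNSKEY) through each delegation:
// every DS must be signed by the key above it and match the key below it.
// The final answer is then verified with the leaf zone's key.
func Validate(anchor ed25519.PublicKey, chain []Link, answer Record) error {
	key := anchor
	for _, l := range chain {
		if !verify(key, l.DS) {
			return fmt.Errorf("DS for %s is not signed by its parent", l.DS.Owner)
		}
		if !bytes.Equal(l.DS.Data, DSDigest(l.DS.Owner, l.ChildKey)) {
			return fmt.Errorf("DNSKEY for %s does not match the parent's DS", l.DS.Owner)
		}
		key = l.ChildKey
	}
	if !verify(key, answer) {
		return errors.New("RRSIG check failed: answer rejected as forged")
	}
	return nil
}

// BuildScenario sets up root -> example. -> secure.example. (constructed
// names) and signs an A record. It returns the anchor, the chain and the answer.
func BuildScenario() (ed25519.PublicKey, []Link, Record, error) {
	var zones []*Zone
	for _, name := range []string{".", "example.", "secure.example."} {
		z, err := NewZone(name)
		if err != nil {
			return nil, nil, Record{}, err
		}
		zones = append(zones, z)
	}
	root, tld, leaf := zones[0], zones[1], zones[2]
	chain := []Link{
		{DS: root.Delegate(tld), ChildKey: tld.Pub},
		{DS: tld.Delegate(leaf), ChildKey: leaf.Pub},
	}
	return root.Pub, chain, leaf.Sign("www.secure.example.", "A", []byte{192, 0, 2, 10}), nil
}

// Forge models a poisoned reply: same name and type, a different address, and
// the original RRSIG copied over because the forger does not hold the zone key.
func Forge(r Record) Record {
	f := r
	f.Data = []byte{203, 0, 113, 66}
	return f
}

func main() {
	anchor, chain, answer, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine answer:", Validate(anchor, chain, answer))
	fmt.Println("forged answer: ", Validate(anchor, chain, Forge(answer)))
}
```

Running it prints `<nil>` for the genuine record and an RRSIG error for the forged one. The two DS checks in Validate are what stop an attacker who simply signs the forged record with a key of their own: the key is valid Ed25519, but no parent has published a DS for it, so the chain never reaches it. A real validating resolver behaves the same way and returns SERVFAIL for the name instead of passing the forged address to the client.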
What It Does Not Do
DNSSEC does not encrypt queries or responses. Anyone on the path can still see which names you look up. For privacy, add DNS over TLS (DoT) or DNS over HTTPS (DoH), which encrypt the transport between the client and its resolver. The two protections are complementary: DNSSEC tells you the answer is genuine, and encrypted transport keeps the question from observers.
Key idea
DNSSEC signs DNS records along a chain of trust to the root, defeating forged answers and cache poisoning, but it adds authenticity, not privacy, so pair it with encrypted DNS transport.