what is dnssec

DNSSEC stands for Domain Name System Security Extensions. It is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data in the Domain Name System (DNS). DNSSEC adds a layer of security by enabling authenticated answers on top of an otherwise insecure DNS. It provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality. DNSSEC uses a system of public keys and digital signatures to verify data. It simply adds new records to DNS alongside existing records. These new record types include RRSIG (resource record signature), DNSKEY, and DS (delegation signer). DNSSEC helps prevent attackers from manipulating or poisoning the responses to DNS requests. Enabling DNSSEC validation in recursive resolvers is easy and has been supported by nearly all common resolvers for many years. Many third- party DNS hosting providers also support DNSSEC. Usually, enabling DNSSEC for a zone with a hosting provider is quite easy: often it entails little more than clicking a check box. For a zone owner to deploy DNSSEC by signing their zone's data, that zone's parent, and its parent, all the way to the root zone, also need to be signed for DNSSEC to be as effective as possible.