DNS Security Extensions (DNSSEC) is a specification of a set of new extensions to the DNS. Through the definition of additional DNS Resource Records, it lets DNS clients validate the authenticity and data integrity of a DNS response, and it provides authenticated denial of existence. This protects the Internet from certain attacks, such as DNS cache poisoning.

To achieve this, DNSSEC defines a number of new DNS Resource Records (RRs), namely the DNSKEY, RRSIG, NSEC and DS RRs. With DNSSEC, a zone administrator digitally signs a Resource Record Set (RRset) with the administrator's private key and publishes this digital signature, along with the zone administrator's public key, in the DNS. A DNSSEC client, when checking a DNS response, can in turn retrieve the related RRset digital signature and check it using the zone administrator's public key, which must itself already lead back to a point of trust. If all these checks succeed, the client has some confidence that the DNS response was complete and authentic. More information is available here:
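The step that ties a zone's DNSKEY back to a point of trust is the DS record published in the parent zone. As an added example (not from the original page), this Python sketch builds and checks a SHA-256 DS digest using the RFC 4034 and RFC 4509 formats; the function names and the 64-byte placeholder key are constructed for illustration, and RRSIG signature verification is out of scope.

```python
import hashlib
import hmac
import struct

ZONE_KEY = 0x0100  # DNSKEY flags bit 7: key may sign zone data (RFC 4034)

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit lookup hint, not a security check."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def make_ds(owner: str, rdata: bytes) -> dict:
    """The DS fields a parent zone would publish for this child key."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": ds_digest(owner, rdata)}

def dnskey_matches_ds(owner: str, rdata: bytes, ds: dict) -> bool:
    """True only if the child's DNSKEY is the one the parent's DS vouches for."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if not flags & ZONE_KEY or protocol != 3 or ds["digest_type"] != 2:
        return False  # not a zone key, bad protocol, or digest type not handled here
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != algorithm:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata), ds["digest"])

# Constructed sample data: not a real key, just 64 placeholder bytes.
OWNER = "example.com."
RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))
DS = make_ds(OWNER, RDATA)
# Same key tag, different key: swapping two even-offset bytes keeps the checksum.
LOOKALIKE = dnskey_rdata(257, 3, 13, bytes([2, 1, 0]) + bytes(range(3, 64)))

if __name__ == "__main__":
    print(key_tag(RDATA), dnskey_matches_ds(OWNER, RDATA, DS),
          dnskey_matches_ds(OWNER, LOOKALIKE, DS))
```

The lookalike key shares the key tag but fails the digest comparison, which is why a validator treats the key tag only as a way to select candidate keys.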
