What is DNSSEC?
DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System. DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning (discovered by Dan Kaminsky). It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.
These mechanisms require changes to the DNS protocol. DNSSEC adds four new resource record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new RRs are described in detail in RFC 4034.
DNSSEC services protect against most of the threats to the Domain Name System. There are several distinct classes of threats to the Domain Name System, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol.
Note that DNSSEC does not provide confidentiality of data. Also, DNSSEC does not protect against DDoS Attacks.
For more details introductory information on DNSSEC go here.
