What is DNSSEC and why it is important

DNSSEC (Domain Name System Security Extensions) is a significant advancement in Internet security: it provides a mechanism to verify the authenticity and integrity of the DNS data for a domain name (such as paypal.com). DNSSEC adds cryptographic signatures to DNS records so that threat actors cannot tamper with DNS responses through DNS cache poisoning, DNS spoofing, or man-in-the-middle attacks. DNSSEC records should be present for the domains of banks, payment gateways, and gov and edu domains.

As noted above, DNSSEC ensures that users are directed to the legitimate website, mitigating the risk of phishing and domain hijacking. It adds digital signatures to a domain's DNS records, giving them cryptographic authenticity. When a DNS resolver queries a domain name, it receives the requested records along with their associated signatures. By validating these signatures against the public keys stored in DNSKEY records, the resolver can verify the legitimacy of the received DNS data.

The new DNS record types that DNSSEC introduces are RRSIG, DNSKEY, DS (Delegation Signer), and NSEC/NSEC3.
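The validation described above only works because each link in the chain of trust is cryptographically bound to the next: the parent zone publishes a DS record that commits to a digest of the child zone's DNSKEY, and a validating resolver checks that the DNSKEY it receives matches that DS before it trusts any RRSIG made with that key. The following added example (written for this article, not code from any DNSSEC implementation) computes the two values that make up a DS record, the key tag (RFC 4034 Appendix B) and the digest over the owner name and DNSKEY RDATA (RFC 4034 Section 5.1.4), using only the Python standard library. The DNSKEY bytes are constructed sample data, not a real key, and the example does not verify RRSIG signatures.

```python
"""Link a parent's DS record to a child zone's DNSKEY the way a validating
resolver does. Added illustration with constructed key material; it covers
the DS/DNSKEY binding only, not RRSIG signature verification."""
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum over the RDATA, carry folded back in.
    (Algorithm 1, RSA/MD5, uses a different rule that is not implemented here.)"""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if (i & 1) else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root as 0x00."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = H(owner name in wire form || DNSKEY RDATA), upper-case hex."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(owner_name_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            public_key: bytes, digest_type: int = 2) -> dict:
    """Build the DS record fields the parent zone would publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type),
    }


def ds_matches_dnskey(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, public_key: bytes) -> bool:
    """The check a validating resolver performs while walking the chain of trust:
    the parent's DS must match the key tag, algorithm and digest of a DNSKEY
    actually published in the child zone. Any change to the key changes the digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == algorithm
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))


def example_chain():
    """Constructed scenario: a KSK (flags 257) for example.com using algorithm 13
    (ECDSA P-256), whose 64 public-key bytes here are a placeholder, not a real key."""
    owner = "example.com."
    flags, protocol, algorithm = 257, 3, 13
    public_key = bytes(range(64))          # constructed placeholder key bytes
    ds = make_ds(owner, flags, protocol, algorithm, public_key)

    genuine = ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key)
    # A DNSKEY substituted by an attacker (one byte changed) no longer matches the parent's DS.
    forged_key = bytes([public_key[0] ^ 0x01]) + public_key[1:]
    forged = ds_matches_dnskey(ds, owner, flags, protocol, algorithm, forged_key)
    return ds, genuine, forged


if __name__ == "__main__":
    ds, genuine, forged = example_chain()
    print(f"example.com. IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("genuine DNSKEY accepted:", genuine)
    print("substituted DNSKEY accepted:", forged)
```

Running the script prints the DS record in presentation format together with the two outcomes: the published DNSKEY is accepted and the substituted one is rejected. This is exactly why a spoofed answer that swaps in an attacker's DNSKEY fails validation, even though the attacker can sign whatever RRsets they like with their own key: the parent's DS does not vouch for it.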

Example DNSSEC records of a domain name

Here is an example domain (paypal.com) that incorporates DNSSEC: