By default, DNS is text-based and unauthenticated. If I can inject a fake response faster than the real DNS server, I can redirect your "google.com" traffic to my phishing site. This is Cache Poisoning. DNSSEC (Domain Name System Security Extensions) fixes this by digitally signing the records.

The Chain of Trust

Trust is anchored at the top and flows down.
1. You trust the Root Zone (.) (Keys managed by ICANN).
2. The Root signs the key for .COM.
3. .COM signs the key for GOOGLE.COM.
If any link breaks, the validation fails (SERVFAIL).

1. New Record Types

DNSSEC adds complexity.

Record   Name                        Role
RRSIG    Resource Record Signature   The digital signature itself. "This A record is signed by Key ID 12345."
DNSKEY   DNS Public Key              The public key used to verify the signature.
DS       Delegation Signer           The hash of the child's key, stored at the parent zone. This links the chain.

2. How it works (The Resolver)

When you ask Google (8.8.8.8) to resolve "whoisnexus.com":
1. Google asks .COM servers.
2. Google gets the answer + the RRSIG.
3. Google fetches the Public Key (DNSKEY).
4. Google does the math. Does the signature in the RRSIG verify over Hash(Data) with that DNSKEY?
5. Google checks the parent (.COM) to verify the child's key is valid (DS record).
If all math is correct, you get the IP. If not, you get an error.
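As an added example (not part of the original post), here is a small Python script that reproduces the link the DS record makes in steps 3 and 5 above, and the "Key ID" that RRSIG and DS records name. The key tag and DS digest formulas are the real ones from RFC 4034 (Appendix B and section 5.1.4, digest type 2 = SHA-256); everything else is constructed: the 64-byte key bytes, the trust anchor, the one-KSK-per-zone chain for ., com. and example.com., and the helper names. The public-key signature check of step 4 (RSA/ECDSA over the RRSIG) is outside this script; it only shows how a resolver decides whether each zone's key is the one its parent vouched for.

```python
import hashlib
import struct

# Real DNSSEC constants (RFC 4034 / RFC 4509 / RFC 6605)
FLAGS_KSK = 257              # Zone Key + Secure Entry Point bits set
ALG_ECDSAP256SHA256 = 13     # algorithm number; 64-byte public key
DS_DIGEST_SHA256 = 2         # DS digest type 2 = SHA-256


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lower-case,
    length-prefixed labels, ending with the empty root label."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA = Flags (2) | Protocol (1, always 3) | Algorithm (1) | Public Key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the 'Key ID' that an RRSIG or DS refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """RFC 4034 s5.1.4: DS digest = SHA-256(owner name in wire form | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def make_ds(owner, rdata):
    """The DS record a parent publishes for a child key:
    (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], DS_DIGEST_SHA256, ds_digest(owner, rdata))


def validate_chain(trust_anchor, zones):
    """Walk the chain top-down. Every zone's DNSKEY must hash to the DS held one
    level up (the configured trust anchor for the root zone).
    zones: [{"name", "dnskey" (RDATA), "ds_for_child" (DS it publishes, or None)}]
    Returns "SECURE", or a (status, reason) tuple when a link is missing or broken."""
    expected = trust_anchor
    for zone in zones:
        if expected is None:
            # The parent published no DS: the delegation is unsigned, and a
            # validator treats the child as insecure rather than bogus.
            return ("INSECURE", f"no DS for {zone['name']} at parent")
        if make_ds(zone["name"], zone["dnskey"]) != expected:
            return ("SERVFAIL", f"DNSKEY of {zone['name']} does not match DS at parent")
        expected = zone["ds_for_child"]
    return "SECURE"


def build_sample_chain(tamper=False):
    """Constructed root -> com -> example.com chain with made-up 64-byte keys.
    With tamper=True the leaf key is swapped for another made-up key, as after
    a botched rollover or a spoofed DNSKEY answer."""
    root_key = dnskey_rdata(FLAGS_KSK, ALG_ECDSAP256SHA256, bytes(range(64)))
    com_key = dnskey_rdata(FLAGS_KSK, ALG_ECDSAP256SHA256, bytes(range(64, 128)))
    leaf_key = dnskey_rdata(FLAGS_KSK, ALG_ECDSAP256SHA256, bytes(range(128, 192)))
    trust_anchor = make_ds(".", root_key)      # stands in for the ICANN root anchor
    zones = [
        {"name": ".", "dnskey": root_key, "ds_for_child": make_ds("com.", com_key)},
        {"name": "com.", "dnskey": com_key, "ds_for_child": make_ds("example.com.", leaf_key)},
        {"name": "example.com.", "dnskey": leaf_key, "ds_for_child": None},
    ]
    if tamper:
        zones[2]["dnskey"] = dnskey_rdata(FLAGS_KSK, ALG_ECDSAP256SHA256, bytes(range(192, 256)))
    return trust_anchor, zones


if __name__ == "__main__":
    for tamper in (False, True):
        anchor, zones = build_sample_chain(tamper)
        print("tampered" if tamper else "intact", "->", validate_chain(anchor, zones))
```

Running it prints SECURE for the intact chain and a SERVFAIL tuple naming example.com. for the tampered one. The INSECURE branch is the case the post does not mention: a parent that publishes no DS at all does not break resolution, it just means the child is treated as unsigned, which is why a forgotten DS upload silently leaves a zone unprotected rather than failing loudly.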

3. NSEC vs NSEC3 (Zone Walking)

DNSSEC has a side effect. It must prove that a domain does not exist (NXDOMAIN).
NSEC: "apple.com exists. The next domain alphabetically is banana.com."
This proves that "avocado.com" does not exist because it's between apple and banana.
Vulnerability: A hacker can query NSEC records to walk the entire zone file and list every subdomain you have.
Fix (NSEC3): Hashes the names. "Hash(apple) exists. Next hash is Hash(banana)." You can't read the names off the record.
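To make the two proofs concrete, here is an added Python example (not from the original post) that checks denial-of-existence the way a validating resolver does. The NSEC part uses the apple/avocado/banana zone from above, with the three-record chain constructed for a zone "com." that holds only those two names; the last record points back to the apex, which is the wrap-around case a checker has to handle. The NSEC3 part implements the real RFC 5155 hash (SHA-1 over the wire-form name plus salt, repeated for the iteration count, base32hex encoded), checked against the published vector from RFC 5155 Appendix A: with salt aabbccdd and 12 iterations, "example" hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom. The point for a defender is visible in the two cover functions: the NSEC checker needs the next name in clear, the NSEC3 checker only ever handles hashes. The hash is unkeyed, so salt and iteration count raise the cost of guessing a name rather than prevent it.

```python
import hashlib

BASE32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 "extended hex" alphabet


def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical order: labels compared right to
    left, case folded; a name sorts before any name it is a parent of."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return tuple(l.encode() for l in reversed(labels))


def name_to_wire(name):
    """Owner name in canonical wire form (the NSEC3 hash input)."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def between(owner, nxt, q):
    """Is q strictly inside the gap owner -> nxt?  The last record of a zone
    points back to the apex, so its gap wraps around the end of the zone."""
    if owner < nxt:
        return owner < q < nxt
    return q > owner or q < nxt


def nsec_covers(owner, next_name, qname):
    """True if the record 'owner NSEC next_name' proves qname is absent."""
    return between(canonical_key(owner), canonical_key(next_name), canonical_key(qname))


def prove_nxdomain(nsec_chain, qname):
    """Return the NSEC record in a zone's chain that covers qname, or None when
    the name exists (or the chain offers no covering record)."""
    for owner, nxt in nsec_chain:
        if canonical_key(owner) == canonical_key(qname):
            return None
        if nsec_covers(owner, nxt, qname):
            return (owner, nxt)
    return None


def base32hex(data):
    """Base32 with the extended-hex alphabet, no padding (RFC 5155 s5)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(BASE32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s5: SHA-1(wire name | salt), then `iterations` more rounds of
    SHA-1(previous | salt); the result is the base32hex owner label."""
    salt = bytes.fromhex(salt_hex)
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h)


def nsec3_covers(owner_hash, next_hash, qname, salt_hex, iterations):
    """True if 'owner_hash NSEC3 ... next_hash' proves qname is absent. The
    checker only ever sees hashes; the next name is not stored in the record."""
    q = nsec3_hash(qname, salt_hex, iterations)
    return between(owner_hash.upper(), next_hash.upper(), q)


# Constructed NSEC chain for a zone "com." holding only apple.com and banana.com
NSEC_CHAIN = [("com.", "apple.com."), ("apple.com.", "banana.com."), ("banana.com.", "com.")]

# NSEC3 parameters of the RFC 5155 Appendix A example zone
RFC5155_SALT, RFC5155_ITER = "aabbccdd", 12

if __name__ == "__main__":
    print(prove_nxdomain(NSEC_CHAIN, "avocado.com."))   # covered by apple -> banana
    print(prove_nxdomain(NSEC_CHAIN, "zebra.com."))     # covered by the wrap-around record
    print(prove_nxdomain(NSEC_CHAIN, "apple.com."))     # None: the name exists
    print(nsec3_hash("example", RFC5155_SALT, RFC5155_ITER))
```

The NSEC chain is the whole zone listing in clear text, which is exactly what makes walking it possible; feeding the same zone to nsec3_hash and publishing only the hashed pairs is what NSEC3 changes, and nsec3_covers shows the proof still works without the resolver learning the neighbouring names.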

4. Why isn't everyone using it?

1. Complexity: If you rotate keys incorrectly, your domain disappears from the internet.
2. Packet Size: DNSSEC packets are huge (>512 bytes). They require EDNS0 and can be used for DDoS Amplification attacks.
3. Cost: It requires more CPU processing for resolvers.

Implementation

Most registrars (Namecheap, GoDaddy, Cloudflare) now make this one-click.
Enable DNSSEC. The registrar generates the keys and uploads the DS record to the TLD operator automatically.