What is DNSSEC?

D3 · Architecture · CompTIA Security+ SY0-701
DNSSEC (Domain Name System Security Extensions) adds cryptographic digital signatures to DNS records, allowing resolvers to verify that DNS responses are authentic and have not been tampered with. This prevents DNS cache poisoning and spoofing.

How it works: DNS zone data is signed with the zone's private key. Resolvers use the corresponding public key, which is published in the DNS itself, to verify each record's signature. If the chain of trust cannot be validated, the resolver rejects the record.

DNSSEC does NOT encrypt DNS queries; it only provides authentication and integrity. DNS over HTTPS (DoH) and DNS over TLS (DoT) provide encryption.
DNSSEC prevents DNS cache poisoning but does not provide confidentiality. DoH (port 443) and DoT (port 853) encrypt DNS queries. Used together, DNSSEC and DoH/DoT provide both integrity and confidentiality for DNS. DNSSEC is the exam answer for preventing DNS spoofing/cache poisoning.