DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that records haven't been tampered with. This prevents DNS cache poisoning and MITM attacks on DNS.
DNSSEC provides integrity, not confidentiality (records are still visible). DNS over HTTPS/TLS provides privacy. Cache poisoning (the Kaminsky attack) exploits unsigned DNS, and DNSSEC prevents this. Many high-value domains still haven't deployed DNSSEC, which leaves a significant security gap.