100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is DNSSEC?

Learn what DNSSEC is, how signature chains verify DNS responses, and why it stops cache poisoning — with interview Q&A.

hardQ206 of 224 in Computer Networks Est. time: 6 minsLast updated:
Open Code Lab

Expected Interview Answer

DNSSEC (Domain Name System Security Extensions) is a set of extensions to DNS that adds cryptographic signatures to DNS records so a resolver can verify a response actually came from the legitimate authoritative source and was not tampered with in transit.

DNSSEC works by having each zone sign its records with a private key, producing RRSIG signature records alongside the normal answers; a validating resolver checks that signature against the zone’s published public key (DNSKEY record). Trust is chained upward through a series of DS (Delegation Signer) records from parent zone to child zone, ultimately anchoring at the root zone’s trusted key, so a resolver can verify authenticity all the way from the root down to the specific domain without trusting any single server blindly. This protects against cache poisoning and man-in-the-middle tampering, because a forged record without a valid matching signature is rejected. Importantly, DNSSEC guarantees authenticity and integrity — it does not encrypt DNS traffic, so responses are still visible to eavesdroppers; that privacy gap is instead addressed separately by DNS over HTTPS or DNS over TLS. Deploying DNSSEC requires signing zones and periodically rotating keys, which adds real operational overhead.

  • Cryptographically verifies DNS responses are authentic and unmodified
  • Builds a chain of trust from the root down to a specific domain
  • Defeats cache poisoning and off-path response forgery
  • Complements (but does not replace) transport encryption like DoH/DoT

AI Mentor Explanation

DNSSEC is like a match official stamping every official scorecard with a tamper-evident seal that traces back to the governing board’s master seal — anyone receiving a scorecard can check the seal chain up to the board and know for certain the numbers were not altered en route. Without the seal, a forged scorecard claiming a different result could be slipped in and no one would notice until it was too late. This is exactly how DNSSEC’s signature chain lets a resolver verify a DNS answer really came from the legitimate source. The seal proves authenticity, but it does not hide the scorecard’s contents from anyone who intercepts it.

Step-by-Step Explanation

  1. Step 1

    Zone signing

    A zone owner signs its records with a private key, producing RRSIG signature records.

  2. Step 2

    Publish public key

    The zone publishes its public key as a DNSKEY record for validators to use.

  3. Step 3

    Chain of trust

    A DS record in the parent zone links to the child zone’s key, chaining trust up to the root.

  4. Step 4

    Validation

    A validating resolver checks each signature against the chain; a mismatch causes the answer to be rejected.

What Interviewer Expects

  • Correctly explains RRSIG, DNSKEY, and DS records and their roles
  • Understands the chain of trust anchors at the root zone
  • Knows DNSSEC provides authenticity/integrity, not confidentiality
  • Can name what attack DNSSEC primarily defends against (cache poisoning/spoofing)

Common Mistakes

  • Believing DNSSEC encrypts DNS queries or responses
  • Confusing DNSSEC with DNS over HTTPS/TLS (transport encryption)
  • Not knowing the chain of trust requires DS records at each delegation point
  • Assuming DNSSEC eliminates the need for TTL-based caching

Best Answer (HR Friendly)

DNSSEC adds digital signatures to DNS answers so your computer can verify the response truly came from the real owner of that domain and was not tampered with along the way. It is like a wax seal on a letter that proves who really sent it — it does not hide the letter’s contents, it just proves it is authentic and unaltered.

Code Example

Checking DNSSEC validation status
# Query with DNSSEC OK flag and show the authenticated data (AD) flag
dig example.com +dnssec

# Look for "flags: ... ad" in the response, which means the resolver validated it

# Retrieve the RRSIG and DNSKEY records directly
dig example.com RRSIG
dig example.com DNSKEY

Follow-up Questions

  • What is the difference between DNSSEC and DNS over HTTPS?
  • How does a DS record link a child zone to its parent in the chain of trust?
  • What happens to a query if DNSSEC validation fails?
  • What operational overhead does DNSSEC add, such as key rollover?

MCQ Practice

1. What does DNSSEC primarily provide?

DNSSEC cryptographically verifies that a response is genuine and unmodified; it does not encrypt traffic.

2. Which record links a child zone’s key to its parent in DNSSEC?

The DS (Delegation Signer) record in the parent zone establishes the chain of trust to the child zone.

3. What attack does DNSSEC primarily protect against?

DNSSEC signatures let resolvers reject forged records, defeating cache poisoning and response tampering.

Flash Cards

What is DNSSEC?Extensions that add cryptographic signatures to DNS records to verify authenticity and integrity.

RRSIG record?The digital signature attached to a signed DNS record.

DS record?Links a child zone’s key to its parent, forming the chain of trust.

Does DNSSEC encrypt DNS?No — it proves authenticity/integrity only; DoH/DoT provide encryption.

1 / 4

Continue Learning