DNSSEC was created to prevent DNS poisoning. Because DNS servers send and receive data over an unencrypted protocol, an attacker who can see the packets as they pass through the network can easily forge packets and send them to the DNS server when a query is made to the authoritative name server.
DNSSEC is designed to provide additional methods of authentication that ensure only authentic records are added to the DNS cache. It adds cryptographic signatures to existing records; the signatures are stored alongside record types like A and AAAA. Validation checks that an attacker did not change the record and that the signature hash matches. This protects the DNS from accepting fraudulent records.
DNSSEC also adds new record types:
DNSKEYS can be further divided into two categories:
Delegation Signer Record
Here is an example of a DS record:
educative.io 350 IN DS 2109 13 2 hqwie2712e871382u0129lk18euy2871ey