**DNSSEC** was produced as a prevention method against [DNS poisoning](https://www.educative.io/answers/what-is-dns-poisoning). Since DNS servers send and receive data using an unencrypted protocol, any hacker can look at the packets as they pass through the network, meaning that they can easily forge packets and send the DNS when a query is made to the authoritative name server.


DNSSEC is designed to ensure security by providing additional authoritative methods to ensure that only authentic records are appended within the DNS cache. DNSSEC adds cryptographic signatures to existing records that are stored alongside record types like A and AAAA. It checks that a hacker did not change the request and that the signature hash matches. This protects the DNS from accepting fraudulent records.



The DNS also adds new record types:

* **DNSKEY**:contains a public signing key
* **DS**:contains the hash of the DNSKEY
* **RRSIG**:contains a cryptographic signature
* **CDNSKEY** and **CDS**: for a child zone requesting to be updated to the DS cords in the parent zone

DNSKEYS can be further divided into two categories:

* **KSK**: used to sign DNSKEY records in the zone
* **ZSK**: used to sign all individual records within the zone

**Delegation Signer Record**

Here is an example of a DS record:
> educative.io 350 IN 2109 13 2 hqwie2712e871382u0129lk18euy2871ey
* educative.io stands for the domain name
* 350 denotes the TTL
* IN stands for Internet
* 2109 is the ID of the Key
* 13 is the algorithm type 
* 2 is the Digest type or hash function used to generate the digest from the public key
* The hash of the public key



What is DNSSEC?

DNSSEC was produced as a prevention method against DNS poisoning. Since DNS servers send and receive data using an unencrypted protocol, any hacker can look at the packets as they pass through the network, meaning that they can easily forge packets and send the DNS when a query is made to the authoritative name server. 