DNSSEC (DNS Security Extensions)

A suite of extensions to DNS that adds cryptographic authentication to DNS responses. DNSSEC uses digital signatures to verify that DNS records have not been tampered with during transit. It protects against cache poisoning and man-in-the-middle attacks. DNSSEC adds RRSIG, DNSKEY, DS, and NSEC record types. Validation failures return SERVFAIL responses. DNSSEC does not encrypt queries — that is addressed by DoH and DoT.