DNSSEC (Domain Name System Security Extensions) is a security protocol that provides authentication for DNS data. It is used to protect the internet's global Domain Name System (DNS) infrastructure from various types of attacks, such as spoofing and cache poisoning.
DNSSEC works by adding cryptographic signatures to DNS records, which allows clients to verify the authenticity of DNS data received from a server. These signatures are created using public key cryptography and are stored in special resource records in the DNS. When a client sends a DNS query to a server, the server can use DNSSEC to return a digital signature along with the DNS response. The client can then use the public key associated with the domain to verify the authenticity of the response. This ensures that the client is receiving genuine DNS data, not fake data injected by an attacker.
DNSSEC also includes mechanisms for detecting tampering with DNS data. If an attacker tries to alter a DNS record or its associated signature, the client will be able to detect the tampering and reject the response.
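To make the signing and tamper detection described above concrete, here is an added example (not Securd's code and not part of the original page) that signs a small constructed A RRset in simplified RFC 4034 canonical form with Ed25519 (DNSSEC algorithm 15) and shows that a copy with one altered address fails validation. The record values, the fixed type A/class IN and the truncated RRSIG header fragment are assumptions for illustration; a real validator also checks the signature window, key tag, signer name and the chain of trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"sort"
	"strings"
)

// RR is a constructed, simplified record: type A and class IN are assumed.
type RR struct{ Owner string; TTL uint32; RData []byte }
// canonicalName lowercases a name and encodes it in wire format (RFC 4034 §6.2).
func canonicalName(name string) []byte {
	out := []byte{}
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}
// signedData is what the RRSIG covers: RRSIG RDATA minus the signature (hdr), then each RR in canonical form and order.
func signedData(hdr []byte, rrs []RR) []byte {
	set := append([]RR(nil), rrs...)
	sort.Slice(set, func(i, j int) bool { return string(set[i].RData) < string(set[j].RData) })
	buf := append([]byte(nil), hdr...)
	for _, rr := range set {
		buf = append(buf, canonicalName(rr.Owner)...)
		buf = append(buf, 0, 1, 0, 1) // type A, class IN
		buf = binary.BigEndian.AppendUint32(buf, rr.TTL)
		buf = binary.BigEndian.AppendUint16(buf, uint16(len(rr.RData)))
		buf = append(buf, rr.RData...)
	}
	return buf
}
// verifyRRset checks an Ed25519 (DNSSEC algorithm 15, RFC 8080) signature over the set.
func verifyRRset(pub ed25519.PublicKey, hdr []byte, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, signedData(hdr, rrs), sig)
}
// demo signs a constructed RRset, then checks that it validates when received reordered and that a tampered copy is rejected.
func demo() (genuineOK, tamperedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed RRSIG RDATA prefix (type A, alg 15, 2 labels, TTL 3600); expiry, inception, key tag, signer omitted.
	hdr := []byte{0, 1, 15, 2, 0, 0, 14, 16}
	rrs := []RR{{"Example.COM.", 3600, []byte{192, 0, 2, 1}}, {"example.com.", 3600, []byte{192, 0, 2, 2}}}
	sig := ed25519.Sign(priv, signedData(hdr, rrs))
	tampered := []RR{rrs[0], {"example.com.", 3600, []byte{198, 51, 100, 9}}}
	return verifyRRset(pub, hdr, []RR{rrs[1], rrs[0]}, sig), !verifyRRset(pub, hdr, tampered, sig)
}

func main() { ok, rej := demo(); println("genuine validates:", ok, "tampered rejected:", rej) }
```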
DNSSEC is a configurable option in any DNS security policy. Securd supports DNSSEC by validating the responses to queries that Securd resolvers send to upstream authoritative servers.