RFC 3833 documents some of the known threats to the DNS and how DNSSEC responds to those threats. DNSSEC was designed to protect applications (and caching resolvers serving those applications) from using forged or manipulated DNS data, such as that created by DNS cache poisoning.
unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server.
While protecting IP addresses is the immediate concern for many users, DNSSEC can protect any data published in the DNS, including text records (TXT) and mail exchange records (MX), and it can be used to bootstrap other security systems that publish references to cryptographic certificates stored in the DNS, such as Certificate Records (CERT records, RFC 4398), SSH fingerprints (SSHFP, RFC 4255), IPsec public keys (IPSECKEY, RFC 4025), and TLS Trust Anchors (TLSA, RFC 6698).
DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted.
DNSSEC does not protect against DoS attacks directly, though it indirectly provides some benefit (because signature checking allows the use of potentially untrustworthy parties; this is true only if the DNS server is using a self-signed certificate, not recommended for Internet-facing DNS servers).
The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks.
It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
The original design of the Domain Name System (DNS) did not include security; instead, it was designed to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempts to add security, while maintaining backward compatibility. Other standards (not DNSSEC) are used to secure bulk data (such as a DNS zone transfer) sent between DNS servers.
As documented in IETF RFC 4367, some users and developers make false assumptions about DNS names, such as assuming that a company's common name plus ".com" is always its domain name. DNSSEC cannot protect against false assumptions; it can only authenticate that the data is truly from or not available from the domain owner.
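The signature check referred to above (a resolver confirming that an RRset is identical to what the zone owner published) and the origin authentication and data integrity this section attributes to DNSSEC, as an added Go example that is not part of the original page: it builds the RFC 4034 canonical signing input for an A RRset, signs it with an Ed25519 key (DNSSEC algorithm 15, RFC 8080), and then validates both the genuine RRset and a copy in which one address has been replaced. The owner and signer names, addresses, timestamps and key pair are constructed for the example; a real validator would additionally check the RRSIG inception and expiration against the current time and chain the DNSKEY to a trust anchor through DS records.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
	"sort"
	"strings"
)

// wireName: canonical wire form of a name (RFC 4034 s6.2): lowercase, length-prefixed labels, zero terminator.
func wireName(name string) []byte {
	var b []byte
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			b = append(b, byte(len(label)))
			b = append(b, label...)
		}
	}
	return append(b, 0)
}

// rrsigFields holds the RRSIG RDATA fields that precede the signature (RFC 4034 s3.1).
type rrsigFields struct {
	TypeCovered, KeyTag            uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32 // times are seconds since the Unix epoch
	SignerName                     string
}

// wire serialises the fields in network byte order, signer name in canonical form.
func (f rrsigFields) wire() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, f.TypeCovered)
	b.Write([]byte{f.Algorithm, f.Labels})
	binary.Write(&b, binary.BigEndian, []uint32{f.OrigTTL, f.Expiration, f.Inception})
	binary.Write(&b, binary.BigEndian, f.KeyTag)
	b.Write(wireName(f.SignerName))
	return b.Bytes()
}

// keyTag computes the RFC 4034 Appendix B key tag over DNSKEY RDATA (every algorithm except 1).
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, v := range rdata {
		ac += uint32(v) << (8 * uint(1-i%2)) // even offsets are the high byte of a 16-bit word
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac)
}

// signedData builds the byte string RFC 4034 s3.1.8.1 signs: RRSIG_RDATA, then each RR as
// owner | type | class IN | original TTL | RDLENGTH | RDATA, in canonical (RDATA) order.
func signedData(f rrsigFields, owner string, rtype uint16, rdatas [][]byte) []byte {
	sorted := append([][]byte(nil), rdatas...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i], sorted[j]) < 0 })
	buf := bytes.NewBuffer(f.wire())
	for _, rd := range sorted {
		buf.Write(wireName(owner))
		binary.Write(buf, binary.BigEndian, []uint16{rtype, 1})
		binary.Write(buf, binary.BigEndian, f.OrigTTL)
		binary.Write(buf, binary.BigEndian, uint16(len(rd)))
		buf.Write(rd)
	}
	return buf.Bytes()
}

// verifyRRset is the resolver side: rebuild the signed data from the received RRset, check the RRSIG.
func verifyRRset(pub ed25519.PublicKey, f rrsigFields, owner string, rtype uint16, rdatas [][]byte, sig []byte) bool {
	return ed25519.Verify(pub, signedData(f, owner, rtype, rdatas), sig)
}

func a(ip string) []byte { return net.ParseIP(ip).To4() } // A RDATA for a dotted IPv4 address

// Demo signs a constructed A RRset for www.example.com. and reports whether the genuine
// RRset validates and whether a copy with one address replaced still does.
func Demo() (genuineOK, tamperedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// DNSKEY RDATA: flags 256 (ZONE), protocol 3, algorithm 15 (Ed25519, RFC 8080), public key.
	dnskey := append([]byte{0x01, 0x00, 3, 15}, pub...)
	f := rrsigFields{TypeCovered: 1, Algorithm: 15, Labels: 3, OrigTTL: 3600,
		Expiration: 1700604800, Inception: 1700000000, // constructed validity window
		KeyTag: keyTag(dnskey), SignerName: "example.com."}
	genuine := [][]byte{a("192.0.2.1"), a("192.0.2.2")} // constructed TEST-NET-1 addresses
	sig := ed25519.Sign(priv, signedData(f, "www.example.com.", 1, genuine))
	tampered := [][]byte{a("192.0.2.1"), a("203.0.113.5")} // one record altered in transit
	return verifyRRset(pub, f, "www.example.com.", 1, genuine, sig),
		verifyRRset(pub, f, "www.example.com.", 1, tampered, sig)
}

func main() {
	ok, tampered := Demo()
	fmt.Printf("genuine RRset validates: %v, tampered RRset validates: %v\n", ok, tampered)
}
```

The second result is false because the resolver rebuilds the signed bytes from the records it actually received, so any change to the RDATA, owner name or type alters the input to the signature check. The TTL, by contrast, is taken from the RRSIG's Original TTL field rather than from the received record, which is what lets caches count it down without invalidating the signature.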