DNSSEC
An authoritative server returns an answer, a recursive resolver caches it and hands it to the client, and at no point can classic DNS prove that the answer matches the zone's real data. An attacker who spoofs a response before the genuine one arrives, a recursive resolver whose cache has been poisoned, and an upstream response altered in transit all look the same from the client's side: a syntactically correct DNS response carrying the wrong answer.
DNSSEC exists to handle that class of problem. The question is no longer only “does this look like a DNS response?” but also “was this signed by the owner of this namespace?” The zone owner signs each record set (the signature is an RRSIG record) and publishes the public key in the zone as a DNSKEY record; the parent zone publishes a hash of that key as a DS record, so a validating resolver can follow a chain of signatures from a trusted root key down to the answer. DNSSEC does not encrypt queries or responses, and it does not hide which name the user asked for. It adds source authentication and integrity verification to DNS data. Note that the validation normally happens in the recursive resolver, not on the client: a stub resolver that trusts the AD (authenticated data) bit in the response still has to trust the path to that resolver.
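To make the mechanism concrete, the following is an added example written for this page, not code from any DNS implementation. It builds the signing input the way RFC 4034 section 3.1.8.1 describes (RRSIG RDATA without the signature, followed by the RRset in canonical form), signs it with Ed25519 (DNSSEC algorithm 15, RFC 8080), verifies it as a validating resolver would, and computes the SHA-256 DS digest the parent zone would publish for the key. The zone name `example.test`, the fixed key seed, the records and the timestamps are constructed for the demonstration; wire-format details such as name compression and wildcard handling are omitted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RR is a reduced resource record: owner name, type, class, TTL, RDATA.
type RR struct {
	Name  string
	Type  uint16 // 1 = A
	Class uint16 // 1 = IN
	TTL   uint32
	RData []byte
}

// RRSIG carries the RRSIG RDATA fields from RFC 4034 section 3.1.
type RRSIG struct {
	TypeCovered uint16
	Algorithm   uint8 // 15 = Ed25519 (RFC 8080)
	Labels      uint8
	OrigTTL     uint32
	Expiration  uint32 // seconds since the epoch
	Inception   uint32
	KeyTag      uint16
	SignerName  string
	Signature   []byte
}

// wireName encodes a name in canonical wire form: lowercase, length-prefixed labels, root label.
func wireName(name string) []byte {
	var b bytes.Buffer
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name != "" {
		for _, l := range strings.Split(name, ".") {
			b.WriteByte(byte(len(l)))
			b.WriteString(l)
		}
	}
	b.WriteByte(0)
	return b.Bytes()
}

// signingInput is RRSIG RDATA minus the Signature field, then every RR in canonical form
// (owner, type, class, original TTL, RDLENGTH, RDATA) sorted by RDATA, as RFC 4034 specifies.
func signingInput(s RRSIG, rrset []RR) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, s.TypeCovered)
	b.Write([]byte{s.Algorithm, s.Labels})
	binary.Write(&b, binary.BigEndian, []uint32{s.OrigTTL, s.Expiration, s.Inception})
	binary.Write(&b, binary.BigEndian, s.KeyTag)
	b.Write(wireName(s.SignerName))
	sorted := append([]RR(nil), rrset...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i].RData, sorted[j].RData) < 0 })
	for _, rr := range sorted {
		b.Write(wireName(rr.Name))
		binary.Write(&b, binary.BigEndian, []uint16{rr.Type, rr.Class})
		binary.Write(&b, binary.BigEndian, s.OrigTTL) // canonical form uses the RRSIG's original TTL
		binary.Write(&b, binary.BigEndian, uint16(len(rr.RData)))
		b.Write(rr.RData)
	}
	return b.Bytes()
}

// dnskeyRdata is flags | protocol (always 3) | algorithm | public key.
func dnskeyRdata(flags uint16, alg uint8, pub []byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, flags)
	b.Write([]byte{3, alg})
	b.Write(pub)
	return b.Bytes()
}

// keyTag is the RFC 4034 Appendix B checksum over DNSKEY RDATA; RRSIGs carry it to select a key.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, v := range rdata {
		if i&1 == 0 {
			ac += uint32(v) << 8
		} else {
			ac += uint32(v)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// dsDigest is SHA-256(owner name in wire form | DNSKEY RDATA): what the parent zone publishes in DS.
func dsDigest(owner string, rdata []byte) string {
	h := sha256.Sum256(append(wireName(owner), rdata...))
	return hex.EncodeToString(h[:])
}

func signRRset(priv ed25519.PrivateKey, s RRSIG, rrset []RR) RRSIG {
	s.Signature = ed25519.Sign(priv, signingInput(s, rrset))
	return s
}

// verifyRRset is the resolver side once pub is trusted: validity window, TypeCovered, signature.
func verifyRRset(pub ed25519.PublicKey, s RRSIG, rrset []RR, now uint32) bool {
	if now < s.Inception || now > s.Expiration {
		return false
	}
	for _, rr := range rrset {
		if rr.Type != s.TypeCovered {
			return false
		}
	}
	return ed25519.Verify(pub, signingInput(s, rrset), s.Signature)
}

// Demo signs a constructed A RRset for example.test and returns
// (genuine RRset valid, tampered RRset accepted, expired signature accepted, DS digest hex).
func Demo() (bool, bool, bool, string) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed fixed seed, never do this for real keys
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	zone := "example.test."
	keyRdata := dnskeyRdata(257, 15, pub) // 257 = zone key with SEP flag, as on a KSK
	rrset := []RR{
		{Name: "www.example.test.", Type: 1, Class: 1, TTL: 300, RData: []byte{192, 0, 2, 10}},
		{Name: "www.example.test.", Type: 1, Class: 1, TTL: 300, RData: []byte{192, 0, 2, 11}},
	}
	sig := signRRset(priv, RRSIG{TypeCovered: 1, Algorithm: 15, Labels: 3, OrigTTL: 300,
		Inception: 1700000000, Expiration: 1700000000 + 14*86400, KeyTag: keyTag(keyRdata), SignerName: zone}, rrset)
	now := uint32(1700000000 + 86400)
	// A resolver may receive the records in any order; canonical sorting makes that irrelevant.
	valid := verifyRRset(pub, sig, []RR{rrset[1], rrset[0]}, now)
	// A poisoned answer swaps one address for an attacker-controlled one.
	tampered := []RR{rrset[0], {Name: rrset[1].Name, Type: 1, Class: 1, TTL: 300, RData: []byte{198, 51, 100, 1}}}
	tamperedAccepted := verifyRRset(pub, sig, tampered, now)
	expiredAccepted := verifyRRset(pub, sig, rrset, sig.Expiration+1)
	return valid, tamperedAccepted, expiredAccepted, dsDigest(zone, keyRdata)
}

func main() {
	v, t, e, ds := Demo()
	fmt.Printf("genuine RRset valid: %v\ntampered RRset accepted: %v\nexpired signature accepted: %v\nDS digest for parent: %s\n", v, t, e, ds)
}
```

The point of the DS digest at the end is the chain of trust: a resolver does not trust `pub` because it appears in the answer, it trusts it because the hash of the DNSKEY matches a DS record in the parent, which is in turn signed by the parent's key, up to a root key configured as a trust anchor. Any change to the RDATA, or to the key, breaks that chain at the point where it was changed.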