DNS and DNSSEC serve related but distinct purposes. DNS translates domain names to IP addresses; DNSSEC adds a layer of authentication to verify those translations are legitimate.
Quick Comparison
| Aspect | DNS | DNSSEC |
|---|---|---|
| Primary Function | Name resolution | Response authentication |
| Security | None built-in | Cryptographic signatures |
| Data Integrity | Not verified | Verified via signatures |
| Origin Authentication | Not provided | Chain of trust to root |
| Encryption | No | No (use DoH/DoT) |
| Response Size | Smaller | Larger (includes signatures) |
| Complexity | Simple | Requires key management |
How DNS Works (Without DNSSEC)
Standard DNS operates on a simple query-response model:
- Your device queries a recursive resolver for a domain name
- The resolver queries authoritative nameservers
- The authoritative server returns the IP address
- The resolver caches and returns the response
The problem: none of these responses are authenticated. Your device trusts whatever answer arrives first, with no way to verify it came from the legitimate source.
What DNSSEC Adds
DNSSEC extends the DNS protocol with:
- Digital Signatures: Every DNS record is signed with a cryptographic key
- Public Keys: Published in DNS so resolvers can verify signatures
- Chain of Trust: Parent zones vouch for child zones, traceable to the root
- Authenticated Denial: Proof that a name does not exist
What Stays the Same
DNSSEC doesn't change fundamental DNS operations:
- Same port (UDP/TCP 53)
- Same query/response structure
- Same record types (A, AAAA, MX, etc.)
- Same caching behavior
- Same resolver hierarchy
Security Comparison
Attacks DNS is Vulnerable To
- Cache Poisoning: Injecting false records into resolver cache
- Man-in-the-Middle: Intercepting and modifying DNS responses
- DNS Spoofing: Sending forged responses before legitimate ones
How DNSSEC Prevents These
- Signatures let a validating resolver detect any modification to signed DNS data
- The chain of trust verifies that the data originated from the zone's legitimate key holder
- Forged or altered responses fail validation and are rejected by a validating resolver
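As an added example (not code from the original page), the DS-to-DNSKEY link of the chain of trust described above and under "What DNSSEC Adds", in Python: a parent zone publishes a DS record that is a hash of the child's key-signing DNSKEY, and a validating resolver accepts the child's keys only if one of them hashes to a DS the parent vouches for. The zone names, key bytes and helper names are constructed for illustration, and RRSIG signature verification is left out.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, length-prefixed, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5, algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS record the parent publishes: digest over owner-name wire form + DNSKEY RDATA.
    digest_type 2 = SHA-256 (the common choice today), 1 = SHA-1."""
    hasher = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    digest = hasher(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)  # (key tag, algorithm, digest type, digest)

def parent_vouches(ds_set, owner, dnskey_set):
    """True if some DS held by the parent matches some DNSKEY the child actually serves."""
    for ds in ds_set:
        for rdata in dnskey_set:
            if make_ds(owner, rdata, ds[2]) == ds:
                return True
    return False

def validate_chain(anchor_ds, zones):
    """zones: ordered list of (owner, dnskey_set, ds_set_published_for_child), root first.
    anchor_ds is the resolver's configured trust anchor and must cover zones[0]."""
    current_ds = anchor_ds
    for owner, dnskeys, child_ds in zones:
        if not parent_vouches(current_ds, owner, dnskeys):
            return False  # broken link: a validating resolver treats this zone as bogus
        current_ds = child_ds
    return True

# Constructed sample keys (not real ECDSA keys): flags 257 = key-signing key, protocol 3, algorithm 13.
ROOT_KSK = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")
EXAMPLE_KSK = dnskey_rdata(257, 3, 13, b"\xaa\xbb\xcc\xdd")
ROOT_ANCHOR = {make_ds(".", ROOT_KSK)}                 # shipped with the resolver
ROOT_DS_FOR_EXAMPLE = {make_ds("example.", EXAMPLE_KSK)}  # served by the root for its child
CHAIN = [(".", {ROOT_KSK}, ROOT_DS_FOR_EXAMPLE), ("example.", {EXAMPLE_KSK}, set())]
```

Swapping a different key into the `example.` zone without updating the DS in the parent makes `validate_chain` return False, which is exactly why a key rollover must publish the new DS before the old key is retired.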
Performance Considerations
DNSSEC has measurable but generally acceptable performance impacts:
- Response Size: DNSSEC responses are 2-10x larger due to signature data
- Latency: Validation adds processing time at the resolver
- UDP Fragmentation: Large responses may require TCP fallback
- Caching: Signatures carry expiration times that also bound how long cached records stay valid
Modern resolvers handle these efficiently. For end users, the difference is typically imperceptible.
When to Use DNSSEC
DNSSEC is recommended for:
- All domains with valuable brand reputation
- E-commerce and financial services
- Government and healthcare organizations
- Any domain where misdirection could cause harm