Domain Name System Security Extensions, or DNSSEC, are a set of protocols that add a layer of security to Domain Name System (DNS) search and exchange processes that have become essential for accessing websites over the Internet. While it cannot protect how data is distributed or who can access it, the extensions can authenticate the origin of data sent from a DNS server, verify the integrity of the data, and authenticate non-existent DNS data.
The original purpose was to protect InternetClients from spoofed DNS data by verifying digital signatures embedded in the data. If the digital signatures in the data match those stored on the DNS master servers, the data can be forwarded to the Clientcomputer making the request.
DNSSEC uses a system of public keys and digital signatures to verify data. These public keys can also be used by security systems that encrypt data as it is sent over the Internet and then decrypt it when it is received by the intended recipient.
What can DNSSEC not do?
It cannot protect the privacy or confidentiality of data because it does not contain any encryption algorithms. It only contains the keys needed to authenticate DNS data.