DNSSEC is a set of security extensions to DNS that gives DNS servers the ability to verify that the records they receive are authentic. DNSSEC uses a public/private key cryptographic system similar to the one behind HTTPS, except that DNSSEC only uses the keys to sign records, not to encrypt them. The authoritative DNS records are signed with a private key that is kept secret. The signature is published as a special type of DNS record (RRSIG), as is the public key (DNSKEY). Servers that request a set of DNS records (an RRset) also receive the signature and the public key, and can check that the records were signed with the matching private key. If the records carry a valid signature from the right key, that is strong evidence that they are genuine.

Because the private key is kept secret, criminals are unlikely to have access to it. If fake records are injected into a DNS server, they won't carry the right signature, and the server that sent the request will know the records are bad. Additionally, DNS servers higher up the hierarchy are able to validate the records of the server immediately below them. For example, the root zone validates .ca, which validates webnames, which validates blog, forming a chain of trust. In reality, DNSSEC is more complex than the sketch I have outlined here, but you should now have a good understanding of what DNSSEC is and why it is an important contributor to the security of your business and your customers.
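The two mechanisms just described, signing an RRset and checking it against the published key, and a parent zone vouching for its child so that a resolver can walk root → .ca → webnames → blog, are shown below as an added worked example. This is not Webnames' code and not the DNSSEC wire format: the keys are toy RSA pairs built from known Mersenne primes (insecure, for illustration only), DNSKEY and DS records are encoded as plain text, there are no key tags, validity windows or NSEC records, and the zones and the 192.0.2.x / 203.0.113.x addresses are constructed documentation values.

```python
"""Toy model of DNSSEC signing, validation and the chain of trust (added example)."""
import hashlib

E = 65537  # public exponent shared by every demonstration key


def toy_keypair(k1, k2):
    """(public, private) pair from Mersenne primes 2^k1-1 and 2^k2-1. Toy only: insecure."""
    p, q = (1 << k1) - 1, (1 << k2) - 1
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def canonical_rrset(records):
    """Canonical bytes of an RRset: lowercase owner names and sorted records,
    so the signer and the validating resolver hash exactly the same input."""
    rows = sorted((name.lower(), rtype.upper(), rdata) for name, rtype, rdata in records)
    return "\n".join(" ".join(row) for row in rows).encode()


def rrset_digest(records):
    """SHA-224 of the canonical RRset as an integer (224 bits: below every toy modulus here)."""
    return int.from_bytes(hashlib.sha224(canonical_rrset(records)).digest(), "big")


def sign_rrset(records, private_key):
    """Produce the RRSIG: the digest raised to the private exponent (kept secret by the zone)."""
    n, d = private_key
    return pow(rrset_digest(records), d, n)


def verify_rrset(records, rrsig, dnskey):
    """The resolver's check: undo the signature with the public DNSKEY and compare digests."""
    n, e = dnskey
    return pow(rrsig, e, n) == rrset_digest(records)


def ds_rdata(dnskey_rdata):
    """DS record a parent publishes for its child: a hash of the child's DNSKEY rdata."""
    return hashlib.sha224(dnskey_rdata.encode()).hexdigest()


def build_zone(name, k1, k2, records):
    """Sign every RRset in a zone, including its own DNSKEY, with the zone's private key."""
    dnskey, private = toy_keypair(k1, k2)
    records = records + [(name, "DNSKEY", f"{dnskey[0]}:{dnskey[1]}")]
    grouped = {}
    for owner, rtype, rdata in records:
        grouped.setdefault((owner.lower(), rtype), []).append((owner, rtype, rdata))
    return {"name": name, "rrsets": {k: (v, sign_rrset(v, private)) for k, v in grouped.items()}}


def dnskey_rdata(zone):
    """The DNSKEY rdata string the zone publishes (first record of its DNSKEY RRset)."""
    return zone["rrsets"][(zone["name"], "DNSKEY")][0][0][2]


def validate_chain(zones, trust_anchor_ds):
    """Walk root -> TLD -> ... -> leaf like a validating resolver. Each zone's DNSKEY must
    hash to the DS vouched for by the trust anchor or parent, every RRSIG must verify under
    that key, and each zone must publish a DS for the next one down. Any broken link fails."""
    expected_ds = trust_anchor_ds
    for i, zone in enumerate(zones):
        key_rdata = dnskey_rdata(zone)
        if ds_rdata(key_rdata) != expected_ds:
            return False  # key is not the one the parent vouches for
        n, e = (int(x) for x in key_rdata.split(":"))
        for records, rrsig in zone["rrsets"].values():
            if not verify_rrset(records, rrsig, (n, e)):
                return False  # tampered or unsigned data
        if i + 1 < len(zones):
            ds = zone["rrsets"].get((zones[i + 1]["name"], "DS"))
            if ds is None:
                return False  # chain of trust ends before the leaf
            expected_ds = ds[0][0][2]
    return True


def demo():
    """Constructed zones root -> ca. -> webnames.ca., with blog.webnames.ca. as the leaf record."""
    webnames = build_zone("webnames.ca.", 107, 2203, [("blog.webnames.ca.", "A", "192.0.2.10")])
    ca = build_zone("ca.", 127, 1279, [("webnames.ca.", "DS", ds_rdata(dnskey_rdata(webnames)))])
    root = build_zone(".", 521, 607, [("ca.", "DS", ds_rdata(dnskey_rdata(ca)))])
    anchor = ds_rdata(dnskey_rdata(root))  # what a resolver has configured as its trust anchor
    results = {"valid": validate_chain([root, ca, webnames], anchor)}

    # Spoofed answer: the original RRSIG reused, but the A record now points elsewhere.
    spoofed = {"name": webnames["name"], "rrsets": dict(webnames["rrsets"])}
    _, rrsig = webnames["rrsets"][("blog.webnames.ca.", "A")]
    spoofed["rrsets"][("blog.webnames.ca.", "A")] = ([("blog.webnames.ca.", "A", "203.0.113.66")], rrsig)
    results["spoofed_record"] = validate_chain([root, ca, spoofed], anchor)

    # Attacker-signed zone: internally consistent signatures, but no DS in .ca matches its key.
    rogue = build_zone("webnames.ca.", 89, 2281, [("blog.webnames.ca.", "A", "203.0.113.66")])
    results["rogue_key"] = validate_chain([root, ca, rogue], anchor)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `valid` as True and both `spoofed_record` and `rogue_key` as False: a changed record no longer matches its RRSIG, and a key the parent never vouched for fails at the DS step before any of its signatures are even considered.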

Given the security a validated IP address provides, one might ask why more businesses aren't using DNSSEC. Unfortunately, awareness of DNSSEC and of DNS in general is still lacking. While some government agencies and financial institutions now require DNSSEC to be implemented on their domain names, the MUSH sector (municipalities, universities, schools, hospitals), ISPs, and ecommerce retailers still lag behind. We take the extra step and have adopted this important aspect of security for all our clients.

You can verify that it is enabled for your site with the DNSSEC Verification tool.