BIND updating root hint data file
The original design of the Domain Name System (DNS) did not include any security details; instead, it was designed to be a scalable distributed system.
The Domain Name System Security Extensions (DNSSEC) attempt to add security while maintaining backward compatibility.
RFC 3833 documents some of the known threats to the DNS and how DNSSEC responds to those threats.
DNSSEC was designed to protect applications (and caching resolvers serving those applications) from using forged or manipulated DNS data, such as that created by DNS cache poisoning.
The DNS associates various information with domain names assigned to each of the participating entities.
unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server.
While protecting IP addresses is the immediate concern for many users, DNSSEC can protect any data published in the DNS, including text records (TXT) and mail exchange records (MX). It can also be used to bootstrap other security systems that publish references to cryptographic certificates stored in the DNS, such as Certificate Records (CERT records, RFC 4398), SSH fingerprints (SSHFP, RFC 4255), IPsec public keys (IPSECKEY, RFC 4025), and TLS Trust Anchors (TLSA, RFC 6698).
Most prominently, the DNS translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols.
By providing a worldwide, distributed directory service, the Domain Name System is an essential component of the functionality of the Internet, and it has been in use since 1985.