DNSSEC helps protect against which threats?

DNSSEC focuses on the integrity and origin of DNS data. It signs DNS records with digital signatures and creates a chain of trust from the root down to individual zones. When a resolver validates a signed response, it checks the signature using the zone’s public key. If the data has been altered in transit or returned by a spoofed source, the signature won’t match and the resolver will reject the response. This directly guards against DNS poisoning and spoofing, where attackers inject false records or redirect users to malicious sites. Other threats listed, like DoS on web servers or malware distribution via email, target availability or different attack vectors and aren’t addressed by DNSSEC. Physical tampering isn’t about DNS data integrity, and DNSSEC doesn’t encrypt DNS traffic (confidentiality isn’t its goal). For DNSSEC to work, the domain and the validating resolvers must be properly configured and signed, so trusted DNS responses are reliably obtained.