I should write a blog post on this. It's got everything. [[digital signature]], [[asymmetric|asymmetric encryption]], [[data integrity]]...
Alright, let's go gang. How do we secure the [[DNS]]?
With [[digital signature|digital signatures]]! Specifically, we ask each name server to sign the response. How can we trust the signature? We can check the [[public-key certificate]], which should be signed by the next name server up in the hierarchy. Yep, it's more [[public key infrastructure|PKI]].
This approach adds a number of new [[DNS#Resource records|resource record]] types, including:
- RRSIG, which contains the [[digital signature]] computed over a set of resource records. It may also contain a timestamp to limit the potential of [[replay attacks]]
- DNSKEY, which contains the [[public key]]
- DS, the Delegation Signer, which contains a cryptographic hash of the DNSKEY record
When DNSSEC is implemented, each answer to a [[DNS]] query contains an RRSIG in addition to the requested record type.
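As an added example (not part of the original note), here is how the DS record's hash ties to the DNSKEY record: the DS digest is computed over the canonical wire form of the owner name followed by the DNSKEY RDATA (flags, protocol, algorithm, public key), and the DS also carries the key tag that identifies which DNSKEY it refers to. The owner name `a.b.uk`, the key bytes and the DS values below are constructed for illustration, not taken from a real zone.

```python
import hashlib

# DS digest type numbers and the hash they name (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire: 2-byte flags, protocol (always 3), algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit ones-complement-style sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name wire form || DNSKEY RDATA), returned as uppercase hex."""
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(owner_name_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_matches(owner: str, rdata: bytes, ds_tag: int, ds_alg: int, ds_type: int, ds_hex: str) -> bool:
    """Check a DS record (as published in the parent zone) against a child DNSKEY.

    All three linkage fields must agree: key tag, algorithm byte, and digest.
    """
    algorithm = rdata[3]
    if algorithm != ds_alg or key_tag(rdata) != ds_tag:
        return False
    if ds_type not in DIGEST_TYPES:
        return False  # unknown digest type: cannot validate, treat as no match
    return ds_digest(owner, rdata, ds_type) == ds_hex.upper()


if __name__ == "__main__":
    # Constructed example: a KSK (flags 257) using algorithm 13 (ECDSAP256SHA256)
    # with a dummy 4-byte "public key". Real keys are 64 bytes for this algorithm.
    rdata = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")
    tag = key_tag(rdata)
    digest = ds_digest("a.b.uk", rdata)
    print(f"a.b.uk. IN DS {tag} 13 2 {digest}")
    print("matches:", ds_matches("a.b.uk", rdata, tag, 13, 2, digest))
```

The parent zone (`b.uk` here) publishes exactly that DS line; a validating resolver recomputes the digest from the child's DNSKEY and refuses the chain if any of the tag, algorithm or digest differ, which is why a key rollover has to update the DS in the parent before the old key is retired.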
Given that the key has to be signed by the next key up in the hierarchy, you can't deploy DNSSEC for `a.b.uk` until both `.uk` and `.b.uk` have been signed. This gives people plenty of excuses not to bother, because "nobody's signed the root domain" (until they did). To see if DNSSEC has been set up, you can run
```shell
# RRSIG is the record type that holds the signatures ("DNSSEC" is not a record type)
dig RRSIG a.b.uk +short
```
and see what gets returned. If the answer is 'nothing', then it is not signed.