DNSSEC (1/2)
RFC4033-4035

Purpose: ensure the validity of DNS transactions
  - defend against spoofed responses or cache contamination
  - also ensure the validity of negative responses (defend against DoS by spoofed "NXDOMAIN")

Method: public-key based digital signature
  - maintain a per-zone key
  - zone's public key: DNSKEY RR
  - sign each RR of the zone using the zone's secret key -> RRSIG RR
  - DS: Delegation Signer
      a hash of a child's DNSKEY RR
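
Added example (not part of the original slides): how a DS record is derived from a child's DNSKEY, and how a validator checks that a DNSKEY received from the child matches the DS held by the parent. The digest covers the owner name in canonical wire form followed by the DNSKEY RDATA. Assumptions: digest type 2 (SHA-256), hypothetical function names, and a constructed placeholder key for example.com.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase labels, each length-prefixed, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (16 bits), protocol (8), algorithm (8), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit checksum over the DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes):
    """DS fields published in the parent zone: (key tag, algorithm, digest type, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)  # digest type 2 = SHA-256

def ds_matches(owner: str, rdata: bytes, ds) -> bool:
    """Validator-side check: does the child's DNSKEY hash to the parent's DS?"""
    tag, alg, dtype, digest = ds
    if dtype != 2 or tag != key_tag(rdata) or alg != rdata[3]:
        return False
    expected = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return hmac.compare_digest(expected, digest.lower())

# Constructed sample: flags 257 (zone key with SEP bit), protocol 3,
# algorithm 15 (Ed25519), and a placeholder 32-byte value that is not a real key.
SAMPLE_RDATA = dnskey_rdata(257, 3, 15, bytes(range(32)))

if __name__ == "__main__":
    ds = make_ds("example.com.", SAMPLE_RDATA)
    print("example.com. IN DS %d %d %d %s" % ds)
    print("matches:", ds_matches("EXAMPLE.com", SAMPLE_RDATA, ds))
```

A DNSKEY with even one changed byte, or the same key presented under a different owner name, fails the check, which is what lets the parent's signed DS pin the child's key.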