DNSSEC does not provide DNS encryption, despite what its name suggests. It uses key pairs and digital signatures (RRSIG records) to let a resolver cryptographically verify that the DNS records it received have not been tampered with and were published by the zone's legitimate key holder. The DNS records themselves remain fully readable; the only private-key operation is the one that produces the accompanying signature, and the records are never transformed. DNSSEC therefore provides data integrity and origin authentication (using algorithms like RSA with SHA-256), not confidentiality. Since DNS data is designed to be publicly accessible, hiding the records is not the goal.
