DNSSEC solves several problems, including:
- Cache Poisoning - often loosely called a “man in the middle” attack, although the attacker does not need to sit on the path. A recursive resolver accepts the first response that matches the transaction ID, destination port and question of its outstanding query. An attacker who can predict when a query goes out floods the resolver with forged responses carrying guessed transaction IDs; with only 16 bits of ID and a predictable source port, enough guesses will eventually match one, and the bogus record lands in the resolver’s cache. The resolver then hands that record to every client asking for the name until its TTL expires, sending users to an attacker-controlled site or to an “evil twin” that looks like the legitimate website and is built to steal credentials or money. DNSSEC counters this because a validating resolver checks the RRSIG over each answer against the zone’s DNSKEY, chained by DS records up to the root trust anchor; a forged answer carries no valid signature and is discarded rather than cached. Note that DNSSEC authenticates DNS data but does not encrypt it, and it protects the last mile between client and resolver only if the client validates itself or reaches a validating resolver over an authenticated channel.
- False answers for names that do not exist – without DNSSEC, an attacker can forge a positive answer for a name that does not exist in a zone, or forge an NXDOMAIN for a name that does. Signing only the records that exist would leave these gaps between names unprotected, so DNSSEC adds NSEC (or NSEC3) records to a signed zone: each one names the next owner name in canonical order and lists the record types present at its own owner, and the chain wraps back to the zone apex. A validating resolver can therefore verify a signed NSEC record that covers the queried name (proving the name does not exist) or one for the name itself that omits the queried type (proving the name has no such record). This is known as authenticated denial of existence. NSEC3 hashes the owner names so that the chain cannot simply be walked to enumerate the zone’s contents.
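As an added example, not code from the original page: the denial-of-existence check a validating resolver performs once the NSEC records’ signatures have verified, run over a constructed zone `example.`, together with a closed-form model of the forged-response race described in the cache poisoning bullet. The zone contents, the record-type sets and the function names are assumptions for illustration; signature verification, delegation points and the wildcard (closest encloser) proof that a complete NXDOMAIN validation also requires are out of scope here.

```python
# Constructed sample zone "example." as its NSEC chain would appear after RRSIG
# validation. Each entry: (owner, next owner in canonical order, types at owner).
# The chain wraps: the last NSEC points back to the apex.
SAMPLE_NSEC_CHAIN = [
    ("example.", "alpha.example.", {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    ("alpha.example.", "delta.example.", {"A", "RRSIG", "NSEC"}),
    ("delta.example.", "mail.example.", {"A", "RRSIG", "NSEC"}),
    ("mail.example.", "example.", {"A", "MX", "RRSIG", "NSEC"}),
]


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering: names are compared
    label by label from the root downward, ASCII uppercase is folded to
    lowercase, labels compare as octet strings, and a name sorts before its
    own subdomains (a shorter tuple that is a prefix of a longer one is less)."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return tuple(label.lower().encode() for label in reversed(labels))


def nsec_covers(owner, nxt, qname):
    """True if qname falls strictly between owner and next in canonical order.
    When next does not sort after owner, this is the last NSEC in the chain
    (next is the zone apex) and it covers everything after owner."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if n <= o:                      # wrap-around record at the end of the chain
        return q > o or q < n
    return o < q < n


def nsec_proves(qname, qtype, chain):
    """Return 'NXDOMAIN' if the chain proves qname does not exist, 'NODATA' if
    qname exists but has no qtype record, or None if nothing is denied.
    Simplified (assumption): delegation points and the wildcard proof are not
    handled; a real validator also checks the RRSIG on each NSEC used."""
    q = canonical_key(qname)
    for owner, nxt, types in chain:
        if canonical_key(owner) == q:
            return None if qtype in types else "NODATA"
        if nsec_covers(owner, nxt, qname):
            return "NXDOMAIN"
    return None


def forged_response_hit_probability(forged, txid_bits=16, port_bits=0):
    """Probability that at least one of `forged` spoofed responses matches the
    resolver's random transaction ID (and random source port, if port_bits > 0)
    before the genuine answer arrives. This is the race a non-validating
    resolver is exposed to; with DNSSEC a matching forgery still fails the
    signature check and is not cached."""
    p_single = 2.0 ** -(txid_bits + port_bits)
    return 1.0 - (1.0 - p_single) ** forged


if __name__ == "__main__":
    # A forged positive answer for charlie.example. cannot be cached by a
    # validator: the signed NSEC alpha.example. -> delta.example. covers it.
    print(nsec_proves("charlie.example.", "A", SAMPLE_NSEC_CHAIN))   # NXDOMAIN
    print(nsec_proves("zulu.example.", "A", SAMPLE_NSEC_CHAIN))      # NXDOMAIN (wrap-around)
    print(nsec_proves("delta.example.", "AAAA", SAMPLE_NSEC_CHAIN))  # NODATA
    print(nsec_proves("delta.example.", "A", SAMPLE_NSEC_CHAIN))     # None
    print(forged_response_hit_probability(65536))                    # about 0.63, 16-bit ID only
    print(forged_response_hit_probability(65536, port_bits=16))      # about 1.5e-05 with port randomization
```

The ordering key is the part that is easy to get wrong: NSEC coverage is decided in canonical order (rightmost label first, case-folded, parent before child), not in plain string order, so `www.alpha.example.` is covered by the `alpha.example.` record even though it sorts after `delta` as a string. The probability function makes the “law of large numbers” concrete: roughly 65,536 forged packets give a better-than-even chance against a resolver that randomizes only the transaction ID, while adding a random source port pushes the same flood to odds of about one in 65,000.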