DNSSECprotected

DNSSECprotected denotes a domain whose DNS zone is signed with DNSSEC and whose data can be validated by resolvers. A DNSSECprotected zone provides cryptographic assurance that responses come from the authoritative source and have not been tampered with during transit.

DNSSEC adds signatures to DNS data. Each zone has a DNSKEY set; responses include RRSIG records; the

A domain becomes DNSSECprotected when it is signed and a DS record is published at the parent

Operational considerations include choosing signing software, configuring automatic signing, publishing DS at the registrar, and regularly

DNSSEC protection does not provide confidentiality and does not enhance availability by itself. It relies on