About DNSSEC

DNSSEC (DNS Security Extensions) is a set of protocols that secures DNS using digital signatures. DNSSEC ensures that the DNS data retrieved during a query has not been altered (data integrity) while being transmitted. It also allows others to verify that the DNS data actually came from the purported publisher of DNS records (authenticity).

DNSSEC-aware servers run their DNS data through an algorithm that creates a message digest for each DNS record. Each digest is then digitally encrypted using a private key, resulting in a digital signature. The DNS server’s private key has a corresponding public key that is itself published by a trusted third party, or Certification Authority.

When these DNS records are published, they are sent along with the digital signature. When a resolver or another DNS server retrieves these records, it also retrieves the digital signature. The resolver can then attempt to decrypt the digital signature using the DNS record publisher's public key. If it is decrypted successfully using the publisher’s public key, the sender is authenticated. Successful decryption also results in a message digest for the DNS data. The published DNS data is then run through the same algorithm and the resulting message digest is compared with the decrypted digest. If they are identical, then the integrity of the DNS data is assured.
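The digest, sign and verify steps described above can be traced in a short added example (not code from the original page). It assumes textbook RSA over a SHA-256 digest, a constructed toy key pair, a simplified record format and hypothetical function names; it is not the DNSSEC wire format.

```python
import hashlib

# Constructed toy key pair built from known Mersenne primes so the demo is
# deterministic and stdlib-only. Real keys use random primes and padding.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key: modulus and exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent


def digest(record):
    """Message digest of one record (owner, ttl, rtype, rdata) as an int."""
    owner, ttl, rtype, rdata = record
    # Simplified canonical form: owner names are case-insensitive.
    text = f"{owner.lower()} {ttl} IN {rtype} {rdata}"
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")


def sign(record, d=D, n=N):
    """Publisher side: transform the digest with the private key."""
    return pow(digest(record), d, n)


def verify(record, signature, e=E, n=N):
    """Resolver side: recover the digest with the public key, recompute it
    from the received record, and compare the two values."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest(record)


# Constructed sample data (documentation-reserved name and addresses).
published = ("www.example.com.", 3600, "A", "192.0.2.10")
signature = sign(published)

# The same record with its address altered after signing.
tampered = ("www.example.com.", 3600, "A", "203.0.113.66")

# A second constructed key pair, standing in for a signer whose public key
# the resolver does not hold.
P2, Q2 = 2**127 - 1, 2**521 - 1
N2, D2 = P2 * Q2, pow(E, -1, (P2 - 1) * (Q2 - 1))
resigned = sign(tampered, D2, N2)

if __name__ == "__main__":
    print("published record, original signature:", verify(published, signature))
    print("tampered record, original signature: ", verify(tampered, signature))
    print("tampered record, other signer's key: ", verify(tampered, resigned))
```

Altering the record changes the recomputed digest, and re-signing with a different key changes the recovered digest, so both cases fail the comparison.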

At present, DNSSEC represents the most effective way to secure DNS. Adoption, however, has been slow.
