The most common DNS threats that DNSSEC is designed to thwart are:
- DNS Spoofing, in which a name server is “poisoned” into redirecting users to fraudulent or false data;
- Malicious resolvers, which pass fraudulent DNS resolution results on to users; and
- Man-in-the-middle attacks, in which an attacker redirects, intercepts and changes network traffic during transmission.
DNSSEC is intended to mitigate DNS threats using three separate but related parts. These are:
- Origin Authentication: the ability for DNSSEC-capable resolvers to verify that a server is genuine;
- Data Integrity: assurance that the data received from that server is genuine and verifiable; and
- Authenticated denial of existence: an authentic determination that a resource, such as a name server, does not exist.
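
To make the third part concrete, the following added example (not from the original page) shows how a validating resolver can decide whether an NSEC record denies a queried name or type, using the canonical name ordering of RFC 4034. The zone example.com, the sample chain and the function names are constructed for illustration. It assumes the NSEC records have already passed signature validation and that names contain no escaped dots.

```python
# Added example: NSEC-based authenticated denial of existence (RFC 4034 / RFC 4035).
# Assumption: every NSEC record below has already passed RRSIG validation.

def canonical_key(name):
    """RFC 4034 section 6.1 sort key: lowercased labels, most significant first."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if qname falls strictly inside the gap this NSEC record proves empty."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    # Last NSEC in the chain: next_name wraps back to the zone apex, so the
    # gap is everything after owner that is still inside the zone.
    return q > o and q[:len(n)] == n

def check_denial(chain, qname, qtype):
    """Return ("NODATA" | "NAME_COVERED", nsec_owner), or None if nothing denies it."""
    for owner, next_name, types in chain:
        if canonical_key(owner) == canonical_key(qname):
            # Name exists; denial holds only if the type bitmap lacks qtype.
            return ("NODATA", owner) if qtype not in types else None
        if nsec_covers(owner, next_name, qname):
            # A complete NXDOMAIN proof also needs an NSEC covering the
            # matching wildcard (RFC 4035 section 5.4); not checked here.
            return ("NAME_COVERED", owner)
    return None

# Constructed sample chain for a hypothetical zone example.com.
CHAIN = [
    ("example.com.", "a.example.com.", {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    ("a.example.com.", "mail.example.com.", {"A", "RRSIG", "NSEC"}),
    ("mail.example.com.", "www.example.com.", {"A", "MX", "RRSIG", "NSEC"}),
    ("www.example.com.", "example.com.", {"A", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    for q, t in [("ftp.example.com.", "A"), ("www.example.com.", "AAAA"),
                 ("www.example.com.", "A"), ("zzz.example.com.", "A")]:
        print(q, t, check_denial(CHAIN, q, t))
```

A response claiming that a name does not exist, but arriving without a covering NSEC record, returns None here and should be treated as unauthenticated.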