Frequently Asked Questions
DNS Security Information
What is DNSSEC?
DNSSEC, short for Domain Name System Security Extensions, is a technology upgrade that was developed to, among other things, protect against attacks such as cache poisoning (described below) by digitally ‘signing’ DNS data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup, from the root zone down to the final domain name (e.g., www.example.co). The root zone was signed on July 15, 2010 and the .CO registry was proud to implement DNSSEC in the .CO name space within the first half of 2011. Importantly, DNSSEC does not encrypt data. It only attests that the address returned for the site you visit is authentic.
How does DNSSEC work?
DNSSEC services protect against most of the threats to the Domain Name System (DNS), including cache poisoning. It is a technical set of security extensions to the DNS which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence. DNSSEC does not provide confidentiality of data, nor does it protect against DDoS attacks.
What is cache poisoning?
The simplest form of cache poisoning is sending fake “answers” to a user’s DNS server. DNS servers constantly send out questions ("What's the IP address of www.example.co?") and receive answers ("www.example.co is at 22.214.171.124"). The servers don't actually authenticate the source of the answers, so a forged answer that arrives first can be cached and served to users. With DNSSEC, the server sends back a signed answer that the resolver validates, assuring the user that the website viewed is the actual website requested and that this vulnerability is not being exploited.
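An added illustration of the origin-authentication and data-integrity guarantees described above, written for this FAQ and not taken from the registry or any DNS software: a simplified model of signing an RRset and validating it at the resolver, using Ed25519 (DNSSEC algorithm 15). The RR struct, the canonical text form and the attacker address 192.0.2.1 are assumptions of this example, not real DNSSEC wire format; the genuine address is the one from the FAQ text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified DNS resource record: owner name, type and rdata.
type RR struct {
	Name, Type, Data string
}

// canonical builds the bytes a signature covers. Like a real RRSIG it covers
// the whole RRset in canonical (lower-cased, sorted) order, so a record cannot
// be altered, added or dropped without invalidating the signature.
func canonical(rrset []RR) []byte {
	lines := make([]string, 0, len(rrset))
	for _, rr := range rrset {
		lines = append(lines, strings.ToLower(rr.Name)+" "+rr.Type+" "+rr.Data)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Sign is what the zone operator does when the zone is signed.
func Sign(priv ed25519.PrivateKey, rrset []RR) []byte {
	return ed25519.Sign(priv, canonical(rrset))
}

// Validate is what a validating resolver does before caching an answer:
// an RRset is accepted only if the signature checks out against the zone key.
func Validate(pub ed25519.PublicKey, rrset []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrset), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // zone key pair (constructed)
	genuine := []RR{{"www.example.co", "A", "22.214.171.124"}}
	sig := Sign(priv, genuine)
	// A spoofed answer carries a different address but cannot carry a valid signature.
	forged := []RR{{"www.example.co", "A", "192.0.2.1"}} // constructed attacker address
	fmt.Println("genuine answer accepted:", Validate(pub, genuine, sig)) // true
	fmt.Println("forged answer accepted: ", Validate(pub, forged, sig))  // false
}
```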