We can use DNSSEC to validate the origin of the DNS records we get back for a name such as “www.nucleus.be”. DNSSEC lets us guarantee that you get the IP address that really belongs to a domain name, and not the IP address some criminal would like you to use.
To make this possible, every DNS record is digitally signed. Each of these records can be traced via a “chain of trust” up to the root zone, so you can verify that you are receiving the correct record.
With each query sent to a nameserver, you also receive an RRSIG record in addition to the familiar A, CNAME, TXT, MX, … records. That RRSIG record holds the digital signature over the requested resource record. The signature is then validated against the public key published in the zone’s DNSKEY record. If that validation fails, the requesting server returns an NXDOMAIN (or a SERVFAIL) response instead of the expected DNS record. This means the domain name cannot be resolved to an IP address, so at that moment the system cannot be reached, as no IP address is known.
It resembles the widely used public/private key cryptography, but goes one step further. To validate that you receive the correct response from the nameservers of your TLD (e.g. DNSBE or EURID), those records are in turn validated against the “root” zone, also known as the “dot” (.). By following this entire route, we can guarantee that no one in between is interfering with the connection and forging data (the so-called “chain of trust”).
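The record-level checks described above, as an added example that is not part of the original post: a stdlib-only Python sketch of what a validating resolver verifies about an RRSIG before it even checks the signature bytes, namely that the signer is the zone the name belongs to, that the signature is inside its inception/expiration window, and that a DNSKEY with the matching algorithm and key tag exists in that zone. The zone, key and signature values are constructed stand-ins, not real records.

```python
import base64
import struct
from datetime import datetime, timezone

def utc(ts):  # RRSIG timestamps are YYYYMMDDHHMMSS in UTC
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
def labels(name):  # "www.example.com." -> ["www", "example", "com"]; the root "." -> []
    return [l for l in name.strip(".").split(".") if l]

def dnskey_key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (every algorithm except 1/RSAMD5): 16-bit sum of the RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def parse_dnskey(line):  # presentation format: owner ttl class DNSKEY flags protocol algorithm key
    owner, _ttl, _cls, _type, flags, proto, alg, key = line.split(maxsplit=7)
    tag = dnskey_key_tag(int(flags), int(proto), int(alg), key.replace(" ", ""))
    return {"owner": owner, "algorithm": int(alg), "key_tag": tag}

def parse_rrsig(line):  # owner ttl class RRSIG covered alg labels origttl expiration inception tag signer sig
    f = line.split()
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]), "expiration": utc(f[8]),
            "inception": utc(f[9]), "key_tag": int(f[10]), "signer": f[11]}

def rrsig_problems(sig, dnskeys, now):
    """Reasons a validator rejects this RRSIG before touching the signature bytes; [] = go on to verify."""
    problems = []
    o, s = labels(sig["owner"]), labels(sig["signer"])
    if len(s) > len(o) or o[len(o) - len(s):] != s:
        problems.append(f"signer {sig['signer']} is not an ancestor of {sig['owner']}")
    if not sig["inception"] <= now <= sig["expiration"]:
        problems.append("signature is outside its inception/expiration window")
    if not any(k["owner"] == sig["signer"] and k["algorithm"] == sig["algorithm"]
               and k["key_tag"] == sig["key_tag"] for k in dnskeys):
        problems.append(f"no DNSKEY in {sig['signer']} with algorithm {sig['algorithm']} and tag {sig['key_tag']}")
    return problems

def check_answer(answer_lines, dnskey_lines, now):
    # Map each answer RRset type to its problems; an RRset with no RRSIG at all is flagged as well.
    keys = [parse_dnskey(l) for l in dnskey_lines]
    result = {l.split()[3]: ["RRset has no RRSIG"] for l in answer_lines if l.split()[3] != "RRSIG"}
    for sig in (parse_rrsig(l) for l in answer_lines if l.split()[3] == "RRSIG"):
        result[sig["type_covered"]] = rrsig_problems(sig, keys, now)
    return result

# Constructed sample: not a real zone, key or signature (the public key is a 3-byte stand-in, key tag 1550).
DNSKEY_LINES = ["example.com. 3600 IN DNSKEY 257 3 13 AQAB"]
ANSWER = ["www.example.com. 300 IN A 192.0.2.10",
          "www.example.com. 300 IN RRSIG A 13 3 300 20240601000000 20240501000000 1550 example.com. ZmFrZXNpZw=="]
```

Calling `check_answer(ANSWER, DNSKEY_LINES, utc("20240515000000"))` yields `{"A": []}`, meaning the resolver would proceed to the actual signature verification; with a date after 1 June 2024, or with the key tag or signer altered, it reports why the record would be rejected, which is what ends in the SERVFAIL described above.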
In practice, though, this means that caching or resolving nameservers – like the ones at your local ISP – have to validate these DNSSEC-signed responses. That is currently not yet happening, because no one is implementing DNSSEC. It’s the classic “chicken and egg” scenario: ISPs will only start validating DNSSEC once it is widely used, and it will only be widely used once resolvers validate the responses. In that vicious circle, we gladly play a guiding role to motivate the rollout and acceptance of DNSSEC by signing our own records already.