DNSSEC introduces security at the infrastructure level through a hierarchy of cryptographic signatures attached to the DNS records. Users are assured that the source of the data is verifiably the stated source, and the mapping of name to IP address is accurate. DNSSEC-compliant name servers also provide denial of existence, that is, they tell a user that a name does not exist. There are two dominant strategies: (1) a process that zone operators can initiate for digitally signing their own zones by employing public-private key pairs and (2) a chain of trust between parent and child that enables the system eventually to become trustworthy.
The specification calls for four new resource record types (Resource Record Signature [RRSIG], DNS Public Key [DNSKEY], Delegation Signer [DS], and Next Secure [NSEC]) in addition to new information in the packet header. The information in the header used by DNSSEC indicates that the response to a query passed checks on the server side. A zone administrator who wishes to deploy DNSSEC first generates a key pair, consisting of a public key and a private key. The public key is stored in a DNSKEY record; the private key is stored offline. The private key is used to digitally sign the records and the resulting digital signature is stored in a RRSIG record.
A zone operator may have to complete one or two more steps, depending on the content of the zone file: NSEC records hold information about the next record in the zone and must be added. This enables the response that no record exists. If the zone includes delegations, then a Delegation Signer (DS) record must also be added in the parent zone for a given child. So a zone that contains children must include DS records for the children. A zone that has signed its records and added the NSEC and, if necessary, the DS records may go into business as a self-signed DNSSEC-compliant zone, also known as an "island of security." This is a zone that contains signed records – or is considered a "signed zone" – but is the child of a parent that cannot vouch for the authenticity of the child's key.
The combination of RRSIG and the child's public key in a DNSKEY record allows a validation of the source of the data. The simplest DNSSEC sequence is to obtain the DNS information queried for together with the signature associated with that information (contained in the RRSIG) and to use the public key in the DNSKEY to perform the validation (i.e., prove that the signature was made by the holder of the private key). However, the power of DNSSEC lies in a second step that allows the signed zone to be vouched for, preferably by its parent but if not, by another authenticating entity. This sequence creates the chain of trust up to the "trust anchor," which is the starting point in the chain. A DNSSEC aware resolver validates the information it receives in response to a query by using the public keys to check the signed records.
DNSSEC – DNS Security Extensions. Web site that provides excellent and important background information for a general and technically literate audience on the history and development of the protocol, and useful tools.
M. Gieben, DNSSEC, The Internet Protocol Journal, 7  (June 2004). Verified January 20, 2005. Offers a useful introduction to the protocol.
DNSSEC: What is it and what does it do? Prepared by NIC-SE, the first ccTLD in the world to deploy DNSSEC.