The DNS security extensions (DNSSEC), described in RFCs 4033, 4034, and 4035, allow zone administrators to digitally sign zone data using public key cryptography, which proves the data's authenticity. The primary purpose of DNSSEC is to prevent DNS cache poisoning and DNS hijacking. These record types are used for DNSSEC:

  • DNSKEY (DNS public key). Stores the public key used for resource record set signatures.
  • RRSIG (resource record signature). Stores the signature for an RRset.
  • DS (delegation signer). Parent zone pointer to a child zone’s DNSKEY.
  • NSEC3 (next secure v3). Used for authenticated NXDOMAIN.

The Security Option contract item of Edge DNS supports these features:

  • Sign and serve DNSSEC. Akamai manages signing the zone, key rotation, and serving the zone.
  • Serve DNSSEC. You manage signing the zone and key rotation, while Akamai serves the zone.

For more information, see these topics: