DNSSec


Article by

Igor Djuricic

Oct 20, 2017

Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated.

Specifically, DNSSEC provides origin authentication (proof that a response came from the zone's authoritative source), data integrity, and authenticated denial of existence. With DNSSEC, the DNS protocol is much less susceptible to certain types of attacks, particularly DNS spoofing (cache poisoning) attacks.

How DNSSEC works

If supported by an authoritative DNS server, a DNS zone can be secured with DNSSEC using a process called zone signing. Signing a zone with DNSSEC adds validation support to a zone without changing the basic mechanism of a DNS query and response.
Validation of DNS responses occurs through the use of digital signatures that are included with DNS responses. These digital signatures are contained in new, DNSSEC-related resource records that are generated and added to the zone during zone signing.
The following figure shows DNS resource records in the zone contoso.com before and after zone signing.

DNSSEC signing status: Because DNSSEC signs all records in a zone, the signing status of a record such as finance.secure.contoso.com refers to the state of the secure.contoso.com zone, not to that one resource record. You cannot sign some records and leave others unsigned; therefore, the DNSSEC status of finance.secure.contoso.com depends on the DNSSEC status of secure.contoso.com.

Where are we now?

DNSSEC is a standards-based mechanism that allows a client to validate DNS responses. It can expose attempts to pass off false DNS data as authentic using an approach of incrementally signed data and an interlocking hierarchy of signing keys to allow data verification. DNSSEC is a backwards compatible extension of DNS, and it works entirely within the existing structure of the DNS.

However, DNSSEC will work best when we all use it. In such a scenario of universal adoption, clients will need to be equipped with a single local trust key that "unlocks" the entire key hierarchy of the DNS. If everyone uses DNSSEC, we will not need to rely on the integrity and good intentions of a bevy of intermediate crypto key brokers to assemble useful and current lookaside lists to compensate for the lack of a complete interlocking structure of DNS zone keys.

And here "everyone" really means "everyone, from the root all the way down". Within a few days from now the root of the DNS will be DNSSEC signed with a verifiable key. A critical part of the scenario of universal adoption of DNSSEC, the apex of the key hierarchy, will then have been achieved. But when and how will the other parts of the DNS follow? Some DNS registrars are currently offering DNSSEC DS key registration as an extra-cost option for name holders. While this provides some marginal incentive from the registration side for DNSSEC adoption, it's difficult to see the path towards universal use of DNSSEC taking off when many of the incremental costs are loaded onto the name holder and the zone administrator, while the majority of the benefits of DNSSEC adoption lie in the intangible area of risk mitigation on the DNS client side.
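As an added example (not code from the original article), this is the link that the "DS key registration" above creates and that a validator later checks in the interlocking key hierarchy: the parent publishes a DS record that is a SHA-256 digest of the child's DNSKEY, identified by the RFC 4034 key tag. The DNSKEY bytes are a constructed placeholder rather than a real key, and only the DS-to-DNSKEY step is modelled, not the RRSIG signature checks.

```python
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    """A DNSKEY record as the child zone publishes it."""
    owner: str         # zone apex the key belongs to, e.g. "example.com."
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int     # DNSSEC algorithm number, e.g. 13 = ECDSAP256SHA256
    public_key: bytes
    protocol: int = 3  # fixed at 3 for DNSSEC

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick the right
    DNSKEY out of an RRset; it carries no security on its own."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(key: DNSKEY) -> bytes:
    """DS digest type 2: SHA-256 over the canonical owner name followed by the DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(wire_name(key.owner) + key.rdata()).digest()


def ds_record(key: DNSKEY) -> tuple:
    """The DS RDATA the parent zone signs and serves: (key tag, algorithm, digest type, digest)."""
    return (key_tag(key.rdata()), key.algorithm, 2, ds_digest(key))


def ds_matches_dnskey(ds: tuple, key: DNSKEY) -> bool:
    """Validator side: a DNSKEY fetched from the child is trusted only if its tag,
    algorithm and digest all agree with the DS the parent vouched for."""
    tag, alg, dtype, digest = ds
    if dtype != 2 or alg != key.algorithm or tag != key_tag(key.rdata()):
        return False
    return digest == ds_digest(key)


# Constructed placeholder key: a 64-byte counting pattern, NOT a real P-256 public key.
EXAMPLE_KSK = DNSKEY(owner="Example.COM.", flags=257, algorithm=13, public_key=bytes(range(64)))

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(EXAMPLE_KSK)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest.hex().upper()}")
    print("child DNSKEY matches parent DS:", ds_matches_dnskey(ds_record(EXAMPLE_KSK), EXAMPLE_KSK))
```

Because the owner name is canonicalised, a DS computed for "Example.COM." validates a DNSKEY served under "example.com.", while any change to the key bytes or the owner makes the check fail.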

So the signing of the root of the DNS does not in and of itself cure the DNS of all known security pitfalls. This particular root zone signing lifts the expectation that widespread adoption of DNSSEC is a feasible ambition, but it's not the complete solution by any means.

It is perhaps more realistic to view the signing of the root of the DNS as one more milestone, albeit a very important and significant milestone, in a far longer DNSSEC path, rather than thinking that we've reached the ultimate destination of this particular journey.

Algorithms

DNSSEC was designed to be extensible so that as attacks are discovered against existing algorithms, new ones can be introduced in a backward-compatible fashion. The following table defines, as of April 2013, the security algorithms that are most often used:
