nerdexam
(ISC)2

CISSP · Question #870

What is the PRIMARY goal for using Domain Name System Security Extensions (DNSSEC) to sign records?

The correct answer is A. Integrity. DNSSEC signs DNS records cryptographically to ensure that DNS responses have not been tampered with, making integrity its primary goal.

Submitted by chen.hong· Mar 5, 2026Communication and Network Security

Question

What is the PRIMARY goal for using Domain Name System Security Extensions (DNSSEC) to sign records?

Options

  • AIntegrity
  • BConfidentiality
  • CAccountability
  • DAvailability

How the community answered

(17 responses)
  • A
    94% (16)
  • D
    6% (1)

Why each option

DNSSEC signs DNS records cryptographically to ensure that DNS responses have not been tampered with, making integrity its primary goal.

AIntegrityCorrect

DNSSEC uses digital signatures (via asymmetric cryptography) to sign DNS resource records, allowing resolvers to verify that the data originated from an authoritative source and has not been modified in transit. This directly addresses data integrity by detecting forged or altered DNS responses, protecting against attacks such as DNS cache poisoning. Confidentiality is explicitly out of scope for DNSSEC, as it does not encrypt DNS data.

BConfidentiality

DNSSEC does not encrypt DNS query or response data, so it provides no confidentiality; DNS over HTTPS (DoH) or DNS over TLS (DoT) are the mechanisms used for that purpose.

CAccountability

Accountability refers to tracking actions to specific users or entities; DNSSEC authenticates data origin but does not log or attribute user activity in any way.

DAvailability

Availability concerns ensuring services remain accessible; DNSSEC does not protect against denial-of-service attacks and can actually introduce additional overhead that slightly impacts availability.

Concept tested: DNSSEC purpose and DNS data integrity

Source: https://learn.microsoft.com/en-us/windows-server/networking/dns/dnssec-overview

Topics

#DNSSEC#DNS security#data integrity#network protocols

Community Discussion

No community discussion yet for this question.

Full CISSP Practice