CISSP · Question #870
What is the PRIMARY goal for using Domain Name System Security Extensions (DNSSEC) to sign records?
The correct answer is A. Integrity. DNSSEC signs DNS records cryptographically to ensure that DNS responses have not been tampered with, making integrity its primary goal.
Question
Options
- AIntegrity
- BConfidentiality
- CAccountability
- DAvailability
How the community answered
(17 responses)- A94% (16)
- D6% (1)
Why each option
DNSSEC signs DNS records cryptographically to ensure that DNS responses have not been tampered with, making integrity its primary goal.
DNSSEC uses digital signatures (via asymmetric cryptography) to sign DNS resource records, allowing resolvers to verify that the data originated from an authoritative source and has not been modified in transit. This directly addresses data integrity by detecting forged or altered DNS responses, protecting against attacks such as DNS cache poisoning. Confidentiality is explicitly out of scope for DNSSEC, as it does not encrypt DNS data.
DNSSEC does not encrypt DNS query or response data, so it provides no confidentiality; DNS over HTTPS (DoH) or DNS over TLS (DoT) are the mechanisms used for that purpose.
Accountability refers to tracking actions to specific users or entities; DNSSEC authenticates data origin but does not log or attribute user activity in any way.
Availability concerns ensuring services remain accessible; DNSSEC does not protect against denial-of-service attacks and can actually introduce additional overhead that slightly impacts availability.
Concept tested: DNSSEC purpose and DNS data integrity
Source: https://learn.microsoft.com/en-us/windows-server/networking/dns/dnssec-overview
Topics
Community Discussion
No community discussion yet for this question.