DNSSEC

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS, ensuring that DNS responses are authentic and unaltered. Each DNS zone signs its records with a private key; resolvers verify the signature against the public key.

DNSSEC protects against cache poisoning and man-in-the-middle attacks at the DNS level. You can trust that the resolved IP address genuinely comes from the domain owner. DNSSEC does not encrypt the data itself — that requires DNS-over-HTTPS or DNS-over-TLS. Setup requires careful key management, since expired keys can cause DNS outages.
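The outage risk described above typically surfaces as RRSIG records whose validity window has lapsed, at which point validating resolvers reject the answer. The following is an added example, not part of the original glossary entry: it parses RRSIG records in presentation format (RFC 4034) and classifies each signature's validity window. The zone name, key tag, signature data and the 7-day warning threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in RRSIG presentation format (RFC 4034, section 3.2).
# Owner names, key tag and signature data are placeholders, not real zone data.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG A 13 2 3600 20240615000000 20240516000000 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN RRSIG MX 13 2 3600 20240603000000 20240504000000 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN RRSIG NS 13 2 3600 20240520000000 20240420000000 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN RRSIG TXT 13 2 3600 20240701000000 20240602000000 12345 example.test. c2lnbmF0dXJl
"""

def parse_ts(field):
    # Only the 14-digit YYYYMMDDHHmmSS (UTC) timestamp form is handled here.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    # owner TTL class RRSIG covered alg labels origTTL expiration inception keytag signer sig
    f = line.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": f[0], "covered": f[4], "algorithm": int(f[5]),
        "expiration": parse_ts(f[8]), "inception": parse_ts(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
    }

def classify(rrsig, now, warn=timedelta(days=7)):
    # A validator rejects signatures outside [inception, expiration].
    if now < rrsig["inception"]:
        return "not-yet-valid"
    if now > rrsig["expiration"]:
        return "expired"
    if rrsig["expiration"] - now <= warn:
        return "expiring-soon"
    return "valid"

def audit(text, now, warn=timedelta(days=7)):
    # Map each covered record type to the state of its signature.
    records = (parse_rrsig(l) for l in text.splitlines() if l.strip())
    return {r["covered"]: classify(r, now, warn) for r in records}

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample data
    for rtype, state in audit(SAMPLE_RRSIGS, now).items():
        print(f"{rtype:4} {state}")
```

Running a check like this against a zone's published signatures on a schedule gives operators warning before re-signing is overdue.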