DNSSEC does get you something today because an answer is not "correct" if it is unsigned, or the signature is invalid, and you were expecting a signed response. If your resolver can determine a chain of trust from an anchor (ideally the root servers, but today it might be the Swedish ccTLD registry) down the DNS hierarchy to the requested address, then it can (and, if configured to do so, will) authenticate the response. At the anchor you use a locally configured key to verify the signed information about the next level, and if that information contains a public key, you can use that to verify the next lot of signed information, and so on until you've reached the point in the hierarchy you were interested in, or you don't get a key and fall back to unauthenticated DNS. If you install the Swedish TLD's DNSSEC public key and configure your resolver and/or recursive server to use it, then you will have working DNSSEC today, for however many 2LDs there are in their registry which have decided to use DNSSEC, and for any of their 3LDs and so on as appropriate. Once you have set this up, any queries for these addresses will either give you the authentic answer, or fail in some way (e.g. because the owner forgot to update their key and doesn't have a system which handles it automatically); spoofing becomes impossible.
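The chain-of-trust walk the comment describes, as an added example that is not part of the comment or of any real resolver. It models a validator configured with the .se key as its trust anchor and walks anchor key, DS at the parent, DNSKEY at the child, RRSIG over the answer, reporting the three outcomes a validating resolver can reach: secure, bogus (signature or DS mismatch, e.g. a key rollover whose DS the registry never received), and insecure (no DS at the delegation, fall back to unauthenticated DNS). Assumptions: the zone names, keys and addresses are constructed; an HMAC stands in for the RSA/ECDSA signature so the code runs with only the standard library; each zone has a single key rather than a KSK/ZSK pair; and the "no DS" case skips the NSEC/NSEC3 proof a real validator would demand.

```python
"""Toy DNSSEC chain-of-trust validation (added example, not from the comment).

ASSUMPTION: HMAC-SHA256 stands in for a public-key signature; the DS/DNSKEY/
RRSIG walk has the real shape, the cryptography does not. One key per zone,
and absence of a DS is taken at face value (no NSEC/NSEC3 denial proof).
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

SECURE, INSECURE, BOGUS = "SECURE", "INSECURE", "BOGUS"


def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for RRSIG generation (constructed; not a real signature)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def ds_digest(dnskey: bytes) -> bytes:
    """A DS record at the parent is a hash of the child's DNSKEY (SHA-256 here)."""
    return hashlib.sha256(dnskey).digest()


@dataclass
class Zone:
    name: str
    dnskey: Optional[bytes] = None                 # None: zone is not signed at all
    rrsets: dict = field(default_factory=dict)     # (owner, rrtype) -> rdata
    rrsigs: dict = field(default_factory=dict)     # (owner, rrtype) -> RRSIG over rdata

    def publish(self, owner: str, rrtype: str, rdata: bytes) -> None:
        self.rrsets[(owner, rrtype)] = rdata
        if self.dnskey is not None:                # signed zones sign every RRset
            self.rrsigs[(owner, rrtype)] = sign(self.dnskey, rdata)


def zone_path(zones: dict[str, Zone], anchor: str, qname: str) -> list[str]:
    """Zones from the anchor down to the one holding qname,
    e.g. ('se.', 'www.example.se.') -> ['se.', 'example.se.']."""
    labels = qname.split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))]
    path = [c for c in reversed(candidates) if c in zones]   # root-most first
    return path[path.index(anchor):]


def resolve(zones, anchor_zone: str, anchor_key: bytes,
            qname: str, qtype: str, wire_answer: bytes):
    """Validate the rdata seen on the wire (possibly spoofed) for qname/qtype.
    Returns (status, rdata or None)."""
    path = zone_path(zones, anchor_zone, qname)
    key = anchor_key                               # locally configured trust anchor
    for parent_name, child_name in zip(path, path[1:]):
        parent = zones[parent_name]
        ds = parent.rrsets.get((child_name, "DS"))
        if ds is None:
            # No DS at the zone cut: insecure delegation, plain unauthenticated DNS.
            return INSECURE, wire_answer
        if not verify(key, ds, parent.rrsigs.get((child_name, "DS"), b"")):
            return BOGUS, None                     # parent's DS RRset fails to validate
        child = zones[child_name]
        if child.dnskey is None or ds_digest(child.dnskey) != ds:
            # DS does not match the key the child serves (e.g. rollover, DS never updated).
            return BOGUS, None
        key = child.dnskey                         # descend with the authenticated key
    leaf = zones[path[-1]]
    sig = leaf.rrsigs.get((qname, qtype))
    if sig is None or not verify(key, wire_answer, sig):
        return BOGUS, None                         # unsigned or tampered answer
    return SECURE, wire_answer


def build_zones() -> dict[str, Zone]:
    """Constructed sample hierarchy under a .se trust anchor."""
    se = Zone("se.", dnskey=b"se-key-2018")
    example = Zone("example.se.", dnskey=b"example-key")
    example.publish("www.example.se.", "A", b"192.0.2.10")
    se.publish("example.se.", "DS", ds_digest(example.dnskey))
    # Owner rolled the key but never sent the new DS to the registry.
    rolled = Zone("rolled.se.", dnskey=b"rolled-new-key")
    rolled.publish("www.rolled.se.", "A", b"192.0.2.20")
    se.publish("rolled.se.", "DS", ds_digest(b"rolled-old-key"))
    # Unsigned 2LD: the registry publishes no DS for it.
    nosec = Zone("nosec.se.")
    nosec.publish("www.nosec.se.", "A", b"192.0.2.30")
    return {z.name: z for z in (se, example, rolled, nosec)}


def demo() -> dict:
    zones = build_zones()
    anchor = ("se.", b"se-key-2018")
    return {
        "authentic": resolve(zones, *anchor, "www.example.se.", "A", b"192.0.2.10"),
        "spoofed": resolve(zones, *anchor, "www.example.se.", "A", b"203.0.113.66"),
        "stale_ds": resolve(zones, *anchor, "www.rolled.se.", "A", b"192.0.2.20"),
        "unsigned": resolve(zones, *anchor, "www.nosec.se.", "A", b"192.0.2.30"),
        "unsigned_spoofed": resolve(zones, *anchor, "www.nosec.se.", "A", b"203.0.113.66"),
    }


if __name__ == "__main__":
    for case, (status, rdata) in demo().items():
        print(f"{case:17s} {status:8s} {rdata}")
```

The last two cases are the caveat worth noticing: with no DS at the .se delegation the validator has nothing to check against, so a spoofed answer for the unsigned zone is returned just as readily as the real one. "Spoofing becomes impossible" holds only for names under a delegation that actually carries a DS.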
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds