DNSSEC
DNS Security Extensions — cryptographic signatures on DNS records so resolvers can verify the answer wasn't tampered with in transit. Adds a chain of trust to DNS responses.
Why it matters
Without DNSSEC, an on-path attacker can spoof DNS responses and redirect a domain to their own server. DNSSEC’s signatures let resolvers reject forged answers.
Adoption
Uneven. Required for some sensitive use cases (banking, government) but not universally deployed across the public internet.