DNSSEC can easily be spoofed?

I want to know the purpose of DNSSEC, what problem does it really try to solve? I think DNSSEC can easily be spoofed by inserting a non-DNSSEC DNS server into the network that serves a non-DNSSEC copy of the zone. But maybe that is not the problem that DNSSEC tries to solve?

With DNSSEC, DNS servers use public/private key cryptography to sign and check each others' zones. This may help for instance against DNS cache poisoning. Data gets added to the cache only after the signature of the DNS response is checked.

Nice.

But how do clients verify they are using DNS secured by DNSSEC? If you try to prevent DNS cache poisoning but not DNS server insertion, is DNSSEC even worth the trouble?

I have a domain that is fully protected by DNSSEC according to https://dnssec-analyzer.verisignlabs.com/. In my company DNS (or restaurant wifi) I added a copy of this domain (or 'zone') to the network DNS server. This local DNS zone is NOT using DNSSEC. The clients in the company network (or restaurant wifi) are instructed to use the company DNS by the company DHCP server. Now if I change records in the copied zone on the company DNS, the clients simply follow these changes without warnings or complaints. The end users may believe they are safe because they have read in the documentation that my zone is protected by DNSSEC, but in reality they are using a spoofed zone on my company network (or the restaurant wifi) and they are not protected at all?
Solution 1:

DNSSEC allows you to ensure that the DNS data that you receive is unchanged compared to what the domain-owner published (for signed zones). This validation can be done at any stage in the querying path.

For this to work from the client point of view, you would ideally validate locally (not that common today but far from unheard of) or have a secure network path that can bridge the gap to a trusted validating resolver.
This secure network path could mean DNS-over-TLS, DNS-over-HTTPS, DNSCrypt or to some extent also a local network that you can at least somewhat trust (weaker, but still useful for a subset of attack scenarios).
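As an added example (not part of the question or of this answer), here is the check a stub resolver can make on the client side: decode the header of a wire-format DNS response and treat it as DNSSEC-validated only when the AD (Authentic Data) bit is set on a NOERROR reply whose transaction ID matches the query. The sample responses are constructed, and the AD bit is only meaningful when the path to a trusted validating resolver is itself secure (DNS-over-TLS, DNS-over-HTTPS, or local validation), which is exactly the caveat made above.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2.3).
FLAG_QR = 0x8000  # response (1) or query (0)
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authentic Data: set only by a validating resolver
FLAG_CD = 0x0010  # Checking Disabled: client asked for unvalidated data
RCODE_MASK = 0x000F


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "answers": ancount,
    }


def is_validated_answer(msg: bytes, expected_id: int) -> bool:
    """True only for a NOERROR response to our own query that carries AD.

    AD is an assertion by the resolver, not a signature, so this result is
    only as trustworthy as the channel to the resolver that set the bit.
    """
    h = parse_header(msg)
    return h["id"] == expected_id and h["qr"] and h["rcode"] == 0 and h["ad"]


def build_header(txid: int, flags: int, ancount: int = 1) -> bytes:
    """Constructed header-only message for the samples below."""
    return struct.pack("!6H", txid, flags, 1, ancount, 0, 0)


# Constructed samples: a reply from a validating resolver over a trusted path (AD set),
# and a reply from the captive-network resolver serving an unsigned zone copy (no AD).
VALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
UNVALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)

if __name__ == "__main__":
    print("validated path:", is_validated_answer(VALIDATED, 0x1234))      # True
    print("captive resolver:", is_validated_answer(UNVALIDATED, 0x1234))  # False
```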