DNSSEC

Cryptographic signing of DNS records to prevent tampering and spoofing attacks in transit.

DNSSEC (Domain Name System Security Extensions) cryptographically signs DNS records so resolvers can verify they haven't been tampered with. It adds a chain of trust from the root down to your zone.

Without DNSSEC, an attacker who controls your ISP's DNS resolver or sits on your network can redirect traffic anywhere. DNSSEC doesn't hide your traffic or stop queries from being logged—it just proves the answers are legit. Your registrar and nameserver operator both need to support it; most do now.

Enabling DNSSEC requires generating a signing key, publishing a DS record for that key in the parent zone (through your registrar), and updating that DS record whenever your signing key rotates. It adds operational friction. Some registrars and hosting providers handle it transparently; others make you manage it yourself. Misconfiguration (a stale or mistyped DS record, an expired signature) breaks your zone entirely for every validating resolver.
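The chain of trust, the DS handoff and the key-rotation failure described above, as an added worked example (not code from the original page or from any DNS software). It models DNSSEC at a deliberately simplified level: each zone has one Ed25519 key (algorithm 15 in real DNSSEC), an RRSIG is an Ed25519 signature over a canonical rendering of the RRset, and a DS record is the SHA-256 digest of the child's key published and signed by the parent. The zone names, the addresses and the canonical-form encoding are constructed for the example and are not the wire format; a real validator also handles signature validity windows, key tags and authenticated denial, which are omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRSet is a simplified resource record set: owner name, type and rdata strings.
type RRSet struct {
	Owner string
	Type  string
	Rdata []string
}

// canonical renders the RRset deterministically (lowercased owner, sorted rdata)
// so signer and validator hash exactly the same bytes. Constructed encoding, not RFC 4034.
func (r RRSet) canonical() []byte {
	rd := append([]string(nil), r.Rdata...)
	sort.Strings(rd)
	return []byte(strings.ToLower(r.Owner) + "|" + r.Type + "|" + strings.Join(rd, "\n"))
}

func rrKey(owner, typ string) string { return strings.ToLower(owner) + "|" + typ }

// Zone is a signed zone: one Ed25519 zone key, the RRsets it publishes and one RRSIG per RRset.
type Zone struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Records map[string]RRSet
	RRSIGs  map[string][]byte
}

func NewZone(name string) (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{Name: name, Pub: pub, priv: priv, Records: map[string]RRSet{}, RRSIGs: map[string][]byte{}}, nil
}

// Publish stores an RRset and signs it with the zone key.
func (z *Zone) Publish(r RRSet) {
	k := rrKey(r.Owner, r.Type)
	z.Records[k] = r
	z.RRSIGs[k] = ed25519.Sign(z.priv, r.canonical())
}

// Verify checks an RRset as a resolver received it against the RRSIG the zone published.
// Any rdata altered in transit no longer matches the signed canonical form.
func (z *Zone) Verify(r RRSet) error {
	sig, ok := z.RRSIGs[rrKey(r.Owner, r.Type)]
	if !ok {
		return fmt.Errorf("%s: no RRSIG for %s/%s", z.Name, r.Owner, r.Type)
	}
	if !ed25519.Verify(z.Pub, r.canonical(), sig) {
		return fmt.Errorf("%s: bad signature over %s/%s", z.Name, r.Owner, r.Type)
	}
	return nil
}

// Rotate replaces the zone key and re-signs everything. The parent's DS record
// still refers to the old key until the operator updates it, so validation breaks.
func (z *Zone) Rotate() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	z.Pub, z.priv = pub, priv
	for k, r := range z.Records {
		z.RRSIGs[k] = ed25519.Sign(z.priv, r.canonical())
	}
	return nil
}

// DSDigest is the DS record content for a child's key: SHA-256 over owner name and public key.
func DSDigest(owner string, pub ed25519.PublicKey) string {
	h := sha256.Sum256(append([]byte(strings.ToLower(owner)+"|"), pub...))
	return hex.EncodeToString(h[:])
}

// DelegateTo publishes and signs, in the parent, a DS record for the child's current key.
func (z *Zone) DelegateTo(child *Zone) {
	z.Publish(RRSet{Owner: child.Name, Type: "DS", Rdata: []string{DSDigest(child.Name, child.Pub)}})
}

// Validate walks the chain of trust: the root key must match the configured trust anchor,
// each parent must carry a signed DS matching its child's key, and the leaf RRSIG must verify.
func Validate(anchor string, chain []*Zone, rrset RRSet) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	if DSDigest(chain[0].Name, chain[0].Pub) != anchor {
		return errors.New("root DNSKEY does not match configured trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		ds, ok := parent.Records[rrKey(child.Name, "DS")]
		if !ok {
			return fmt.Errorf("%s: no DS record in parent %s", child.Name, parent.Name)
		}
		if err := parent.Verify(ds); err != nil {
			return err
		}
		if ds.Rdata[0] != DSDigest(child.Name, child.Pub) {
			return fmt.Errorf("%s: DS in %s does not match zone DNSKEY (stale DS after key rotation?)", child.Name, parent.Name)
		}
	}
	return chain[len(chain)-1].Verify(rrset)
}

// BuildChain sets up a constructed hierarchy root -> example. -> news.example. and returns
// the trust anchor (DS digest of the root key), the chain and the signed A record to validate.
func BuildChain() (anchor string, chain []*Zone, rrset RRSet, err error) {
	var zones []*Zone
	for _, n := range []string{".", "example.", "news.example."} {
		z, e := NewZone(n)
		if e != nil {
			return "", nil, RRSet{}, e
		}
		zones = append(zones, z)
	}
	rrset = RRSet{Owner: "www.news.example.", Type: "A", Rdata: []string{"192.0.2.10"}} // constructed
	zones[2].Publish(rrset)
	zones[1].DelegateTo(zones[2])
	zones[0].DelegateTo(zones[1])
	return DSDigest(zones[0].Name, zones[0].Pub), zones, rrset, nil
}

func main() {
	anchor, chain, rr, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine answer:", Validate(anchor, chain, rr))
	forged := RRSet{Owner: rr.Owner, Type: rr.Type, Rdata: []string{"203.0.113.66"}} // altered in transit
	fmt.Println("forged answer:", Validate(anchor, chain, forged))
	if err := chain[2].Rotate(); err != nil {
		panic(err)
	}
	fmt.Println("after key rotation, DS not updated:", Validate(anchor, chain, rr))
	chain[1].DelegateTo(chain[2])
	fmt.Println("after DS updated in parent:", Validate(anchor, chain, rr))
}
```

Running `main` shows the four outcomes the text describes: the genuine answer validates, an answer altered on the path fails the leaf RRSIG, rotating the leaf key without touching the parent's DS makes the whole zone fail validation (the "misconfiguration breaks your zone" case), and republishing the DS restores it. Note that the resolver only ever trusts the root anchor; every other key is accepted solely because a signed DS one level up vouches for it.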

It's security theater if your registrar gets hacked or your nameserver is compromised upstream, because the attacker can then publish correctly signed records. But against spoofed responses on the network path and DNS cache poisoning, it works. Increasingly recommended for sensitive operations: journalist domains, crypto exchanges, anything that can't afford a redirect attack.