NSEC

/ˈɛn-ɛs-siː/

n. “Proof of nothing — and everything in between.”

NSEC, short for Next Secure, is a record type used in DNSSEC to provide authenticated denial of existence. In plain terms, it proves that a queried DNS record does not exist while maintaining cryptographic integrity. When a resolver asks for a domain or record that isn’t present, NSEC ensures that the negative response cannot be forged or tampered with by an attacker.

Delegation Signer

/ˈdiː-ɛs/

n. “The chain that links the trust.”

DS, short for Delegation Signer, is a special type of DNS record used in DNSSEC to create a secure chain of trust between a parent zone and a child zone. It essentially tells resolvers: “The key in the child zone is legitimate, signed by authority, and you can trust it.”

RRSIG

/ˈɑːr-ɑːr-sɪɡ/

n. “Signed. Sealed. Verifiable.”

RRSIG, short for Resource Record Signature, is a record type used by DNSSEC to cryptographically sign DNS data. It is the proof attached to an answer — evidence that a DNS record is authentic, unmodified, and published by the rightful owner of the zone.

Domain Name System Key

/ˈdiː-ɛn-ɛs-kiː/

n. “This is the key — literally.”

DNSKEY, short for Domain Name System Key, is a record type used by DNSSEC to publish the public cryptographic keys for a DNS zone. It is the anchor point for trust inside a signed domain. Without it, nothing can be verified, and every signature becomes meaningless noise.

SPF

/ˈɛs-pi-ɛf/

n. “Verify the sender before you open the mail.”

SPF, short for Sender Policy Framework, is an email authentication method designed to detect and prevent email spoofing by verifying that incoming mail from a domain comes from an authorized IP address. It allows domain owners to publish a list of IP addresses or servers permitted to send email on their behalf in their DNS records.

Domain-based Message Authentication, Reporting & Conformance

/ˈdiː-mɑːrk/

n. “The rulebook for email trust.”

DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is an email authentication protocol designed to give domain owners control over how email receivers handle messages that fail verification checks. It builds on existing standards like SPF and DKIM, providing both enforcement guidance and reporting.

DomainKeys Identified Mail

/diː-keɪ-ˈaɪ-ɛm/

n. “Sign it so they know it’s really you.”

DKIM, short for DomainKeys Identified Mail, is an email authentication standard that allows senders to digitally sign their messages using cryptographic keys. The recipient server can then verify that the email was indeed sent by the claimed domain and that the message has not been tampered with in transit.

STARTTLS

/stɑːrt-tiː-ɛl-ɛs/

n. “Upgrade the line before you speak.”

STARTTLS is a protocol command used to upgrade an existing plaintext communication channel—commonly in SMTP, IMAP, or POP3—to a secure, encrypted connection using TLS. Instead of initiating a connection directly over TLS, the session begins in cleartext and then negotiates encryption before transmitting sensitive data.

HTTP Strict Transport Security

/ˌeɪtʃ-tiː-ɛs-tiː-ɛs/

n. “Never talk unencrypted, even if asked nicely.”

HSTS, short for HTTP Strict Transport Security, is a web security policy mechanism that tells browsers to always use HTTPS when communicating with a specific site. Once a browser sees the HSTS header from a site, it refuses to make any unencrypted HTTP requests for that domain, effectively preventing downgrade attacks and certain types of man-in-the-middle attacks.