The potential for DNS session hijacking is undeniable, with the risks that entails of being redirected to systems in the control of a malicious entity, with the potential for SSL man-in-the-middle attacks.

But is the answer really DNSSec? These two UML sequence diagrams show the same recursive query in the current DNS scheme and under DNSSec. Note the vast increase in processing effort and transaction time involved with implementing DNSSec and then multiply that by several hundreds of millions of daily DNS queries.

DNS Sequence


DNSSec Sequence
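To make the extra work in the second diagram concrete, here is an added Python model of the same recursive lookup with and without validation. It is not from the original post: the zones (`.`, `com.`, `example.com.`), keys and addresses are constructed, and the RRSIG is a stand-in (HMAC-SHA256 keyed with the zone's DNSKEY bytes) in place of the RSA/ECDSA signatures real DNSSEC uses. The DS check does mirror the real one (SHA-256 over owner name plus DNSKEY, digest type 2). The resolver counts round trips and cryptographic operations for each walk, and the second scenario shows what validation buys: a substituted `example.com.` zone is accepted by the plain resolver and rejected by the validating one.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def ds_digest(child_name: str, child_key: bytes) -> bytes:
    """DS record, digest type 2: SHA-256 over owner name + DNSKEY rdata."""
    return hashlib.sha256(child_name.encode() + child_key).digest()


def rrsig(key: bytes, rrset: bytes) -> bytes:
    """Constructed stand-in for an RRSIG (real DNSSEC uses asymmetric signatures)."""
    return hmac.new(key, rrset, hashlib.sha256).digest()


@dataclass
class Zone:
    name: str
    key: bytes                                   # stand-in DNSKEY (constructed)
    records: dict                                # qname -> referral or final answer
    child_ds: dict = field(default_factory=dict)  # delegated child -> DS digest

    def response(self, qname: str, next_zone):
        """Answer (or referral) for qname; a referral carries the child's signed DS."""
        rrset = qname.encode() + b"|" + self.records[qname].encode()
        if next_zone:
            rrset += b"|DS|" + self.child_ds[next_zone]
        return rrset, rrsig(self.key, rrset)

    def dnskey_response(self):
        rrset = self.name.encode() + b"|DNSKEY|" + self.key
        return rrset, rrsig(self.key, rrset)


class Resolver:
    def __init__(self, zones, root_ds: bytes, validate: bool):
        self.zones = {z.name: z for z in zones}
        self.root_ds = root_ds        # trust anchor configured out of band
        self.validate = validate
        self.queries = 0              # network round trips
        self.crypto_ops = 0           # DS digest checks + signature checks

    def zone_chain(self, qname: str):
        """Zones visited top-down: root, then every delegated suffix we know."""
        labels = qname.rstrip(".").split(".")
        chain = ["."]
        for i in range(len(labels) - 1, -1, -1):
            name = ".".join(labels[i:]) + "."
            if name in self.zones:
                chain.append(name)
        return chain

    def resolve(self, qname: str) -> str:
        chain = self.zone_chain(qname)
        expected_ds = self.root_ds
        for i, zone_name in enumerate(chain):
            zone = self.zones[zone_name]
            next_zone = chain[i + 1] if i + 1 < len(chain) else None
            self.queries += 1                      # the plain DNS query
            rrset, sig = zone.response(qname, next_zone)
            if self.validate:
                self.queries += 1                  # extra fetch of the DNSKEY RRset
                dnskey_rr, dnskey_sig = zone.dnskey_response()
                self.crypto_ops += 1
                if ds_digest(zone.name, zone.key) != expected_ds:
                    raise ValueError(f"DS from parent does not match DNSKEY of {zone.name}")
                self.crypto_ops += 1
                if not hmac.compare_digest(rrsig(zone.key, dnskey_rr), dnskey_sig):
                    raise ValueError(f"bad DNSKEY signature for {zone.name}")
                self.crypto_ops += 1
                if not hmac.compare_digest(rrsig(zone.key, rrset), sig):
                    raise ValueError(f"bad answer signature from {zone.name}")
                if next_zone:
                    expected_ds = zone.child_ds[next_zone]   # chain of trust moves down
        return zone.records[qname]


def build_zones(qname="www.example.com."):
    """Constructed three-level delegation; DS records computed from the real child keys."""
    root = Zone(".", b"root-ksk", {qname: "referral -> com."})
    com = Zone("com.", b"com-ksk", {qname: "referral -> example.com."})
    example = Zone("example.com.", b"example-ksk", {qname: "A 192.0.2.10"})
    root.child_ds["com."] = ds_digest("com.", com.key)
    com.child_ds["example.com."] = ds_digest("example.com.", example.key)
    return [root, com, example]


def lookup(validate: bool, hijacked: bool = False, qname="www.example.com."):
    """Returns (answer or SERVFAIL text, round trips, crypto operations)."""
    zones = build_zones(qname)
    root_ds = ds_digest(".", zones[0].key)
    if hijacked:  # a substituted zone with its own key, as after a redirect to a rogue server
        zones[2] = Zone("example.com.", b"rogue-key", {qname: "A 198.51.100.7"})
    r = Resolver(zones, root_ds, validate)
    try:
        answer = r.resolve(qname)
    except ValueError as err:
        answer = f"SERVFAIL: {err}"
    return answer, r.queries, r.crypto_ops


if __name__ == "__main__":
    for validate in (False, True):
        for hijacked in (False, True):
            print(f"validate={validate} hijacked={hijacked}:", lookup(validate, hijacked))
```

For a three-zone walk the plain resolver makes 3 round trips and does no cryptography; the validating one makes 6 round trips and performs 9 digest or signature checks, which is the per-query cost the diagrams contrast. Real resolvers cache DNSKEY and DS RRsets, so the steady-state overhead is lower than this cold-cache model suggests.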


So, do I have an alternative solution? No, not just yet...