Hard Computer Networks DNS & Routing
How does DNSSEC prevent DNS spoofing attacks?
Answer
DNSSEC adds cryptographic signatures to DNS records. Each zone has a ZSK (Zone Signing Key) that signs the zone's records and a KSK (Key Signing Key) that signs the ZSK. DS records in the parent zone create a chain of trust up to the root, and resolvers verify signatures along that chain. This prevents cache poisoning and spoofed responses. New record types: RRSIG (signature), DNSKEY (public keys), DS (delegation signer), NSEC/NSEC3 (authenticated denial of existence). Challenges: key rotation, zone walking (NSEC), increased response size, deployment complexity.
Relevant for Roles
Security Engineer, Senior Network Engineer, DNS Administrator