On DNSSEC

If you have ever called a customer care number and the operator asks you for the last 4 if your SSN to confirm your identity, you have experienced the human version of DNSSEC.

Websites properly setup for DNSSEC will return, in addition to your familiar CNAME or A/AAAA records, other special cryptographically signed DNS records that guarantee that the website is legitimate and your DNS server hasn't been hacked to return IP addresses of phishing sites instead.

Just like only you know the last 4 of your SSN, only the right website will return DNS records whose cryptographically signed records match the expected value for that website.