How: All DNS domains must be signed with DNSSEC.
Why: The DNSSEC standard adds important new security features to DNS while maintaining backwards compatibility. The new features are: origin authentication of DNS data, authenticated denial of existence, and data integrity.
DNSSEC was designed to protect applications (and caching resolvers serving those applications) from using forged or manipulated DNS data, such as that created by DNS cache poisoning. All answers from DNSSEC-protected zones are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server.
Notably, DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted.
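As an added illustration (not part of the original page), the following Python sketch parses a DNS response in wire format and reports whether the resolver set the AD (Authenticated Data) flag, which answer types have no covering RRSIG, and the A records it can read in cleartext. The function names are hypothetical, both sample responses are constructed with a zero-filled placeholder signature, and the code checks only that signatures are present; it does not validate them cryptographically.

```python
import struct

TYPE_A, TYPE_RRSIG, AD_FLAG = 1, 46, 0x0020

def encode_name(name):                   # length-prefixed labels, no compression
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a possibly compressed name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_response(msg):
    """Report the AD flag and which answer types lack a covering RRSIG."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                  # skip question: name + type + class
        off = skip_name(msg, off) + 4
    data_types, covered, a_records = set(), set(), []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:          # first RDATA field is "type covered"
            covered.add(struct.unpack("!H", rdata[:2])[0])
        else:
            data_types.add(rtype)
            if rtype == TYPE_A:          # readable in cleartext: no confidentiality
                a_records.append(".".join(map(str, rdata)))
    return {"ad": bool(flags & AD_FLAG), "a_records": a_records,
            "unsigned_types": sorted(data_types - covered)}

def build_sample(signed):
    """Constructed response for example.com A; signature bytes are a placeholder."""
    qname, ptr = encode_name("example.com"), b"\xc0\x0c"
    flags = 0x8180 | (AD_FLAG if signed else 0)   # QR, RD, RA (+AD)
    msg = struct.pack("!6H", 0x1234, flags, 1, 2 if signed else 1, 0, 0)
    msg += qname + struct.pack("!HH", TYPE_A, 1)
    msg += ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    if signed:
        rdata = struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 1702592000,
                            1700000000, 12345) + qname + bytes(64)
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    return msg
```

An empty `unsigned_types` list together with `ad` set to true is what a compliant, validated answer looks like; the AD flag is only as trustworthy as the resolver and the path to it.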