[franga2000]

Not tamper with the record directly, but MitM it on the way to a target.

[ishouldbework]

That should be prevented by dnssec no?

[tptacek]

Depends on who your adversary is. If it's your ISP: no, DNSSEC doesn't prevent that (in every mainstream deployment scenario, your upstream DNS recursive server is the only thing really doing DNSSEC validation).

[crote]

That's what DNSSEC is for.

[franga2000]

Yes, but that's just PKI again, which is what the OP was trying to avoid.