What makes DNSSEC immune to a MITM attack?
Why can't I sign a key for example.com and get this to a resolving nameserver or client before they can get it from the real source?
MITM isn't impossible, it just requires a lot more effort. Due to the integrity verification process Keith and Nik pointed out, you'll have to spoof not just the target example.com domain, but also .com and . (once it gets signed). Which means that simple cache-poisoning will no longer work, you have to completely subvert the target's entire resolver stream.
It works like SSL in a lot of ways. The root domain has delegation-signer records that are used to verify that the child domain (.com in this case) resolver is really the correct resolver. This repeats for each child domain until you get to a hostname. The actual verification process works in reverse, in that it goes up the tree until it gets to an unsigned level and verifies from there. DNS attackers will have to fake the entire resolver tree up to the signed root (be that .com or .) in order to succeed. This is why getting the DNS root signed is such a big deal.
A lot of how DNSSEC improves security is by making it a lot harder to feed bad data into resolver caches and by improving resistance to playing games with the DNS transaction process between clients and legitimate resolvers. A fully compromised DNS server will still return bad data even if it is using DNSSEC, and an in-line proxy rewriting DNS requests on the wire would have to fake every single DNS request, not just the intended ones, but that's a harder problem to solve in general, as well as harder to get into place in the first place.
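The chain of trust this answer describes (parent publishes a DS record that is a digest of the child's key, signs it with its own key, and so on up to a trust anchor) can be modelled end to end in a few dozen lines. The following is an added example, not code from the original thread: it uses a Lamport hash-based one-time signature from the standard library as a stand-in for the RSA/ECDSA signatures real DNSSEC uses, simplifies the DS digest to sha256(owner || public key), and uses constructed zone names and addresses. It shows why signing your own key for example.com is not enough: the validator rejects it at the DS in .com, and forging .com as well fails at the root's DS.

```python
"""Toy model of the DNSSEC chain of trust (added example, not from the original Q&A).

Assumptions: Lamport one-time signatures stand in for RSA/ECDSA, the DS
digest is simplified to sha256(owner || public key), and all zone data
(names, addresses) is constructed for the demonstration.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key: 256 pairs of secrets; public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = b"".join(H(a) + H(b) for a, b in sk)
    return sk, pk


def sign(sk, msg: bytes) -> bytes:
    bits = int.from_bytes(H(msg), "big")
    return b"".join(sk[i][(bits >> (255 - i)) & 1] for i in range(256))


def verify(pk: bytes, msg: bytes, sig) -> bool:
    if sig is None or len(sig) != 256 * 32 or len(pk) != 512 * 32:
        return False
    bits = int.from_bytes(H(msg), "big")
    for i in range(256):
        bit = (bits >> (255 - i)) & 1
        expected = pk[(2 * i + bit) * 32:(2 * i + bit + 1) * 32]
        if H(sig[i * 32:(i + 1) * 32]) != expected:
            return False
    return True


def ds_digest(owner: str, pk: bytes) -> bytes:
    """DS record content: a digest of the child zone's public key (simplified)."""
    return H(owner.encode() + pk)


@dataclass
class Zone:
    name: str
    sk: list
    pk: bytes
    rrsets: dict = field(default_factory=dict)   # (owner, type) -> rdata
    rrsigs: dict = field(default_factory=dict)   # (owner, type) -> signature

    def publish(self, owner: str, rtype: str, rdata: bytes) -> None:
        self.rrsets[(owner, rtype)] = rdata
        self.rrsigs[(owner, rtype)] = sign(self.sk, owner.encode() + rtype.encode() + rdata)

    def delegate(self, child: "Zone") -> None:
        """Parent signs a DS record committing to the child's key."""
        self.publish(child.name, "DS", ds_digest(child.name, child.pk))


def validate(chain, owner: str, rtype: str, trust_anchor: bytes):
    """Walk root -> leaf; each zone's key must match the DS its parent signed."""
    expected_ds = trust_anchor
    for i, zone in enumerate(chain):
        if ds_digest(zone.name, zone.pk) != expected_ds:
            return False, f"DNSKEY of {zone.name} does not match the trusted DS"
        if i + 1 < len(chain):
            child = chain[i + 1]
            rdata = zone.rrsets.get((child.name, "DS"))
            sig = zone.rrsigs.get((child.name, "DS"))
            if rdata is None or not verify(zone.pk, child.name.encode() + b"DS" + rdata, sig):
                return False, f"DS for {child.name} in {zone.name} fails signature check"
            expected_ds = rdata
    leaf = chain[-1]
    rdata = leaf.rrsets.get((owner, rtype))
    sig = leaf.rrsigs.get((owner, rtype))
    if rdata is None or not verify(leaf.pk, owner.encode() + rtype.encode() + rdata, sig):
        return False, f"{rtype} record for {owner} fails signature check"
    return True, rdata


def build_world():
    root, com, example = Zone(".", *keygen()), Zone("com.", *keygen()), Zone("example.com.", *keygen())
    root.delegate(com)
    com.delegate(example)
    example.publish("www.example.com.", "A", b"192.0.2.10")   # constructed address
    return root, com, example


def honest_lookup():
    root, com, example = build_world()
    return validate([root, com, example], "www.example.com.", "A", ds_digest(root.name, root.pk))


def spoofed_zone_lookup():
    """Attacker-generated example.com key; .com's DS still names the real key."""
    root, com, _ = build_world()
    fake = Zone("example.com.", *keygen())
    fake.publish("www.example.com.", "A", b"203.0.113.66")
    return validate([root, com, fake], "www.example.com.", "A", ds_digest(root.name, root.pk))


def spoofed_com_lookup():
    """Attacker also forges .com with a matching DS; the root's DS still mismatches."""
    root, _, _ = build_world()
    fake_com, fake = Zone("com.", *keygen()), Zone("example.com.", *keygen())
    fake_com.delegate(fake)
    fake.publish("www.example.com.", "A", b"203.0.113.66")
    return validate([root, fake_com, fake], "www.example.com.", "A", ds_digest(root.name, root.pk))


if __name__ == "__main__":
    for f in (honest_lookup, spoofed_zone_lookup, spoofed_com_lookup):
        print(f.__name__, "->", f())
```

The honest lookup validates down to the A record; each spoofed chain is rejected at the first zone whose key does not match the DS signed above it, which is the "fake the whole tree up to the trust anchor" requirement the answer describes. A real validator would also check RRSIG validity windows, key tags and algorithm fields, which this model omits.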
This article explains it a bit. A quick snippet:
What is DNSSEC?
DNSSEC is a proposed Internet standard that modifies DNS resource records and protocols to provide security for query and response transactions made between domain name resolvers and nameservers. Specifically, the security DNSSEC provides includes:
Integrity verification: a DNS resolver can determine that information received from a nameserver has not been tampered with in transit
Source authentication: a DNS resolver can determine that the information received originated from an authoritative nameserver
Authenticated denial of existence: a DNS resolver can verify that a particular query is unresolvable because no DNS record actually exists on the authoritative nameserver