Which technology adds cryptographic signatures to DNS responses?

The correct answer is DNSSEC, which stands for Domain Name System Security Extensions. DNSSEC enhances the security of the DNS protocol by adding a layer of cryptographic signatures to DNS responses. This process ensures that the responses received by clients from DNS servers are authentic and have not been altered during transmission.

When a DNS query is made, DNSSEC allows for the signature of the DNS records. The client can then verify the signature using public keys associated with the specific domain. This verification process helps to combat various cybersecurity threats, such as DNS spoofing or cache poisoning, by providing assurance that the data comes from a legitimate source.

In contrast, DNSCurve is another technology aimed at securing DNS, but it focuses more on encrypting DNS packets rather than adding cryptographic signatures. TSIG, or Transaction Signature, is a protocol used to secure DNS messages between two parties using shared secrets; however, it is not primarily designed to secure DNS responses as a whole. NAT, or Network Address Translation, is a method used in networks to translate private IP addresses to a public one and does not deal with DNS security directly.

Thus, DNSSEC stands out as the specific technology that incorporates cryptographic signatures into DNS responses, making it the appropriate answer for this question.