Can someone please help?

DNSSEC does not "secure" queries.  It provides a mechanism to identify whether a response to a query that comes back from a DNS server (to your DNS server...not the client) is signed by the owner of the data. This effectively means that if you were to look up www.infoblox.com, you would know if the answer that you got came from an authorized source or whether the data may have been compromized (man in the middle attack, spoofed response, etc).

What do you mean such that you want to "secure the query"?  What problem are you trying to solve?

Well basically, we need to secure forward and receive DNS queries of to and from the zone. You answered how can we do that for receive DNS queries FROM the zone using DNSSEC. However any idea how can we do the forwarding DNS query securely?

Thanks,

Darshan

I'm still not entirely sure what you're trying to be able to do.  Please provide an example use case that covers both what you want and what you're trying to avoid.

As per our client requirement, they wants to secure only one forward zone. Can you please help me explaining the impact after enabling DNSSEC for Forward Zone?

Thanks Don,

So after enabling DNSSEC for Fowarding Zone, it can only accept replies from the servers which also DNSSEC implemented (or signed data), right? If the Forwarding Zone forwarding DNS query to non-DNSSEC servers, the forwarding would fail, right?

Hello Don,

Seek for your comment.

It depends on how you configure it. There are still a very large number of zones that are not signed so you can request checking signatures on those that are signed while ignoring validation on those that aren't...or you can reject everything that fails (including those not signed).

Is there a way to configure unsigned response and also signed? The preferred should be the signed one of course, but in case if it fails, request / response should not fail.

I know that wouldn't add any value of using DNSSEC, but we cannot affect the DNS operation by stop receiving unsigned data. The major reason is, .AE TLD is not yet signed. Any comments?

Cheers!

Darshan

When you set up DNSSEC validation you can specify that all responses are okay rather than signed reponses only. The entire configuration is in the same place.