Who decides if the query uses DNSSEC or not?

Authority
Posts: 19

Hi

Who decides if the query uses DNSSEC or not? Is it the client's browser or the resolver?

Kindly

Wasfi

Re: Who decides if the query uses DNSSEC or not?

Techie
Posts: 34

In short, the resolver.

The basic steps of DNSSEC resolution and validation go like this:

  1. First, the client requests an A record for example.com from its local validating recursive server.
  2. The validating recursive server follows the normal recursion path from root down to the authoritative servers of the zone for example.com.
  3. Next, the recursive server requests the A record from the authoritative server.
  4. The authoritative server answers with the A record and corresponding RRSIG A record for example.com.
  5. Then, the recursive server asks the example.com authoritative server for the DNSKEY record for the zone.
  6. The authoritative server for example.com returns the DNSKEY record and corresponding RRSIG DNSKEY record for example.com.
  7. Next, the recursive server asks .com for the DS record for example.com.
  8. The .com server responds with the DS record and corresponding RRSIG DS record for example.com.
  9. Then, the recursive server requests the DNSKEY record from the .com server.
  10. The .com server responds with the DNSKEY record and corresponding RRSIG DNSKEY record.
  11. Next, the recursive server requests the DS record of .com from the root servers.
  12. The root servers return the DS record and corresponding RRSIG DS record for .com.
  13. Then, the recursive server asks for the DNSKEY record for the root.
  14. The root server returns the DNSKEY record and the corresponding RRSIG DNSKEY record for the root.
  15. Finally, the recursive server uses the configured trust anchor to validate the DNSKEY record and corresponding RRSIG DNSKEY record for root. DNSSEC-aware resolvers have the necessary key for validating responses from root servers already built-in.

 

All of this happens on behalf of the client.
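
The DS lookups in steps 7-8 and 11-12 are what tie each zone's DNSKEY to its parent. As an added example (not part of the original post), this Python sketch performs the check a validating resolver makes at that link, following RFC 4034: the key tag, algorithm and SHA-256 digest in the DS must match the child's DNSKEY. The key bytes and record values are constructed sample data, and RRSIG signature verification is not covered here.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase labels, length-prefixed, root label last."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.lower().encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """True if the parent's DS record points at this exact child DNSKEY."""
    if ds["digest_type"] != 2:      # this example handles only SHA-256
        return False
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"].lower() == ds_digest(owner, rdata))

# Constructed sample data: a fake 64-byte key, not a real zone's key.
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))  # flags 257 = KSK, alg 13 = ECDSA P-256
# What the parent (.com) would publish for the child zone (steps 7-8).
DS = {"key_tag": key_tag(KSK), "algorithm": 13, "digest_type": 2,
      "digest": ds_digest("example.com.", KSK)}
# The same key with one byte changed, as a substituted key would appear.
FORGED = KSK[:-1] + b"\xff"

if __name__ == "__main__":
    print("key tag:", key_tag(KSK))
    print("genuine DNSKEY matches DS:", ds_matches(DS, "Example.COM", KSK))
    print("altered DNSKEY matches DS:", ds_matches(DS, "example.com.", FORGED))
```

A resolver that finds no DNSKEY matching the parent's DS treats the zone's answers as bogus and returns SERVFAIL to the client rather than the unvalidated data.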
