Reply
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
Who decides if the query uses DNSSEC or not?
Options
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-15-2023 04:59 AM
875     0
Hi
Who decides if the query uses DNSSEC or not? is it the client's browser or the resolver?
Kindly
Wasfi
Re: Who decides if the query uses DNSSEC or not?
Options
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-20-2024 09:19 AM
875     0
In short, the resolver.
The basic steps of DNSSEC resolution and validation go like this:
- First, the client requests an A record for example.com from its local validating recursive server.
- The validating recursive server follows the normal recursion path from root down to the authoritative servers of the zone for example.com.
- Next, the recursive server requests the A record from the authoritative server.
- The authoritative server answers with the A record and corresponding RRSIG A record for example.com.
- Then, the recursive server asks the example.com authoritative server for the DNSKEY record for the zone.
- The authoritative server for example.com returns the DNSKEY record and corresponding RRSIG DNSKEY record for example.com.
- Next, the recursive server asks .com for the DS record for example.com.
- The .com server responds with the DS record and corresponding RRSIG DS record for example.com.
- Then, the recursive server requests the DNSKEY record from the .com server.
- The .com server responds with the DNSKEY record and corresponding RRSIG DNSKEY record.
- Next, the recursive server requests the DS record of .com from the root servers.
- The root servers return the DS record and corresponding RRSIG DS record for .com.
- Then, the recursive server asks for the DNSKEY record for the root.
- The root server returns the DNSKEY record and the corresponding RRSIG DNSKEY record for the root.
- Finally, the recursive server uses the configured trust anchor to validate the DNSKEY record and corresponding RRSIG DNSKEY record for root. DNSSEC-aware resolvers have the necessary key for validating responses from root servers already built-in.
All of this happens on behalf of the client.
nic(at)infoblox.com