In short, the resolver.
The basic steps of DNSSEC resolution and validation go like this:
- First, the client requests an A record for example.com from its local validating recursive server.
- The validating recursive server follows the normal recursion path from root down to the authoritative servers of the zone for example.com.
- Next, the recursive server requests the A record from the authoritative server.
- The authoritative server answers with the A record and corresponding RRSIG A record for example.com.
- Then, the recursive server asks the example.com authoritative server for the DNSKEY record for the zone.
- The authoritative server for example.com returns the DNSKEY record and corresponding RRSIG DNSKEY record for example.com.
- Next, the recursive server asks .com for the DS record for example.com.
- The .com server responds with the DS record and corresponding RRSIG DS record for example.com.
- Then, the recursive server requests the DNSKEY record from the .com server.
- The .com server responds with the DNSKEY record and corresponding RRSIG DNSKEY record.
- Next, the recursive server requests the DS record of .com from the root servers.
- The root servers return the DS record and corresponding RRSIG DS record for .com.
- Then, the recursive server asks for the DNSKEY record for the root.
- The root server returns the DNSKEY record and the corresponding RRSIG DNSKEY record for the root.
- Finally, the recursive server uses the configured trust anchor to validate the DNSKEY record and corresponding RRSIG DNSKEY record for root. DNSSEC-aware resolvers have the necessary key for validating responses from root servers already built-in.
All of this happens on behalf of the client.
443 
0
