Your information was very helpful. Thx.


-----Original Message-----
From: [] On Behalf Of Alan Clegg
Sent: Thursday, August 28, 2008 7:42 AM
Subject: Re: Question about using DNSSEC

Mark A. Moore wrote:
> We will have to migrate to DNSSEC next year but have a quick question.
> When using DNSSEC, does it affect client machines that do normal nslookups
> against a BIND DNS server? When DNSSEC is configured, when is it used -
> only server to server communications? Been doing a lot of research and
> just trying to understand it a little more.

DNSSEC is an addition above and beyond the current DNS infrastructure.
You don't actually "migrate to" DNSSEC, you enable DNSSEC for your
zone(s) and enable DNSSEC validation on your recursive servers to
confirm that data that you get from other servers is also correct.

DNSSEC is the addition of digital signatures to your existing resource
record sets and won't change the way that any "non-DNSSEC" clients or
servers work.

What will change is the results that clients get when they send queries
to DNSSEC enabled validating recursive servers when they ask questions
that return signatures that don't match the returned RRsets.

These "changed results" mean that 1) the query has to be made to a
recursive server that is doing validation, 2) the returned answer comes
from a server that is providing DNSSEC-signed results AND 3) the result
is "bad"; having been spoofed, poisoned, corrupted in transit, OR having
an expired signature.

With DNSSEC, instead of the recursive server sending back "bad data", it
responds with a SERVFAIL result.

There's lots of good information over at

ISC welcomes you (and the rest of .gov) to the world of DNSSEC
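The SERVFAIL behaviour Alan describes above is what a client actually sees, and in practice the question is how to tell "the validating resolver refused to hand me bogus data" from "the zone is simply broken". The standard check is to repeat the query with dig's +cd (checking disabled) flag: a validation failure turns into a normal answer, while a genuinely broken zone still fails. The script below is an added example, not part of the original thread or ISC's own tooling; it parses the header lines dig prints and classifies the (plain, +cd) pair. The dig outputs embedded in it are constructed samples, not captured from a real server, and the diagnose_live helper, which runs the two real queries, assumes BIND 9's dig is installed and a validating resolver is reachable.

```shell
#!/usr/bin/env bash
# Added example: classify what a client sees from a DNSSEC-validating
# recursive server, using only the ";; ->>HEADER<<-" and ";; flags:" lines
# that dig prints. Not from the original mailing-list thread.

# Print the rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) found in dig output on stdin.
dig_rcode() {
  sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the AD (authenticated data) flag is set in the flags line on stdin.
dig_ad_set() {
  grep -q '^;; flags:[^;]* ad[ ;]'
}

# classify PLAIN_OUTPUT CD_OUTPUT
#   PLAIN_OUTPUT: dig output for the query as a normal client would send it
#   CD_OUTPUT:    dig output for the same query sent with +cd
# Prints one word describing what the validating resolver did.
classify() {
  plain="$1"
  cd="$2"
  r_plain=$(printf '%s\n' "$plain" | dig_rcode)
  r_cd=$(printf '%s\n' "$cd" | dig_rcode)
  if [ "$r_plain" = "NOERROR" ]; then
    if printf '%s\n' "$plain" | dig_ad_set; then
      echo "validated"          # signed zone, chain of trust verified: AD set
    else
      echo "unsigned"           # no chain of trust for this name: answered as before
    fi
  elif [ "$r_plain" = "SERVFAIL" ] && [ "$r_cd" = "NOERROR" ]; then
    echo "validation-failed"    # resolver withheld data it could not verify (bogus)
  else
    echo "other-failure:$r_plain" # fails with +cd too: lame/unreachable, not DNSSEC
  fi
}

# Run the two queries for real (needs network and a validating resolver).
# Usage: diagnose_live NAME [TYPE] [SERVER]      e.g. diagnose_live example.gov A 127.0.0.1
diagnose_live() {
  name="$1"
  type="${2:-A}"
  server="${3:-}"
  plain=$(dig ${server:+"@$server"} +dnssec "$name" "$type")
  cd=$(dig ${server:+"@$server"} +dnssec +cd "$name" "$type")
  classify "$plain" "$cd"
}

# Constructed sample dig headers (assumed, not captured from any real server).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2210
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2211
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Walk through the three situations the thread describes.
classify "$SAMPLE_VALIDATED" "$SAMPLE_VALIDATED"   # validated
classify "$SAMPLE_UNSIGNED" "$SAMPLE_UNSIGNED"     # unsigned
classify "$SAMPLE_SERVFAIL" "$SAMPLE_CD_OK"        # validation-failed
classify "$SAMPLE_SERVFAIL" "$SAMPLE_SERVFAIL"     # other-failure:SERVFAIL
```

Note that "validation-failed" also covers an expired signature, which is the failure mode operators most often cause themselves after signing: a validating resolver treats a stale RRSIG exactly like a forged one, so the same SERVFAIL shows up until the zone is re-signed.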