Confused About How DNSSEC Works

wswartzendruber · Posted: Sat Jan 21, 2012 4:25 pm Post subject: Confused About How DNSSEC Works

I've got my own router (tower machine) running BIND 9. I want to get familiar with DNSSEC, but want to first know what's actually happening. From what I gather, it uses public key authentication for signing. But I can't figure out what gets signed. Is it each individual record, a whole zone, or what? I've also read that the root zone (everything) has recently been signed. Wouldn't this require downloading every DNS record from the root resolvers just to authenticate a single lookup?

I'm so lost...

EDIT: Or perhaps authentication occurs at each level of propagation. It seems reasonable that Comcast's DNSSEC-enabled resolvers my have signed individual records themselves during transfer, and that I need to download their public key somehow.

massimo · Veteran Joined: 22 Jun 2003 Posts: 1226

[1] will help you for starters.

[1] http://www.nlnetlabs.nl/publications/dnssec_howto/
_________________
Hello 911? How are you?