wswartzendruber Veteran
Joined: 23 Mar 2004 Posts: 1261 Location: Idaho, USA
Posted: Sat Jan 21, 2012 4:25 pm Post subject: Confused About How DNSSEC Works
I've got my own router (tower machine) running BIND 9. I want to get familiar with DNSSEC, but want to first know what's actually happening. From what I gather, it uses public key authentication for signing. But I can't figure out what gets signed. Is it each individual record, a whole zone, or what? I've also read that the root zone (everything) has recently been signed. Wouldn't this require downloading every DNS record from the root resolvers just to authenticate a single lookup?
I'm so lost...
EDIT: Or perhaps authentication occurs at each level of propagation. It seems reasonable that Comcast's DNSSEC-enabled resolvers may have signed individual records themselves during transfer, and that I need to download their public key somehow.