Mark A. Moore wrote:
> We will have to migrate to DNSSEC next year but have a quick question.
> When using DNSSEC, does it affect client machines who do normal nslookups
> against a BIND DNS server? When DNSSEC is configured, when is it used -
> only server to server communications? Been doing a lot of research and
> just trying to understand it a little more.
DNSSEC is an addition above and beyond the current DNS infrastructure. You don't actually "migrate to" DNSSEC, you enable DNSSEC for your zone(s) and enable DNSSEC validation on your recursive servers to confirm that data that you get from other servers is also correct.

DNSSEC is the addition of digital signatures to your existing resource record sets and won't change the way that any "non-DNSSEC" clients or servers work. What will change is the results that clients get when they send queries to DNSSEC-enabled validating recursive servers when they ask questions that return signatures that don't match the returned RRsets.

These "changed results" mean that 1) the query has to be made to a recursive server that is doing validation, 2) the returned answer comes from a server that is providing DNSSEC-signed results, AND 3) the result is "bad"; having been spoofed, poisoned, corrupted in transit, OR having an expired signature.

With DNSSEC, instead of the recursive server sending back "bad data", it responds with a SERVFAIL result.

There's lots of good information over at http://www.dnssec.net/

ISC welcomes you (and the rest of .gov) to the world of DNSSEC :)

AlanC
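As an added example (not part of the thread above), here is a small POSIX shell helper that shows what the reply describes from the client's side: a stub client pointed at a validating resolver sees either a normal answer with the "ad" (authenticated data) flag set, a normal answer without "ad" (resolver not validating, or zone unsigned), or SERVFAIL when validation fails. It classifies the header of a `dig +dnssec` reply and uses constructed sample output so it runs offline; `check_name` is a hypothetical wrapper that runs a live query. The `dig` flags used (`+dnssec`, `+cd`, `@server`) are standard; `+cd` (checking disabled) is the way to retrieve the data that a SERVFAIL is hiding from you when troubleshooting.

```shell
#!/bin/sh
# Added example, not from the original post or from BIND/ISC.
# Classify what a client sees from a validating resolver based on the
# header of a `dig +dnssec` reply:
#   validated   -> status NOERROR and the "ad" flag set
#   servfail    -> status SERVFAIL (bogus/expired/spoofed data rejected)
#   unvalidated -> status NOERROR without "ad" (no validation, or zone unsigned)

classify_dig_output() {
    # Reads dig output on stdin and prints one of the words above.
    out=$(cat)
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*$/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" \
        | sed -n 's/^;; flags: \([a-z ]*\);.*$/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo servfail ;;
        NOERROR)
            # "ad" is one token among qr/aa/tc/rd/ra/ad/cd; match it whole.
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        "")       echo no-header ;;
        *)        echo "other:$status" ;;
    esac
}

check_name() {
    # Hypothetical live wrapper: check_name <name> [<resolver-ip>]
    # Second call adds +cd so the (possibly bogus) data can still be inspected.
    name=$1
    server=${2:+@$2}
    dig +dnssec $server "$name" A | classify_dig_output
    [ "$(dig +dnssec $server "$name" A | classify_dig_output)" = servfail ] \
        && dig +dnssec +cd $server "$name" A
}

# Constructed sample headers (the only lines the classifier looks at).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Stand-alone demo over the constructed samples.
for s in "$SAMPLE_VALIDATED" "$SAMPLE_UNVALIDATED" "$SAMPLE_SERVFAIL"; do
    printf '%s\n' "$s" | classify_dig_output
done
```

Pointing `check_name` at a resolver that does not validate will never return `servfail` for a broken zone; it will hand back the bad data with `unvalidated`, which is exactly the difference the reply above is describing.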