On Feb 14 2012, Gaurav kansal wrote:
We have a Authenticated Response in DNSSEC through trust chain.
Now my question is why we itself need a NSEC when we get response from
DNSSEC enabled server authentically.
Means, if a Record exist in DNSSEC, then it replies the answer along with
RRSIG of that RR.
AND if domain doesn't exist, then it can simply give NXDOMAIN and our job
will be done as we trust that nameserver through trust chain.
So what's the need of NSEC??????
I think what you have failed to understand here is that there is no idea
in DNSSEC of "trusting a nameserver". The security functions end-to-end,
between the zone administrator (she who generates its contents and signs
it) and the validator, not point-to-point.
--
Chris Thompson
Email: c...@cam.ac.uk
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
