All client resolvers support DNSSEC compatible queries ???

Carsten Strotmann cas at strotmann.de
Thu Apr 24 09:46:13 UTC 2014


Hello Jeronimo,

"Jeronimo L. Cabral" <jelocabral at gmail.com> writes:

> Dear, we have several hosts in our LAN that ask our BIND DNS: Debian,
> Windows 7, Red Hat and CentOS.
>
> If we implement DNSSEC validation support in our BIND9 server...how
> can I know if our hosts' resolvers are compatible with DNSSEC queries
> ???
>

Client host resolvers are usually not DNSSEC aware today. Certain
applications (browsers with a DNSSEC validator plugin, the postfix MTA, ...)
running on a client can be DNSSEC aware.

You can enable DNSSEC validation support on a BIND 9 caching server that
is used as a resolver by your clients. BIND 9 9.9.x already comes with
DNSSEC validation enabled, for older versions you need to enable it
manually in the configuration.

Legacy (non-DNSSEC-aware) clients will send just regular DNS queries
towards the BIND 9 caching resolver. BIND 9 will send queries with the
"DO" flag (DNSSEC OK) towards the authoritative DNS server in the
network. For DNSSEC-signed zones, BIND 9 will validate the DNSSEC
data. If the data validates without issues, the data is returned to
the client as normal DNS (no DNSSEC). If the data fails to validate, the
bad data is not sent to the clients; instead a "SERVFAIL" error message
is sent to the client.

DNSSEC is backwards compatible in the sense that you can enable DNSSEC
validation without the need to make changes to legacy clients.

Windows 7 and Windows 8 clients can build a special trust relationship
with an AD-integrated Windows DNS Server to secure the "last mile"
between the client and the resolving DNS cache. However, to my knowledge
this is not possible with Windows and a BIND 9 DNS.

Best regards

Carsten


More information about the bind-users mailing list