DNS signature verification (for BIND 9.2.3)

Jim Reid jim at rfc1035.com
Thu Jul 1 17:23:28 UTC 2004


>>>>> "nishant" == nishant  <nishant80 at gmail.com> writes:

    nishant> I have read that: when a query is issued with DNSSEC
    nishant> option enabled, the response obtained is found to have a
    nishant> SIG record and a KEY record. These records are used to
    nishant> authenticate the sender by decrypting the SIG record.

Not quite. The record types are now called DNSKEY and RRSIG in the
latest DNSSEC drafts. You'll find them on the IETF web site. And
there's no encryption or decryption going on. Resource records are
signed using public key crypto and a DNSSEC-aware client should be
able to validate those signatures.

    nishant> The query is: how is this done? And where in code can I
    nishant> find the encryption and decryption being done for the
    nishant> same?

dnssec-signzone generates a signed version of a zone. In BIND9,
validation of these signatures is done using the openssl crypto code.
The guts of the DNSSEC validation code are in lib/dns/validator.c.

There was a discussion about how to set up DNSSEC on this list a few
weeks ago. I recommend you check the list archives for more info and
pointers to websites that may help you.
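As an added illustration, not taken from this post or from BIND's own sources: the signer/validator split described above, in Go, using the RFC 4034 rules for the data an RRSIG covers (canonical names, RDATA ordering, original TTL) and an RSA/SHA-256 signature checked against the public key. The key pair, key tag, timestamps and the www.example.com A RRset are all constructed for the demo; a real validator would additionally check the RRSIG validity window and chain the DNSKEY to a trust anchor.

```go
package main
import ("bytes"; "crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"; "encoding/binary"; "fmt"; "sort"; "strings")
// RR is one A record (type 1, class IN) of the RRset; its TTL comes from the RRSIG's original TTL field.
type RR struct{ Name string; Addr [4]byte }
// RRSIG holds the RRSIG RDATA fields that precede the signature (RFC 4034 section 3.1).
type RRSIG struct{ TypeCovered, KeyTag uint16; Algorithm, Labels uint8; OrigTTL, Expiration, Inception uint32; SignerName string }
// wireName gives the canonical wire form of a fully qualified name: lowercase, length-prefixed labels; the empty label after the trailing dot becomes the root label.
func wireName(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.ToLower(name), ".") {
		b = append(append(b, byte(len(l))), l...)
	}
	return b
}
// signedData is what the signature covers (RFC 4034 section 3.1.8.1): RRSIG RDATA minus the signature field, then every RR in canonical form and canonical (RDATA) order, TTL replaced by the original TTL.
func signedData(sig RRSIG, rrs []RR) []byte {
	buf := new(bytes.Buffer)
	put := func(v interface{}) { binary.Write(buf, binary.BigEndian, v) }
	put(sig.TypeCovered); put(sig.Algorithm); put(sig.Labels); put(sig.OrigTTL)
	put(sig.Expiration); put(sig.Inception); put(sig.KeyTag); buf.Write(wireName(sig.SignerName))
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i].Addr[:], sorted[j].Addr[:]) < 0 })
	for _, rr := range sorted {
		buf.Write(wireName(rr.Name))
		put(uint16(1)); put(uint16(1)); put(sig.OrigTTL); put(uint16(4)) // type A, class IN, TTL, RDLENGTH
		buf.Write(rr.Addr[:])
	}
	return buf.Bytes()
}
func digest(sig RRSIG, rrs []RR) []byte { h := sha256.Sum256(signedData(sig, rrs)); return h[:] }
// SignRRset is the signer's side (what dnssec-signzone does per RRset): RSA/SHA-256, DNSSEC algorithm 8.
func SignRRset(priv *rsa.PrivateKey, sig RRSIG, rrs []RR) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(sig, rrs))
}
// VerifyRRset is the validator's side: rebuild the signed data and check the signature with the DNSKEY public key. Nothing is decrypted; any change to the RRset or RRSIG fields makes this fail.
func VerifyRRset(pub *rsa.PublicKey, sig RRSIG, rrs []RR, signature []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(sig, rrs), signature) == nil
}
// Demo signs a constructed www.example.com A RRset, validates it, then validates a tampered copy.
func Demo() (genuineOK, tamperedOK bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the zone's DNSKEY key pair (constructed)
	if err != nil { panic(err) }
	sig := RRSIG{TypeCovered: 1, Algorithm: 8, Labels: 3, OrigTTL: 3600, Expiration: 1090000000, Inception: 1088000000, KeyTag: 12345, SignerName: "example.com."} // key tag and times are made up
	rrs := []RR{{"www.example.com.", [4]byte{192, 0, 2, 2}}, {"www.example.com.", [4]byte{192, 0, 2, 1}}} // deliberately out of canonical order
	signature, err := SignRRset(priv, sig, rrs)
	if err != nil { panic(err) }
	tampered := []RR{rrs[0], {"www.example.com.", [4]byte{198, 51, 100, 1}}} // one address altered in transit
	return VerifyRRset(&priv.PublicKey, sig, rrs, signature), VerifyRRset(&priv.PublicKey, sig, tampered, signature)
}
func main() { fmt.Println(Demo()) }
```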