Query Regarding NSEC RR in DNSSEC
Chris Thompson
cet1 at cam.ac.uk
Wed Feb 15 16:14:33 UTC 2012
On Feb 14 2012, Gaurav kansal wrote:
>We have an Authenticated Response in DNSSEC through trust chain.
>
>Now my question is why we itself need an NSEC when we get a response from
>DNSSEC enabled server authentically.
>
>Means, if a Record exists in DNSSEC, then it replies the answer along with
>RRSIG of that RR.
>
>AND if domain doesn't exist, then it can simply give NXDOMAIN and our job
>will be done as we trust that nameserver through trust chain.
>
>So what's the need of NSEC??????

I think what you have failed to understand here is that there is no idea
in DNSSEC of "trusting a nameserver". The security functions end-to-end,
between the zone administrator (she who generates its contents and signs
it) and the validator, not point-to-point.
--
Chris Thompson
Email: cet1 at cam.ac.uk
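
An added example, not part of the original message: because validation runs from the zone signer to the validator, a denial has to arrive as signed zone data, and an NSEC record is that data, naming two adjacent owner names with nothing in between. The sketch below performs only the name-coverage check on such records. It assumes their RRSIGs were already verified and that wildcard denial is handled elsewhere; the zone contents and function names are constructed for illustration.

```python
# Added example (not from the thread): the name-coverage test a validator
# runs on an NSEC record. Canonical ordering follows RFC 4034, section 6.1.
# Assumption: plain ASCII names without \DDD escapes.

def canonical_key(name):
    """Labels lowercased, compared from the rightmost label leftwards."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def in_zone(apex, name):
    a, q = canonical_key(apex), canonical_key(name)
    return q[:len(a)] == a

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly inside the gap owner -> next_name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    # Last NSEC of the zone: its "next" field wraps back to the apex.
    return q > o

def covering_nsec(apex, chain, qname):
    """Return the (owner, next) pair proving qname is absent, else None."""
    if not in_zone(apex, qname):
        return None
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None

# Constructed sample zone: four names, so four NSEC records in a ring.
APEX = "example.com"
CHAIN = [
    ("example.com", "alpha.example.com"),
    ("alpha.example.com", "mail.example.com"),
    ("mail.example.com", "www.example.com"),
    ("www.example.com", "example.com"),
]

if __name__ == "__main__":
    for q in ("ftp.example.com", "zzz.example.com", "mail.example.com"):
        print(q, "->", covering_nsec(APEX, CHAIN, q))
```

A result of `None` means no record in the chain proves absence, which is the case for a name that exists (here `mail.example.com`) or one outside the zone.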