dig +dnssec option

Jim Reid jim at rfc1035.com
Tue Oct 12 16:02:04 UTC 2004

>>>>> "Jeff" == Jeff Stevens <jstevens at vnet.ibm.com> writes:

    Jeff> It is not obvious to me that DNSSEC needs EDNS as there is
    Jeff> no mention of EDNS in the DNSSEC RFC2535.  Is there some
    Jeff> reason the EDNS feature gets used by calling out the +dnssec
    Jeff> option? 

The +dnssec option to dig tells it to set the DO (DNSSEC OK) bit which
is in the EDNS0 OPT header. The DO bit is used to tell a server that
the client is DNSSEC-aware and, by implication, is willing to receive
DNSSEC RRtypes. RFC3225 -- Indicating Resolver Support of DNSSEC --
documents this.

DNSSEC-signed responses are *much* bigger than conventional DNS
replies because of the extra (and large) RR types that get returned:
RRSIGs, NSECs, DNSKEYs. These records and their associated data mean
the 512 byte limit on "normal" UDP replies is easily exceeded. So
rather than send truncated responses which result in retried queries
over TCP, it's best to use EDNS0. Clients can then tell the server
that they're able and willing to accept UDP replies bigger than 512
bytes. This is a Big Win for everyone. Most, if not all, clients that
are DNSSEC-aware will support EDNS0 anyway.

More information about the bind-users mailing list