Query Regarding NSEC RR in DNSSEC

Spain, Dr. Jeffry A. spainj at countryday.net
Tue Feb 14 18:31:45 UTC 2012

> We have an authenticated response in DNSSEC through the trust chain.
> Now my question is why we need an NSEC at all when we get a response authentically from a DNSSEC-enabled server.

> Meaning, if a record exists in DNSSEC, then it replies with the answer along with the RRSIG of that RR.
> And if the domain doesn't exist, then it can simply give NXDOMAIN and our job will be done, as we trust that nameserver through the trust chain.
> So what's the need for NSEC?

Be sure you are not confusing the roles of your stub resolver and the recursive resolver to which it is sending its queries. The recursive resolver needs to analyze DNSSEC data that it gets from various authoritative servers and from its cache. These include DS, DNSKEY, RRSIG, and NSEC records. It then returns an answer to your stub resolver with the AD flag if DNSSEC validation succeeds, or an NXDOMAIN response if DNSSEC validation fails. Your stub resolver doesn't need to see any of the DNSSEC records used in the validation process, but the recursive resolver can't do without them for purposes of DNSSEC validation.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
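To make the reply concrete, here is an added example (not part of the original post, and not BIND's own validator code) of the check a validating recursive resolver performs with NSEC records before it will believe a negative answer: an NXDOMAIN is only accepted when a signed NSEC record covers the queried name in DNSSEC canonical order (RFC 4034 section 6.1) and another covers the wildcard at the closest encloser (RFC 4035 section 5.4). The NSEC chain for example.com. below is constructed for illustration, and the code assumes the RRSIG over each NSEC has already been verified, which it does not do itself.

```python
"""Authenticated denial of existence with NSEC (RFC 4034 s6.1, RFC 4035 s5.4).

Added example. Assumes the recursive resolver has already validated the RRSIGs
over the NSEC records; only the covering and wildcard checks are shown here.
"""

from typing import List, Optional, Tuple

# An NSEC RR as (owner name, next owner name in canonical order, owner's type bitmap).
NSEC = Tuple[str, str, frozenset]


def labels(name: str) -> List[str]:
    """Split a dotted name into lowercased labels, root label dropped."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key for DNSSEC canonical ordering: labels compared right to left,
    case-insensitively as unsigned bytes; a proper ancestor sorts first."""
    return tuple(l.encode("ascii") for l in reversed(labels(name)))


def nsec_covers(nsec: NSEC, qname: str) -> bool:
    """True if qname falls strictly between owner and next (RFC 4035 s5.4)."""
    owner, nxt, _ = nsec
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:                      # ordinary link in the chain
        return o < q < n
    if o == n:                     # zone with a single name: covers everything else
        return q != o
    return q > o or q < n          # last link wraps around to the zone apex


def closest_encloser(nsec: NSEC, qname: str) -> str:
    """Longest ancestor of qname that the covering NSEC proves to exist: the
    longer common suffix of qname with the NSEC owner or next name."""
    q = list(reversed(labels(qname)))
    best: List[str] = []
    for cand in (nsec[0], nsec[1]):
        c = list(reversed(labels(cand)))
        i = 0
        while i < len(q) and i < len(c) and q[i] == c[i]:
            i += 1
        if i > len(best):
            best = q[:i]
    return ".".join(reversed(best)) + "."


def find_covering(chain: List[NSEC], qname: str) -> Optional[NSEC]:
    """Return the NSEC in the chain that covers qname, if any."""
    for rr in chain:
        if nsec_covers(rr, qname):
            return rr
    return None


def proves_nxdomain(chain: List[NSEC], qname: str) -> bool:
    """NXDOMAIN is proven when a validated NSEC covers qname and an NSEC also
    covers the wildcard at the closest encloser (no wildcard could synthesize it)."""
    cover = find_covering(chain, qname)
    if cover is None:
        return False               # name exists, or the server sent no usable proof
    wildcard = "*." + closest_encloser(cover, qname)
    return find_covering(chain, wildcard) is not None


def proves_nodata(chain: List[NSEC], qname: str, qtype: str) -> bool:
    """NODATA (name exists, type does not) is proven by the NSEC whose owner is
    qname and whose type bitmap omits qtype."""
    q = canonical_key(qname)
    for owner, _, types in chain:
        if canonical_key(owner) == q:
            return qtype.upper() not in types
    return False


# Constructed NSEC chain for a hypothetical signed zone example.com. (not real data).
ZONE_CHAIN: List[NSEC] = [
    ("example.com.",      "a.example.com.",    frozenset({"SOA", "NS", "RRSIG", "NSEC", "DNSKEY"})),
    ("a.example.com.",    "mail.example.com.", frozenset({"A", "RRSIG", "NSEC"})),
    ("mail.example.com.", "www.example.com.",  frozenset({"A", "MX", "RRSIG", "NSEC"})),
    ("www.example.com.",  "example.com.",      frozenset({"A", "AAAA", "RRSIG", "NSEC"})),
]


if __name__ == "__main__":
    for name in ("b.example.com.", "zzz.example.com.", "x.mail.example.com.", "www.example.com."):
        print(name, "NXDOMAIN proven:", proves_nxdomain(ZONE_CHAIN, name))
    print("www.example.com. MX NODATA proven:", proves_nodata(ZONE_CHAIN, "www.example.com.", "MX"))
```

The last query is the point of the exercise: a forged NXDOMAIN for www.example.com. cannot be backed by any signed NSEC, because every link in the chain either has that name as its owner or does not span it, so the validator rejects the denial. Without NSEC the resolver would have nothing signed to check a negative answer against, since there is no RR to put an RRSIG on. Note that when validation fails, a validating resolver such as BIND answers the stub with SERVFAIL rather than NXDOMAIN; NXDOMAIN is passed on only when the denial itself has been proven as above.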

More information about the bind-users mailing list