> We have an Authenticated Response in DNSSEC through the trust chain.
> Now my question is why we need NSEC itself when we get a response from a 
> DNSSEC-enabled server authentically.

> Means, if a record exists in DNSSEC, then it replies with the answer along 
> with the RRSIG of that RR. 
> And if the domain doesn't exist, then it can simply give NXDOMAIN and our job 
> will be done, as we trust that nameserver through the trust chain.
> So what's the need of NSEC??????

Be sure you are not confusing the roles of your stub resolver and the recursive 
resolver to which it is sending its queries. The recursive resolver needs to 
analyze DNSSEC data that it gets from various authoritative servers and from 
its cache. These include DS, DNSKEY, RRSIG, and NSEC records. It then returns 
an answer to your stub resolver with the AD flag if DNSSEC validation succeeds, 
or an NXDOMAIN response if DNSSEC validation fails. Your stub resolver doesn't 
need to see any of the DNSSEC records used in the validation process, but the 
recursive resolver can't do without them for purposes of DNSSEC validation.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
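
What a validating recursive resolver does with an NSEC record, as an added example that is not part of either message above: it checks that the queried name falls in the gap between the NSEC owner name and its "next" name in canonical order (RFC 4034, section 6.1). The zone data and function names are constructed for illustration; verifying the RRSIG over each NSEC and the wildcard check that a full validator also performs are left out.

```python
# Added example: NSEC "covering" check using RFC 4034 canonical name order.
# All zone data below is constructed; function names are hypothetical.

def canonical_key(name):
    """Sort key for canonical DNS name order: labels are compared right to
    left, case-insensitively, as raw bytes (RFC 4034 section 6.1)."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly inside the gap (owner, next_name), so the
    signed NSEC proves qname does not exist. Assumes qname is in the zone."""
    o = canonical_key(owner)
    n = canonical_key(next_name)
    q = canonical_key(qname)
    if o < n:
        return o < q < n
    # Last NSEC of the zone: its next name wraps around to the apex.
    return q > o or q < n

def find_denial(qname, nsec_records):
    """Return the (owner, next_name) pair that denies qname, or None when no
    record covers it (the name exists, or the proof is missing)."""
    for owner, next_name in nsec_records:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None

# Constructed NSEC chain for a hypothetical zone example.com.
CHAIN = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "mail.example.com."),
    ("mail.example.com.", "www.example.com."),
    ("www.example.com.", "example.com."),  # wraps back to the apex
]

if __name__ == "__main__":
    for q in ("ftp.example.com.", "zzz.example.com.", "MAIL.example.com."):
        print(q, "->", find_denial(q, CHAIN))
```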