How many additional DNS queries are needed when DNSSEC integrity checks are added?
When DNSSEC (Domain Name System Security Extensions) integrity checks are added, additional DNS queries are needed to fetch DNSKEY and DS records that are necessary to verify the authenticity and integrity of DNS data. Typically, two extra queries are required: one for the DNSKEY record, which contains the public key necessary to verify the digital signature, and one for the DS (Delegation Signer) record, which links the DNSKEY record in a child zone to a DS record in the parent zone. Therefore, two additional DNS queries are needed.
When DNSSEC integrity checks are added, an additional two DNS queries are needed. DNSSEC (Domain Name System Security Extensions) is a set of security extensions to the Domain Name System (DNS) that provide authentication and integrity for DNS data. When DNSSEC is used, additional DNS queries are needed in order to verify the authenticity and integrity of DNS records. This involves querying additional DNS resource records, such as the DNSKEY and DS records, which are used to verify the digital signatures on DNS data. As a result, two additional DNS queries are typically needed when DNSSEC is used, in addition to the initial query for the DNS data itself.
Correct me if I'm wrong, but with DNSSEC the recursive DNS has to query public keys to verify the signature, right? So, zero from a client point of view (only one query to his recursive DNS server), but many if you count all the needed queries.
B. Zero
Answer is C. One.
One. DNSSEC adds an extra DNS query to fetch the digital signatures necessary for verifying the authenticity and integrity of the DNS data.
DNSSEC is designed so that the extra security-related records (such as RRSIG, DNSKEY, and DS) are returned alongside the standard DNS responses. This integration means that the resolver does not need to issue any additional DNS queries beyond the original request.
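An added example, not part of any comment above: a small offline model of the chain-of-trust walk a validating recursive resolver performs, listing the DNSKEY and DS lookups it sends beyond the original query and how caching changes that count. The zone names, the `SIGNED_ZONES` set and the function names are constructed for illustration; RRSIG records are not counted because they arrive inside each answer when the query sets the DO bit.

```python
# Constructed model of DNSSEC validation lookups; no network access is made.
# Assumption: every zone in SIGNED_ZONES is signed and has a DS in its parent.
SIGNED_ZONES = {".", "com.", "example.com.", "org.", "example.org."}

def zone_cuts(qname, zones):
    """Return the signed zones enclosing qname, closest zone first, root last."""
    labels = qname.rstrip(".").split(".")
    candidates = [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]
    return [z for z in candidates if z in zones]

def validation_queries(qname, zones, cache):
    """List the (owner, type) lookups a validating resolver sends upstream
    in addition to the original query for qname, updating the cache."""
    extra = []
    for zone in zone_cuts(qname, zones):
        needed = [(zone, "DNSKEY")]      # key that verifies the zone's RRSIGs
        if zone != ".":
            # DS lives in the parent zone and vouches for the child's DNSKEY.
            # The root has no parent: its DNSKEY is checked against the
            # locally configured trust anchor instead.
            needed.append((zone, "DS"))
        for rr in needed:
            if rr not in cache:          # cached records cost no new query
                extra.append(rr)
                cache.add(rr)
    return extra

if __name__ == "__main__":
    cache = set()
    for name in ("www.example.com", "mail.example.com", "www.example.org"):
        extra = validation_queries(name, SIGNED_ZONES, cache)
        print(f"{name}: {len(extra)} extra upstream lookups {extra}")
    # A stub client behind this resolver still sends a single query per name;
    # all lookups listed here are made by the recursive resolver.
```
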