DNSSEC Components

DNSSEC relies on signed zones: a signed zone is one whose records are signed as defined in RFC 4035. A signed zone contains one or more of the new DNSSEC record types (DNSKEY, NSEC, RRSIG, and DS), which allow resolvers to validate DNS data.

The Zone Signing Key (ZSK) is the key used to sign the zone, essentially a public and private key combination stored in a certificate. The Key Signing Key (KSK) is the key used to sign the ZSK so that the ZSK itself can be validated; it is likewise a public and private key combination.

The DNSKEY record is a DNSSEC record type used to store a public key. The KSK and the ZSK public keys are stored in the DNSKEY records to allow the zone signatures to be validated.
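As an added example (not from the book), the following Python code shows how the pieces above fit together on the wire: it parses a DNSKEY record, tells a KSK from a ZSK by its flags, computes the RFC 4034 key tag, and derives the DS record that the parent zone publishes to vouch for the child's KSK. The owner name `example.` and the key material `AQID` are constructed placeholders, not real key data.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY in presentation format (flags protocol algorithm base64-key).
# The key material "AQID" is a placeholder, not a real RSA key.
SAMPLE_DNSKEY = "257 3 8 AQID"
SAMPLE_OWNER = "example."

def parse_dnskey(text):
    """Split a DNSKEY presentation string into (flags, protocol, algorithm, pubkey_bytes)."""
    flags, proto, alg, b64 = text.split(None, 3)
    return int(flags), int(proto), int(alg), base64.b64decode("".join(b64.split()))

def dnskey_rdata(flags, proto, alg, pubkey):
    """RFC 4034 section 2.1 wire-format RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey

def is_ksk(flags):
    """Bit 7 (0x100) marks a zone key; bit 15 (0x001, SEP) is set on KSKs by convention."""
    return bool(flags & 0x100) and bool(flags & 0x001)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with the carry folded back in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical wire form of the owner name: lowercase labels, length-prefixed, root terminator."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(owner, dnskey_text):
    """Compute the DS RDATA (key tag, algorithm, digest type 2 = SHA-256, digest) for a DNSKEY."""
    flags, proto, alg, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": alg, "digest_type": 2, "digest": digest}

def ds_matches(owner, dnskey_text, ds):
    """Check that a DS published in the parent zone matches the child's DNSKEY."""
    return ds_from_dnskey(owner, dnskey_text) == ds

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
```

A DS that fails `ds_matches` after a KSK rollover is the classic cause of a zone going bogus at validating resolvers, so this check belongs in any rollover runbook.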

The Next ...
