Understanding DNSSEC
DNSSEC supplements the hierarchical nature of the DNS with cryptographic characteristics that make it possible to verify the authenticity of information stored in the DNS. This validation makes it possible for resolvers to be assured that when they request a particular piece of information from the DNS, that they do in fact receive the correct information as published by the authoritative source.
This assurance is made possible using cryptographic signatures included in the DNS by a source organization. These signatures are calculated on a complete Resource Record set, not individual Resource Records. The signatures are published in a DNSSEC-specific resource record type called RRSIG. For example, setting aside the requisite infrastructure, by publishing the signature for an A record, the source organization makes it possible for resolvers on the Internet to verify that the A record contains authentic data and is correct as published. A DNS server is only signing data for which it is authoritative, for example, the DNS server does not sign NS records that delegate subdomains from its zone.
A client computer with an embedded stub resolver sets the DNSSEC OK (DO) bit to 1 in outbound queries when it wants to use DNSSEC to verify the authenticity of DNS information. When a DNSSEC enabled DNS server receives a query with DO=1, it uses locally stored or received RRSIG records to cryptographically verify the authenticity of the DNS information. The verification result is communicated to the stub resolver using the Authenticated Data (AD) bit in the DNS response; where AD=1 indicates the DNS data is authentic, and AD=0 indicates that DNSSEC verification failed.
Difference between DNS and DNSSEC
From a network perspective, DNS and DNSSEC are very similar. DNSSEC requires an expanded set of DNS capabilities, and while DNS may have worked without them, DNSSEC will not.
For example, DNSSEC message sizes will be larger than DNS messages without DNSSEC, and that is managed with the help of the EDNS. This is simply the result of additional information being contained within the DNS responses. Without DNSSEC, DNS packets are typically less than 512 bytes in length. With DNSSEC, many DNS packets will exceed 512 bytes and may approach 4096 bytes. Additionally, end-to-end EDNS must be supported to carry the DO, AD, and other DNSSEC-specific header flags.
Because of the increased packet size, DNS with DNSSEC may use TCP more often then DNS without DNSSEC.
Potential Networking Challenges with DNSSEC Deployment
The networking-specific challenges from DNSSEC are largely the result of the differences mentioned previously: increased packet sizes, EDNS requirements and the more frequent use of TCP. Many firewall devices incorrectly limit DNS responses to 512 and prohibit DNS over TCP. These challenges and potential remedies are described in the next section of this document.
https://tools.cisco.com/security/center/resources/dnssec_best_practices
In my opinion, in addition to DNSSEC validation, a good DNS server must provide EDNS, QNAME MINIMIZATION, and recursion options. So far unbound is the solution that most supports dnssec. Projects such as OpenWRT, DD-WRT, PFSense, OPNSense are already advanced in this regard.
