This document describes how the DNS security extensions use public
key cryptography to sign and authenticate DNS resource record sets.
Please see [RFC4033] for terminology and general security
considerations related to DNSSEC; see [RFC4034] for considerations
specific to the DNSSEC resource record types.

An active attacker who can set the CD bit in a DNS query message or
the AD bit in a DNS response message can use these bits to defeat the
protection that DNSSEC attempts to provide to security-oblivious
recursive-mode resolvers. For this reason, use of these control bits
by a security-aware recursive-mode resolver requires a secure
channel. See Sections 3.2.2 and 4.9 for further discussion.

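The following Python example is added here and is not part of this document. It makes the paragraph above concrete: it parses the fixed 12-byte DNS header, shows that the AD and CD bits live in a flags word that DNSSEC signatures do not cover (so a party who can rewrite two bytes of the message controls them), and encodes the two policies the paragraph calls for: a stub resolver that trusts AD only when the response arrived over a secure channel, and a recursive resolver that honours CD only when the query arrived over one. Whether a channel is secure is passed in as a boolean (`channel_secure`); the function names and the sample headers are constructed for this example.

```python
import struct

# Bit masks for the 16-bit flags word of the DNS message header
# (RFC 1035 layout; AD and CD are the two bits DNSSEC added).
QR = 0x8000  # 1 = response, 0 = query
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authenticated data: resolver asserts it validated the answer
CD = 0x0010  # checking disabled: client asks the resolver not to validate
RCODE_MASK = 0x000F

# ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all big-endian 16-bit)
HEADER = struct.Struct("!HHHHHH")


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message into its fields."""
    if len(msg) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "flags": flags,
        "qr": bool(flags & QR),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }


def with_flag(msg: bytes, mask: int, value: bool) -> bytes:
    """Return a copy of msg with one header flag set or cleared.

    RRSIG records cover resource record sets, not the header, so the
    flags word carries no integrity protection of its own; this is why
    the AD and CD bits are only meaningful over a secure channel.
    """
    (flags,) = struct.unpack_from("!H", msg, 2)
    flags = (flags | mask) if value else (flags & ~mask & 0xFFFF)
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def ad_is_trustworthy(response: bytes, channel_secure: bool) -> bool:
    """Stub-resolver policy: believe the AD bit only when the response
    came from the configured resolver over a channel that authenticates
    it and protects the message in transit (e.g. TSIG, SIG(0))."""
    hdr = parse_header(response)
    return channel_secure and hdr["qr"] and hdr["ad"]


def must_validate(query: bytes, channel_secure: bool) -> bool:
    """Validating-resolver policy: honour a client's CD request only
    when it arrived over a secure channel; otherwise validate anyway."""
    hdr = parse_header(query)
    if hdr["qr"]:
        raise ValueError("expected a query, got a response")
    if not channel_secure:
        return True
    return not hdr["cd"]


# Constructed sample headers (question/answer sections omitted; they are
# not needed to show the flag handling).
SAMPLE_RESPONSE = HEADER.pack(0x1234, QR | RD | RA | AD, 1, 1, 0, 0)
SAMPLE_QUERY_CD = HEADER.pack(0x1235, RD | CD, 1, 0, 0, 0)
SAMPLE_QUERY = HEADER.pack(0x1236, RD, 1, 0, 0, 0)


if __name__ == "__main__":
    tampered = with_flag(SAMPLE_RESPONSE, AD, False)
    print("AD as sent by resolver:     ", parse_header(SAMPLE_RESPONSE)["ad"])
    print("AD after flags rewritten:   ", parse_header(tampered)["ad"])
    print("trust AD over plain UDP:    ", ad_is_trustworthy(SAMPLE_RESPONSE, False))
    print("trust AD over secure channel", ad_is_trustworthy(SAMPLE_RESPONSE, True))
    print("validate despite CD (UDP):  ", must_validate(SAMPLE_QUERY_CD, False))
    print("validate with CD (secure):  ", must_validate(SAMPLE_QUERY_CD, True))
```

Run as a script, the output shows the same response header yielding AD=True and then AD=False after only its flags word changes, and both policies refusing to act on the bits unless `channel_secure` is true; the secure-channel decision itself (how the stub knows it is talking to its configured resolver over a protected transport) is outside the scope of this example.
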
The protocol described in this document attempts to extend the
benefits of DNSSEC to security-oblivious stub resolvers. However, as
recovery from validation failures is likely to be specific to
particular applications, the facilities that DNSSEC provides for stub
resolvers may prove inadequate. Operators of security-aware
recursive name servers will have to pay close attention to the
behavior of the applications that use their services when choosing a
local validation policy; failure to do so could easily result in the
recursive name server accidentally denying service to the clients it
is intended to support.