Secondary DNS supports zones that contain DNSSEC records. This allows DNSSEC records to be imported into the corresponding secondary zone.
A brief description for the supported set of DNSSEC records is provided below.
Name | Description |
---|---|
RRSIG |
Provides the DNSSEC signature through which DNS data is authenticated. |
DNSKEY |
Provides the public key through which a DNS resolver verifies the DNSSEC signature in a RRSIG record. |
DS |
Identifies a sub-delegated zone by its name. It also identifies a DNSKEY record in the sub-delegated zone. |
NSEC |
Indicates the next secured record in the zone by name. It also indicates the type of records in the zone that have been assigned that name. A DNS resolver uses this record to verify that a record of a specific name and type does not exist within a zone. |
NSEC3 |
Indicates the next secured record in the zone by hashed name. It also indicates the type of records in the zone that have been assigned that name. A DNS resolver uses this record to verify that a record of a specific name and type does not exist within a zone. |
NSEC3PARAM |
Allows Authoritative DNS servers to determine the set of NSEC3 records to include in response to DNSSEC requests for a record that does not exist. |
DLV |
The DNSSEC Lookaside Validation registry record publishes DNSSEC trust anchors outside of the standard DNS delegation chain. This allows a DNS resolver to validate DNSSEC records via an alternative chain of trust. |