# Confused About How DNSSEC Works

## wswartzendruber

I've got my own router (tower machine) running BIND 9.  I want to get familiar with DNSSEC, but want to first know what's actually happening.  From what I gather, it uses public key authentication for signing.  But I can't figure out what gets signed.  Is it each individual record, a whole zone, or what?  I've also read that the root zone (everything) has recently been signed.  Wouldn't this require downloading every DNS record from the root resolvers just to authenticate a single lookup?

I'm so lost...

EDIT:  Or perhaps authentication occurs at each level of propagation.  It seems reasonable that Comcast's DNSSEC-enabled resolvers may have signed individual records themselves during transfer, and that I need to download their public key somehow.

----------

## massimo

[1] will help you for starters.

[1] http://www.nlnetlabs.nl/publications/dnssec_howto/

----------

