Windows dns reverse lookup zone not updating
To implement DNSSEC, several new DNS record types were created or adapted for use with DNSSEC. The NSEC (next secure) record contains a link to the next record name in the zone and lists the record types that exist for the record's name.
DNS Resolvers use NSEC records to verify the non-existence of a record name and type as part of DNSSEC validation.
The RRSIG record is a digital signature of the answer DNS resource record set.
The digital signature is verified by locating the correct public key found in a DNSKEY record.
Other standards (not DNSSEC) are used to secure bulk data (such as a DNS zone transfer) sent between DNS servers.
As documented in IETF RFC 4367, some users and developers make false assumptions about DNS names, such as assuming that a company's common name plus ".com" is always its domain name.
Microsoft Windows uses a stub resolver, and Windows Server 2008 R2 and Windows 7 in particular use a non-validating but DNSSEC-aware stub resolver.
Using the chain of trust model, a Delegation Signer (DS) record in a parent domain (DNS zone) can be used to verify a DNSKEY record in a subdomain, which can then contain other DS records to verify further subdomains.
DNSSEC was designed to be extensible so that as attacks are discovered against existing algorithms, new ones can be introduced in a backward-compatible fashion.
Say that a recursive resolver such as an ISP name server wants to get the IP addresses (A record and/or AAAA records) of the domain " First, if "example.com" does not support DNSSEC, there will be no RRSIG record in the answer and there will not be a DS record for "example.com" in the "com" zone.
If there is a DS record for "example.com", but no RRSIG record in the reply, something is wrong and maybe a man in the middle attack is going on, stripping the DNSSEC information and modifying the A records.
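The two checks described above, as an added example that is not code from the page: a resolver recomputes the DS digest from the child's DNSKEY (owner name in wire form plus DNSKEY RDATA, RFC 4034 section 5.1.4) to confirm the parent vouches for that key, and then applies the DS/RRSIG decision from the scenario. The key bytes and names are constructed placeholders.

```python
import hashlib

# Added example, not code from the page: models the chain-of-trust checks above.
# (1) A parent-zone DS record is a hash over the child's DNSKEY (owner name in
#     wire form + DNSKEY RDATA, RFC 4034 section 5.1.4), so a resolver can tell
#     whether the DNSKEY it fetched is the one the parent vouches for.
# (2) The insecure / bogus / secure decision a validator makes from the presence
#     of DS and RRSIG records. All key material here is constructed, not real.

def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, zero terminator."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag; DS and RRSIG use it to name the DNSKEY they refer to."""
    acc = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> bytes:
    """Digest a resolver recomputes from the child's DNSKEY (type 1 = SHA-1, 2 = SHA-256)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)).digest()

def ds_matches(parent_ds: bytes, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey: bytes, digest_type: int = 2) -> bool:
    """True only if the DNSKEY hashes to what the parent zone published."""
    return ds_digest(owner, flags, protocol, algorithm, pubkey, digest_type) == parent_ds

def classify_answer(parent_has_ds: bool, answer_has_rrsig: bool, rrsig_valid: bool = False) -> str:
    """Validator outcome for the scenario in the text."""
    if not parent_has_ds:
        return "insecure"      # no DS: child zone is unsigned, nothing to validate
    if not answer_has_rrsig:
        return "bogus"         # DS present but signatures missing: possibly stripped
    return "secure" if rrsig_valid else "bogus"

if __name__ == "__main__":
    ksk = b"\x01\x02\x03\x04"                     # constructed stand-in for a public key
    ds = ds_digest("example.com", 257, 3, 13, ksk)
    print(key_tag(257, 3, 13, ksk), ds.hex())
    print(ds_matches(ds, "Example.COM.", 257, 3, 13, ksk))
    print(classify_answer(True, False))
```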
DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted.
DNSSEC does not protect against DoS attacks directly, though it indirectly provides some benefit (because signature checking allows the use of potentially untrustworthy parties; this is true only if the DNS server is using a self-signed certificate, not recommended for Internet-facing DNS servers). DNSSEC cannot protect against false assumptions; it can only authenticate that the data is truly from, or not available from, the domain owner.