Commit bd36c34

Merge pull request #306757 from jonbeck7/patch-5
Update DNSSEC documentation with RFC 9824 details - Removing VRF
2 parents 157e583 + c84bad6 commit bd36c34

1 file changed

Lines changed: 2 additions & 1 deletion

articles/dns/dnssec.md

@@ -26,6 +26,7 @@ The core DNSSEC extensions are specified in the following Request for Comments (
2626
* [RFC 4033](https://datatracker.ietf.org/doc/html/rfc4033): "DNS Security Introduction and Requirements"
2727
* [RFC 4034](https://datatracker.ietf.org/doc/html/rfc4034): "Resource Records for the DNS Security Extensions"
2828
* [RFC 4035](https://datatracker.ietf.org/doc/html/rfc4035): "Protocol Modifications for the DNS Security Extensions"
29+
* [RFC 9824](https://datatracker.ietf.org/doc/rfc9824): "Compact Denial of Existence in DNSSEC"
2930

3031
For a summary of DNSSEC RFCs, see [RFC9364](https://www.rfc-editor.org/rfc/rfc9364): DNS Security Extensions (DNSSEC).
3132
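Review bot: The added RFC 9824 entry on new line 29 links to `https://datatracker.ietf.org/doc/rfc9824`, while the three entries above it use the `https://datatracker.ietf.org/doc/html/rfcNNNN` form, and the same RFC is linked as `https://www.rfc-editor.org/rfc/rfc9824.html` further down in this file. Suggest `https://datatracker.ietf.org/doc/html/rfc9824` here so the list is uniform and every entry opens the RFC text directly, and using one link form for RFC 9824 throughout the article.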

@@ -68,7 +69,7 @@ The type of DNS resource record that is spoofed depends on the type of DNS hijac
6869

6970
DNSSEC works to prevent DNS hijacking by performing validation on DNS responses. In the DNS hijacking scenario pictured here, the client device can reject non-validated DNS responses if the contoso.com domain is signed with DNSSEC. To reject non-validated DNS responses, the client device must enforce [DNSSEC validation](#dnssec-validation) for contoso.com.
7071

71-
DNSSEC includes a VRF-based mechanism defined in [RFC 9824](https://www.rfc-editor.org/rfc/rfc9824.html), to prevent zone enumeration. Zone enumeration, also known as zone walking, is an attack whereby an attacker attempts to build a list of all names in a zone, including child zones.
72+
Azure DNS DNSSEC implemented [RFC 9824](https://www.rfc-editor.org/rfc/rfc9824.html), to prevent zone enumeration. Zone enumeration, also known as zone walking, is an attack whereby an attacker attempts to build a list of all names in a zone, including child zones.
7273

7374
Before you sign a zone with DNSSEC, be sure to understand [how DNSSEC works](#how-dnssec-works). When you are ready to sign a zone, see [How to sign your Azure Public DNS zone with DNSSEC](dnssec-how-to.md).
7475
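Review bot: The replacement sentence on new line 72 no longer tells the reader what the mechanism is. With "VRF-based" removed, "Azure DNS DNSSEC implemented [RFC 9824](...), to prevent zone enumeration" leaves only an RFC number, and it reads as past tense with a stray comma before "to prevent". Suggest naming the mechanism with the title already used in the RFC list above, for example: "Azure DNS implements Compact Denial of Existence, defined in [RFC 9824](https://www.rfc-editor.org/rfc/rfc9824.html), to prevent zone enumeration." "Azure DNS DNSSEC" can also be shortened to "Azure DNS", since the sentence is already about DNSSEC.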
