0

I read a few articles on how DNSSec works (here and here).

The DNSSec request are not encrypted, and I wanted to know if it's possible to encapsulate it into a DoH or a DoT request?

Warok
  • 125
  • 1
  • 5

1 Answers1

1

DNSSec requests are normal DNS requests with the DO (DNSSec OK) flag set. DNSSec responses are also normal DNS responses which also include records (RRSIG) related to DNSSec.

DoH and DoT both simply send the original binary DNS request and response inside a TLS connection (DoT) or as body or query string inside a HTTPS connection (DoH). DoH can additionally send the DNS messages as JSON which essentially can do the same as the binary representation, only with more buzzwords triggered, more bandwidth needed and more overhead in processing.

There are no restrictions by DoT or DoH what kind of DNS messages can be sent. This means that DNSSec can also be done with DoT and DoH.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434