Protocol Modifications for the DNS Security Extensions
R. Arends, R. Austein, M. Larson, D. Massey, S. Rose · 2005-03
Abstract
RFC 4035 defines the protocol changes required to implement DNSSEC, including the behavior of security-aware resolvers, authoritative name servers, and recursive name servers. It specifies how DNSSEC-enabled resolvers request and validate signed DNS responses using the DO bit, how NSEC records prove non-existence of DNS names, and the chain of trust from the DNS root through zone delegations using Delegation Signer (DS) records.
Why This RFC Matters
RFC 4035 is the operational specification that makes DNSSEC work in practice, defining precisely how validators build and verify the chain of trust from the DNSSEC root (signed in 2010) through TLD operators to individual domain zones. The chain-of-trust model — where each DS record in a parent zone vouches for the DNSKEY in the child zone — is an elegant application of public-key infrastructure to a distributed system. RFC 4035 also introduced the NSEC record type for authenticated denial of existence, later improved by NSEC3 (RFC 5155) to prevent zone enumeration. Together with RFC 4033 and RFC 4034, RFC 4035 forms the core DNSSEC specification that all DNSSEC-validating resolvers implement.
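To make the chain-of-trust model concrete, the following is an added example (not text or code from RFC 4035 or from this page) showing the DS-to-DNSKEY link a validator checks at each delegation: the parent's DS record carries a key tag, an algorithm and a digest over the child's canonical owner name plus DNSKEY RDATA, and the validator only trusts the child key if all of those match. It assumes DS digest type 2 (SHA-256, from RFC 4509) rather than the SHA-1 type in the original RFC 4034, uses constructed placeholder key bytes rather than real key material, and deliberately omits RRSIG signature verification over the DS and DNSKEY RRsets, which a real validator must also perform; the key tag arithmetic follows RFC 4034 Appendix B.

```python
"""DS <-> DNSKEY linkage and a parent-to-child chain walk (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple

ZONE_KEY_FLAG = 0x0100   # RFC 4034 s2.1.1: bit 7 of the DNSKEY flags field
DNSKEY_PROTOCOL = 3      # RFC 4034 s2.1.2: the only valid protocol value
DIGEST_SHA256 = 2        # DS digest type 2 (RFC 4509); assumption for this example


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, DNSKEY_PROTOCOL, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): a selector hint,
    not a cryptographic hash, so it must never be the only check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, as published in the parent zone


def make_ds(owner: str, rdata: bytes) -> DS:
    """What the parent publishes: SHA-256 over the canonical owner name
    followed by the child's DNSKEY RDATA (RFC 4034 s5.1.4)."""
    digest = hashlib.sha256(canonical_name(owner) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), rdata[3], DIGEST_SHA256, digest)


def ds_matches_dnskey(ds: DS, owner: str, rdata: bytes) -> bool:
    """The RFC 4035 s5.2 checks before a DNSKEY may be treated as trusted."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & ZONE_KEY_FLAG:        # must be a zone key
        return False
    if rdata[2] != DNSKEY_PROTOCOL:      # protocol octet must be 3
        return False
    if ds.algorithm != rdata[3] or ds.key_tag != key_tag(rdata):
        return False
    if ds.digest_type != DIGEST_SHA256:  # unsupported digest type: unusable
        return False
    expected = make_ds(owner, rdata).digest
    return hmac.compare_digest(expected, ds.digest.upper())


# (zone name, the zone's DNSKEY RRset, the DS RRset it publishes for its child)
Link = Tuple[str, Sequence[bytes], Sequence[DS]]


def validate_chain(trust_anchor: DS, links: Sequence[Link]) -> List[str]:
    """Walk parent -> child. At each zone at least one DNSKEY must match a DS
    trusted from the parent (the configured anchor at the apex); the zone's own
    DS RRset then becomes the trusted set for the next zone. Returns the zones
    that were linked and raises on a broken link."""
    trusted_ds = [trust_anchor]
    validated: List[str] = []
    for zone, dnskeys, child_ds in links:
        if not any(ds_matches_dnskey(ds, zone, k) for ds in trusted_ds for k in dnskeys):
            raise ValueError(f"no DNSKEY of {zone!r} matches a trusted DS")
        validated.append(zone)
        trusted_ds = list(child_ds)
    return validated


# Constructed sample key (placeholder bytes, not real key material): KSK flags
# 257, algorithm 8 (RSASHA256), with an 8-octet fake public key.
EXAMPLE_KEY = dnskey_rdata(257, 8, bytes.fromhex("03010001c0ffee42"))


def demo_chain() -> List[str]:
    """Three-zone chain: trust anchor for '.', then 'example.', then 'sub.example.'."""
    root_key = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + b"\x11" * 8)
    sub_key = dnskey_rdata(256, 13, b"\x22" * 16)
    anchor = make_ds(".", root_key)  # stands in for the configured root trust anchor
    links = [
        (".", [root_key], [make_ds("example.", EXAMPLE_KEY)]),
        ("example.", [EXAMPLE_KEY], [make_ds("sub.example.", sub_key)]),
        ("sub.example.", [sub_key], []),
    ]
    return validate_chain(anchor, links)


if __name__ == "__main__":
    print("key tag of EXAMPLE_KEY:", key_tag(EXAMPLE_KEY))
    print("validated zones:", demo_chain())
```

Running the module prints the key tag of the constructed key and the list of zones linked by the walk. The constant-time digest comparison and the zone-key and protocol checks are the points where a sloppy validator would accept a key the parent never vouched for; changing one byte of `EXAMPLE_KEY` (or clearing its zone-key flag) makes `ds_matches_dnskey` return `False` and breaks the chain at that delegation.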