Domain Name System (DNS) Security Extension

ExtremeXOS 31.1 provides support for DNS Security Extension (DNSSEC).

The DNS cache resolver feature implements a cache of DNS queries on the switch, so that repeated queries can be answered directly by the switch rather than being forwarded to the DNS servers every time, which consumes time and network resources.

DNSSEC validates DNS replies and caches DNSSEC data. When forwarding DNS queries, dnsmasq requests the DNSSEC records needed to validate the replies. The replies are validated, and the result is returned as the Authenticated Data (AD) bit in the DNS packet. In addition, the DNSSEC records are stored in the cache, making validation by clients more efficient. Note that validation by clients is the most secure DNSSEC mode, but for clients unable to do validation, the AD bit set by dnsmasq is useful, provided that the network between the dnsmasq server and the client is trusted. The nameservers upstream of dnsmasq must be DNSSEC-capable, that is, capable of returning DNSSEC records with data. If they are not, dnsmasq is not able to determine the trusted status of answers, and DNS service is entirely broken.
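As an added illustration (not ExtremeXOS or dnsmasq code) of what a non-validating client has to check when it relies on the resolver's AD bit as described above: the flags word of the DNS header is parsed, and an answer is treated as validated only if it is a NOERROR response with AD=1 and the path to the resolver is trusted. The sample replies are constructed header-only packets; the flag masks follow the standard DNS header layout.

```python
import struct

# Masks for the 16-bit flags word of the DNS header (RFC 1035 / RFC 4035 layout).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F
NOERROR, SERVFAIL = 0, 2


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {
        "id": msg_id,
        "is_response": bool(flags & QR),
        "recursion_available": bool(flags & RA),
        "authenticated_data": bool(flags & AD),   # set by the validating resolver
        "checking_disabled": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def answer_is_validated(packet: bytes, resolver_path_trusted: bool) -> bool:
    """True only for a NOERROR reply with AD=1 from a resolver reached over a trusted path."""
    if not resolver_path_trusted:
        # AD is a plain bit in the packet; it proves nothing if the path can be tampered with.
        return False
    h = parse_header(packet)
    return h["is_response"] and h["rcode"] == NOERROR and h["authenticated_data"]


def build_header(msg_id: int, flags: int, qd: int = 1, an: int = 0, ns: int = 0, ar: int = 0) -> bytes:
    """Constructed sample header (question/answer sections omitted for brevity)."""
    return struct.pack("!6H", msg_id, flags, qd, an, ns, ar)


# Constructed sample replies: validated, unvalidated, and a validation failure.
VALIDATED_REPLY = build_header(0x1234, QR | RD | RA | AD, an=1)
UNVALIDATED_REPLY = build_header(0x1234, QR | RD | RA, an=1)
SERVFAIL_REPLY = build_header(0x1234, QR | RD | RA | SERVFAIL)

if __name__ == "__main__":
    for name, pkt in [("validated", VALIDATED_REPLY), ("unvalidated", UNVALIDATED_REPLY),
                      ("servfail", SERVFAIL_REPLY)]:
        print(name, parse_header(pkt), answer_is_validated(pkt, resolver_path_trusted=True))
```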

Supported Platforms

ExtremeSwitching X435, X450-G2, X460-G2, X670-G2, X440-G2, X465, X590, X620, X690, X695, X870, and 5520 series switches.

New CLI Commands

enable dns cache {dnssec}

disable dns cache {dnssec}

Changed CLI Commands

The following show command now displays the DNSSEC status.

show dns cache configuration {{vlan} vlan_name | {vr} vr_name}