CCSP Exam: Additional DNS Queries with DNSSEC Integrity Checks

Question

How many additional DNS queries are needed when DNSSEC integrity checks are added?

Answers

Explanations

A. B. C. D.

B.

DNSSEC does not require any additional DNS queries to be performed.

The DNSSEC integrity checks and validations are all performed as part of the single DNS lookup resolution.

DNSSEC (Domain Name System Security Extensions) is a set of protocols used to add security to the Domain Name System (DNS) by digitally signing DNS data.

When DNSSEC integrity checks are added, additional DNS queries are needed to verify the digital signatures and ensure the authenticity of DNS data.

The number of additional DNS queries required depends on the type of DNSSEC deployment:

  1. NSEC: When using the NSEC (Next Secure) protocol, the number of additional DNS queries required is two. This is because NSEC uses a chain of authenticated denial-of-existence records that prove that a requested domain name does not exist. To verify the authenticity of the NSEC chain, two additional DNS queries are required.

  2. NSEC3: When using the NSEC3 (Next Secure version 3) protocol, the number of additional DNS queries required is one. This is because NSEC3 uses a hashed chain of authenticated denial-of-existence records that prove that a requested domain name does not exist. To verify the authenticity of the NSEC3 chain, one additional DNS query is required.

Therefore, the correct answer to the question is option D: two additional DNS queries are needed when using NSEC, and one additional DNS query is needed when using NSEC3. Option B, zero, is not correct because DNSSEC integrity checks require additional DNS queries to verify the digital signatures. Option A, three, and option C, one, are not correct because they do not accurately reflect the number of additional DNS queries required for DNSSEC integrity checks.