When a DNS client queries the sample record www.us.example.com, the DNS Security (DNSSEC) server running the secure zone us.example.com sends the client www.us.example.com's original A resource record (RR) with its corresponding SIG RR and the zone's KEY RR with its SIG RR. If the client is DNSSEC-enabled, it first checks the signature-validation time in the A RR's corresponding SIG RR. If the signature starting time is later than the current time or if the signature expiration time is earlier than the current time, the client rejects the A RR. If the signature-validation time is acceptable, the client then uses the public key and the algorithm in the KEY RR to verify the signature in the A RR's SIG RR.

After validating the A RR's signature, the client verifies us.example.com's public key signature (which the client used to check the integrity of the A RR). The parent zone example.com signed us.example.com's public key, so the client requests example.com's public key (if the client doesn't already have the key locally or in its cache). If the client trusts example.com's public key and thus verifies the validity of us.example.com's public key, the client then accepts that the query response is truly from us.example.com.

The verification of the signer's public key can be recursive until the client finds a trusted signer. In DNSSEC, this trusted signer could be the Internet root zone running on the Internet root DNS servers. Therefore, you should preconfigure at least one trusted key in a DNSSEC-enabled client's local computer. This key can be the Internet root zone's public key if the client trusts only the root zone.

Suppose a client queries the signed zone us.example.com for a nonexistent record, product.us.example.com. The zone us.example.com doesn't contain that record, so the DNS server instead sends the client the record ns1.us.acme.com, which is the record that falls alphabetically before the requested nonexistent record. The NXT record in ns1.us.example.com indicates that the next record is www.us.example.com. Thus, the client can ascertain that no record exists between ns1.us.example.com and www.us.example.com—product.us.example.com doesn't exist.