US2016197898A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016197898-A1 |
| Application number | US-201514591121-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jan 7, 2015 |
| Priority date | Jan 7, 2015 |
| Publication date | Jul 7, 2016 |
| Grant date | — |
Abstract
A method relates to generating, by a processing device executing a DNS resolver, a first domain name system (DNS) query comprising a DNS request generated from an application executing on the processing device to query a first DNS server serving a first DNS zone connected to the processing device via a public network, receiving, from the first DNS server, a first resource record comprising a DNS answer to the DNS query, a second resource record comprising a digital signature generated by signing the DNS answer with a first private key of the first DNS zone, a third resource record comprising a first public key for verifying the digital signature, and one or more files for validating a chain of trust of the first public key, determining, by the processing device in view of the one or more files, that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust, and generating a second DNS query comprising the DNS request to query a second DNS server residing in a private network of the processing device.
Claims

What is claimed is:

1. A method comprising: generating, by a processing device executing a DNS resolver, a first domain name system (DNS) query comprising a DNS request generated from an application executing on the processing device to query a first DNS server serving a first DNS zone connected to the processing device via a public network; receiving, from the first DNS server, a first resource record comprising a DNS answer to the DNS query, a second resource record comprising a digital signature generated by signing the DNS answer with a first private key of the first DNS zone, a third resource record comprising a first public key for verifying the digital signature, and one or more files for validating a chain of trust of the first public key; determining, by the processing device in view of the one or more files, that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust; and generating a second DNS query comprising the DNS request to query a second DNS server residing in a private network of the processing device.
2. The method of claim 1, wherein the first DNS server and the DNS resolver are enabled with domain name system security extensions (DNSSEC), and the second DNS server is not enabled with DNSSEC.
3. The method of claim 1, further comprising: in response to determining that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust, disabling DNSSEC capability of the DNS resolver; and returning a result from the second DNS server to the application.
4. The method of claim 1, wherein the one or more files comprise a first file comprising a name of a second DNS server delegated by the first DNS server serving a second DNS zone and a second file comprising a second public key.
5. The method of claim 4, wherein the third resource record comprising the first public key is signed with the second private key, and wherein the second public key is capable of verifying the signed third resource record.
6. The method of claim 4, wherein determining that the chain of trust of the first public key misses the link comprises determining that the third file is missing.
7. The method of claim 4, wherein the trust anchor is a starting point of the chain of trust, and the trust anchor is obtained from a root DNS zone in a DNS hierarchy comprising the first and second DNS zones.
8. The method of claim 4, wherein the first private key and the first public key form a zone signing key pair for the first zone, and the second private key and the second public key form a key signing key pair.
9. A non-transitory machine-readable storage medium storing instructions which, when executed, cause a processing device to: generate, by the processing device executing a DNS resolver, a first domain name system (DNS) query comprising a DNS request generated from an application executing on the processing device to query a first DNS server serving a first DNS zone connected to the processing device via a public network; receive, from the first DNS server, a first resource record comprising a DNS answer to the DNS query, a second resource record comprising a digital signature generated by signing the DNS answer with a first private key of the first DNS zone, a third resource record comprising a first public key for verifying the digital signature, and one or more files for validating a chain of trust of the first public key; determine, by the processing device in view of the one or more files, that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust; and generate a second DNS query comprising the DNS request to query a second DNS server residing in a private network of the processing device.
10. The machine-readable storage medium of claim 9, wherein the first DNS server and the DNS resolver are enabled with domain name system security extensions (DNSSEC), and the second DNS server is not enabled with DNSSEC.
11. The machine-readable storage medium of claim 9, wherein the processing device is further to: in response to determining that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust, disable DNSSEC capability of the DNS resolver; and return a result from the second DNS server to the application.
12. The machine-readable storage medium of claim 9, wherein the one or more files comprise a first file comprising a name of a second DNS server delegated by the first DNS server serving a second DNS zone and a second file comprising a second public key.
13. The machine-readable storage medium of claim 12, wherein the third resource record comprising the first public key is signed with the second private key, and wherein the second public key is capable of verifying the signed third resource record.
14. The machine-readable storage medium of claim 12, wherein determining that the chain of trust of the first public key misses the link comprises determining that the third file is missing.
15. The machine-readable storage medium of claim 9, wherein the trust anchor is a starting point of the chain of trust, and the trust anchor is obtained from a root DNS zone in a DNS hierarchy comprising the first and second DNS zones.
16. A system, comprising: a memory; and a processing device, communicatively coupled to the memory, to: generate, by the processing device executing a DNS resolver, a first domain name system (DNS) query comprising a DNS request generated from an application executing on the processing device to query a first DNS server serving a first DNS zone connected to the processing device via a public network; receive, from the first DNS server, a first resource record comprising a DNS answer to the DNS query, a second resource record comprising a digital signature generated by signing the DNS answer with a first private key of the first DNS zone, a third resource record comprising a first public key for verifying the digital signature, and one or more files for validating a chain of trust of the first public key; determine, by the processing device in view of the one or more files, that the chain of trust of the first public key misses at least one of a trust anchor or a link in the chain of trust; and generate a second DNS query comprising the DNS request to query a second DNS server residing in a private network of the processing device.
17. The system of claim 16, wherein the first DNS server and the DNS resolver are enabled with domain name system security extensions (DNSSEC), and the second DNS server is not enabled with DNSSEC.
18. The system of claim 16, wherein the one or more files comprise a first file comprising a name of a second DNS server delegated by the first DNS server serving a second DNS zone and a second file comprising a second public key.
19. The system of claim 18, wherein the third resource record comprising the first public key is signed with the second private key, and wherein the second public key is capable of verifying the signed third resource record.
20. The system of claim 18, wherein determining that the chain of trust of the first public key misses the link comprises determining that the third file is missing.
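The resolver behaviour in claims 1 through 8 (verify the answer's signature with the zone's ZSK, verify the DNSKEY set with the KSK, walk the DS links up to a trust anchor, and re-issue the request to a non-DNSSEC server in the private network when the anchor or a link is absent) as an added, runnable illustration. This is not code from the patent and not any product's resolver: it uses textbook RSA over tiny fixed primes as a stand-in for the DNSSEC signing algorithms (insecure, for demonstration only), a SHA-256 of the child's KSK as the DS-style link record, and constructed zone names, addresses and "files". The functions `validate`, `resolve`, `build_zones` and `demo` and the `Response` layout are the example's own names.

```python
"""Toy model of the claim 1 chain-of-trust check and private-server fallback.
Added illustration, not code from the patent. Signatures are textbook RSA over
tiny fixed primes (INSECURE, demo only) standing in for real DNSSEC algorithms;
the DS-style link record is a SHA-256 of the child zone's key-signing key."""
import hashlib
from dataclasses import dataclass

PRIMES = [10007, 10009, 10037, 10039, 10061, 10067]  # demo key material only

def keygen(p, q, e=65537):          # -> (private (n, d), public (n, e))
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, pow(e, -1, phi)), (n, e)

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

def ds_of(pub) -> str:              # DS-style record: hash of a zone's KSK
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

@dataclass
class Response:                     # what the public, DNSSEC-enabled server returns
    answer: bytes      # first RR: the DNS answer
    rrsig: int         # second RR: answer signed with the zone's ZSK private key
    dnskeys: tuple     # third RR: (zsk_pub, ksk_pub, signature by the KSK)
    delegations: list  # (child zone, parent zone) pairs up to the root
    files: dict        # chain-of-trust files: DS records and parent keys

def validate(resp: Response, trust_anchor) -> str:
    """'secure', 'missing' (no trust anchor or a link absent) or 'bogus'."""
    zsk_pub, ksk_pub, keysig = resp.dnskeys
    if not (verify(ksk_pub, f"{zsk_pub}|{ksk_pub}".encode(), keysig)
            and verify(zsk_pub, resp.answer, resp.rrsig)):
        return "bogus"
    child_ksk = ksk_pub
    for zone, parent in resp.delegations:
        link, parent_keys = resp.files.get(zone), resp.files.get(parent)
        if link is None or parent_keys is None:
            return "missing"                 # a link in the chain is absent
        parent_ksk = parent_keys["ksk_pub"]
        if link["ds"] != ds_of(child_ksk) or not verify(
                parent_ksk, link["ds"].encode(), link["ds_sig"]):
            return "bogus"                   # present but wrong: never trust it
        child_ksk = parent_ksk
    if trust_anchor is None:
        return "missing"                     # no starting point for the chain
    return "secure" if trust_anchor == ds_of(child_ksk) else "bogus"

def resolve(request, public_server, private_server, trust_anchor):
    """Query the public DNSSEC server first; if the chain is merely incomplete,
    re-issue the same request to the private server (claims 1 and 3)."""
    resp = public_server(request)
    status = validate(resp, trust_anchor)
    if status == "secure":
        return status, resp.answer, "public"
    if status == "missing":
        return status, private_server(request), "private"
    return status, None, "public"            # bogus: fail closed, no downgrade

def build_zones():
    """Constructed sample hierarchy: root '.' delegates 'example.', which answers."""
    root_ksk = keygen(PRIMES[0], PRIMES[1])
    ex_ksk, ex_zsk = keygen(PRIMES[2], PRIMES[3]), keygen(PRIMES[4], PRIMES[5])
    ds = ds_of(ex_ksk[1])
    files = {"example.": {"ds": ds, "ds_sig": sign(root_ksk[0], ds.encode())},
             ".": {"ksk_pub": root_ksk[1]}}
    dnskeys = (ex_zsk[1], ex_ksk[1],
               sign(ex_ksk[0], f"{ex_zsk[1]}|{ex_ksk[1]}".encode()))
    def public_server(request):
        answer = b"www.example. A 192.0.2.10"          # constructed answer
        return Response(answer, sign(ex_zsk[0], answer), dnskeys,
                        [("example.", ".")], dict(files))
    return public_server, ds_of(root_ksk[1])           # server, trust anchor

def private_server(request):                 # non-DNSSEC server, private network
    return b"www.example. A 10.0.0.10"      # constructed answer

def demo():
    public, anchor = build_zones()
    q = "www.example."
    out = {"secure": resolve(q, public, private_server, anchor)}
    # Missing trust anchor: the device has no root key configured.
    out["no_anchor"] = resolve(q, public, private_server, None)
    # Missing link: the DS file for 'example.' is not delivered.
    def no_ds(req):
        r = public(req); r.files.pop("example."); return r
    out["no_link"] = resolve(q, no_ds, private_server, anchor)
    # Tampered answer: the signature fails, so the resolver must not fall back.
    def forged(req):
        r = public(req); r.answer = b"www.example. A 203.0.113.66"; return r
    out["forged"] = resolve(q, forged, private_server, anchor)
    return out
```

`demo()` returns one `(status, answer, served_by)` triple per scenario: a complete chain is answered by the public server, a missing anchor or missing DS file is answered by the private server, and a forged answer returns no result. The last case is the example's own design choice and the caveat worth making explicit: the claims describe falling back only when the anchor or a link is missing, and a resolver that treated every validation failure as "missing" would let anyone who can corrupt the public response steer the device onto the unsigned path.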
CPC classification titles:
- the source of the received data
- wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for public-key encryption H04L9/30)
- Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- Network architectures or network communication protocols for network security (cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00; network architectures or network communication protocols for wireless network security H04W12/00; security arrangements for protecting computers or computer systems against unauthorised activity G06F21/00)
- using domain name system [DNS]