DNSSEC validation works with DLV, but not with just trusted-key
Alan Clegg
aclegg at isc.org
Wed Nov 25 15:54:08 UTC 2009
Hanno Böck wrote:
> On Wednesday 25 November 2009, Alan Clegg wrote:
>> There is no DS record for dnssec-tools.org in .org (chain of trust is
>> broken), so you can't validate the response -- thus the data being
>> passed back to you.
>
> Ok, that explains it.
>
> Are there any example domains with known-broken dnssec records with a full
> trust chain?
I've been meaning to set some up, but at this moment, I'm not aware of any.

Setting up your trust-anchor with the DNSKEY from dnssec-tools.org would
be only one level worse than using the DNSKEY from .org.

Setting up a validator using the key from dnssec-tools.org should be able
to prove your point...
AlanC