DNSSEC DSSET & KEYSET
prock111 at yahoo.com
prock111 at yahoo.com
Thu Jan 28 15:26:01 UTC 2010
Is there a tool/process to verify if the parenet domain has DSSET, KEYSET, or keys in place for the child domain? Thanks.
--- On Thu, 1/28/10, Florian Weimer <fweimer at bfk.de> wrote:
> From: Florian Weimer <fweimer at bfk.de>
> Subject: Re: DNSSEC DSSET & KEYSET
> To: "prock111 at yahoo.com" <prock111 at yahoo.com>
> Cc: bind-users at lists.isc.org
> Date: Thursday, January 28, 2010, 10:17 AM
> * prock:
>
> > In a DNSSEC compliant world (I know we're not there
> yet) we need to
> > give a copy of our DSSET and KEYSET to our parent
> domain. Please
> > confirm that is an accurate statement.
>
> Parent zone policies vary. Some require DS RRs, some
> DNSKEY RRs.
> Demanding DNSKEY RRs can prolong the life of signature
> schemes with
> certain weaknesses (which might be helpful at some point in
> the
> future).
>
> --
> Florian Weimer
> <fweimer at bfk.de>
> BFK edv-consulting GmbH http://www.bfk.de/
> Kriegsstraße 100
> tel: +49-721-96201-1
> D-76133 Karlsruhe
> fax: +49-721-96201-99
>
More information about the bind-users
mailing list