DNSSEC submit of DLV vs DNSKEY records?
Mark Andrews
marka at isc.org
Fri May 6 02:45:17 UTC 2011
In message <1304628473.25384.1448737669 at webmail.messagingengine.com>, dchilton+bind at bestmail.us writes:
> "missed it by THAT much ...". thx! relocating to bind-users.
>
> On Thu, 05 May 2011 14:37 -0500, "/dev/rob0" <rob0 at gmx.co.uk> wrote:
> > FWIW I think you hit the wrong list. Did you mean bind-users at isc?
>
>
> > On Thu, May 05, 2011 at 12:25:27PM -0700, dchilton+bind at bestmail.us
> > wrote:
> > > after signing my zones with 'dnssec-signzone', i've got both
> > >
> > > dsset-domain.com
> > > dlvset-domain.com
> > >
> > > containing DS- and DLV-records, respectively.
> > >
> > > i know i *can* submit the records to my registrar (DS records)
> > > and dlv.isc.org (DLV records), but should I do both?
> > >
> > > i'm not clear if these are redundant mechs for getting to a
> > > 'valid' DNSSEC state, or complementary.
> > >
> > > can anyone clarify -- both or just one? and if just one, which
> > > one?
> >
> > [I hope someone will correct me if I'm wrong.]
> >
> > My understanding: if the parent is signed, that is the only way a
> > child zone can be validated, unless of course using trusted-keys.
> > DLV is only done when the parent is unsigned.
> >
> > Off to the registrar you go!
Once the parent zone is signed and is accepting DS/DNSKEY records for
child zones there shouldn't be any need to add records to DLV.
Named won't consult DLV unless there is an insecure delegation between
the configured trust anchors and the zone. That being said, other
implementations might try DLV if validation fails on the normal
trust path. This is an implementation choice.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
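As an added illustration (not code from the thread or from BIND), the script below models the two artefacts the original poster saw, a dsset-* and a dlvset-* file, and the rule Mark states for when named falls back to DLV. The record lines, key tag and digest are constructed samples in the shape `dnssec-signzone -l dlv.isc.org` writes; the delegation chains are assumptions built for the example.

```python
"""Added example: DS vs DLV records and when a validator consults DLV."""
import re
from typing import NamedTuple, Optional

# Constructed sample lines in the shape dnssec-signzone -l dlv.isc.org
# writes to dsset-example.com. and dlvset-example.com.; values are made up.
DSSET_LINE = ("example.com.\t\tIN DS 54321 8 2 "
              "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF")
DLVSET_LINE = ("example.com.dlv.isc.org. IN DLV 54321 8 2 "
               "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF")

class KeyDigest(NamedTuple):
    owner: str
    rrtype: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

_RR = re.compile(r"^(\S+)\s+IN\s+(DS|DLV)\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)$")

def parse_set_line(line: str) -> KeyDigest:
    """Parse one DS or DLV record as found in a dsset/dlvset file."""
    m = _RR.match(line.strip())
    if not m:
        raise ValueError(f"not a DS/DLV record: {line!r}")
    owner, rrtype, tag, alg, dtype, digest = m.groups()
    return KeyDigest(owner, rrtype, int(tag), int(alg), int(dtype), digest.upper())

def same_key(ds: KeyDigest, dlv: KeyDigest) -> bool:
    """DLV rdata is identical to DS rdata (RFC 4431); only the owner name
    (zone vs zone.dlv-domain) and the RR type differ, so the two files
    describe the same KSK."""
    return ds[2:] == dlv[2:]

def dlv_consulted(chain, trust_anchors) -> Optional[str]:
    """chain: list of (zone, parent_publishes_ds_for_it) from the root down
    to the target zone. Returns the zone at which the secure path from the
    nearest configured trust anchor breaks (an insecure delegation, i.e. a
    signed parent with no DS for the child), which is the point at which a
    BIND-style validator turns to DLV. Returns None when the chain is
    secure all the way down, in which case DLV is never queried."""
    anchored = [i for i, (name, _) in enumerate(chain) if name in trust_anchors]
    if not anchored:
        return chain[0][0]  # nothing anchors this path at all
    for name, ds_in_parent in chain[anchored[-1] + 1:]:
        if not ds_in_parent:
            return name
    return None
```

With a signed root as trust anchor and a DS published at every step, `dlv_consulted` returns None, which is the situation Mark describes: submit the DS to the registrar and the DLV registration adds nothing.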