DNSSEC submit of DLV vs DNSKEY records?
dchilton+bind at bestmail.us
Fri May 6 04:27:12 UTC 2011
On Fri, 06 May 2011 12:45 +1000, "Mark Andrews" <marka at isc.org> wrote:
> > > [I hope someone will correct me if I'm wrong.]
> > >
> > > My understanding: if the parent is signed, that is the only way a
> > > child zone can be validated, unless of course using trusted-keys.
> > > DLV is only done when the parent is unsigned.
> > >
> > > Off to the registrar you go!
>
> Once the parent zone is signed and is accepting DS/DNSKEY records for
> child zones there shouldn't be any need to add records to DLV.
>
> Named won't consult DLV unless there is an insecure delegation between
> the configured trust anchors and the zone. That being said, other
> implementations might try DLV if validation fails on the normal
> trust path. This is an implementation choice.
All clear now. I did NOT get that from the docs + DLV site info.
Thanks!
For now it's DS/DNSKEY for me (.com, .net & .org only). Just did
external verifies on my signed zones, and all's working.
DCh
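As an added illustration (not code from the thread or from BIND), here is a small model of the rule Mark states above: a validator walks the delegation chain from the closest configured trust anchor down to the zone, and only an insecure delegation on that path (a parent without a DS for its child) would send it to DLV. Zone names, the trust-anchor set and the DS table are constructed sample data, and the function names are my own.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data: the root is the only configured trust anchor,
# and these are the DS records each parent is assumed to publish.
TRUST_ANCHORS: Set[str] = {"."}
DS_PUBLISHED: Dict[str, Set[str]] = {
    ".": {"com.", "net.", "org."},          # root has DS for these TLDs
    "com.": {"example.com."},               # .com has DS for example.com
    "org.": set(),                          # .org has no DS for our child
}

def parent_of(name: str) -> str:
    """Parent zone of an absolute name; the root is its own parent."""
    if name == ".":
        return "."
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."

def chain_from_anchor(zone: str, anchors: Set[str]) -> List[str]:
    """Names from the closest covering trust anchor down to zone
    (anchor first). Empty list if no anchor covers the zone."""
    chain = [zone]
    name = zone
    while name not in anchors:
        if name == ".":
            return []          # walked off the top: nothing covers it
        name = parent_of(name)
        chain.append(name)
    return list(reversed(chain))

def consults_dlv(zone: str, anchors: Set[str],
                 ds: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Return ("secure", why) if a DS chain reaches the zone, or
    ("dlv", why) if the validator would have to fall back to DLV."""
    chain = chain_from_anchor(zone, anchors)
    if not chain:
        return ("dlv", "no trust anchor covers %s" % zone)
    # A trusted-keys entry for the zone itself gives an empty walk: secure.
    for parent, child in zip(chain, chain[1:]):
        if child not in ds.get(parent, set()):
            return ("dlv", "insecure delegation %s -> %s" % (parent, child))
    return ("secure", "DS chain from %s down to %s" % (chain[0], zone))

if __name__ == "__main__":
    for z in ("example.com.", "example.org."):
        print(z, consults_dlv(z, TRUST_ANCHORS, DS_PUBLISHED))
    # trusted-keys for the child zone itself removes the need for DLV
    print(consults_dlv("example.org.", TRUST_ANCHORS | {"example.org."},
                       DS_PUBLISHED))
```

With a DS in .com the walk is fully secure; with no DS in .org the model reports the insecure delegation that would trigger a DLV lookup, and adding the zone's own key as a trust anchor makes DLV unnecessary again.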