DNSSEC and forward zones
Phil Mayers
p.mayers at imperial.ac.uk
Tue Nov 1 20:02:31 UTC 2011
On 11/01/2011 06:34 PM, Scott Morizot wrote:
> Alternatively, you can sign 'policydomain.internal' and configure its key
> as one of the trust anchors on the validating name servers. The order of
> validation is, if I recall correctly, locally configured trust anchors,
> then chain of trust from root, and finally DLVs. So doing that should
> provide a successful validation for the domain.
So presumably you could also follow Lyle's suggestion - have a local
"private" zone, signed, with a local trust anchor and an *in*secure
delegation to "policydomain.internal"?
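The trust-anchor approach Scott describes, sketched as a validating resolver's named.conf. This is an added example, not configuration from the thread; the forwarder address, key algorithm and key material are constructed placeholders, and `trusted-keys` is the statement BIND 9 used at the time of this post.

```conf
// Added example: validating resolver that forwards the private zone and
// validates it against a locally configured trust anchor.
options {
    dnssec-validation yes;
};

// Trust anchor for the signed private zone. Flags (257), protocol (3),
// algorithm (8) and the base64 key are placeholders: copy the real values
// from the zone's KSK DNSKEY record.
trusted-keys {
    "policydomain.internal." 257 3 8 "PLACEHOLDER+BASE64+KSK+PUBLIC+KEY==";
};

// Forward queries for the private zone to the internal server that holds
// the signed zone (192.0.2.53 is a documentation address, constructed).
zone "policydomain.internal" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

Without the trust anchor, the validator would try to build a chain from the root, where no such domain is delegated, and answers from the forwarder would fail validation.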
More information about the bind-users mailing list