Validating a DNSSEC installation

Mark Andrews marka at isc.org
Fri Jun 12 03:25:03 UTC 2009


In message <20090612025851.GA23611 at frell.ambush.de>, Hauke Lampe writes:
> On Fri, Jun 12, 2009 at 04:29:11 +0200, Hauke Lampe wrote:
> 
> > Future reference: Once .org completes their testing phase *and* your
> > registrar allows you to register DS records for your domain, queries
> > should also return AD when validated against the ITAR trust anchor
> > repository (at https://itar.iana.org/):
> > 
> > dig +adflag lotspeich.org @149.20.64.22
> 
> I got that one wrong. My apologies. That resolver uses IANA's version of a 
> signed root (https://ns.iana.org/), not ITAR.
> 
> Personally, I don't expect to add DS records for my .org domains within the 
> next two or three years, anyway. By the time the domain registration 
> services I use add working DS support, the root zone could possibly already 
> be signed.

	The root is supposed to be signed by the end of the year.
	IANA is already collecting DS / DNSKEY records for inclusion
	in the signed root.

	A competent registrar would be looking to add support for
	DS records now as once the root is signed there is no longer
	any real excuse to delay anymore.

	Similarly there is no excuse for not accepting AAAA as glue
	these days.

	Mark

> Hauke.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org