DNSSEC DSSET & KEYSET

prock111 at yahoo.com
Thu Jan 28 15:57:18 UTC 2010


That was very helpful. Thanks.

One last query.  For signed domains registered with and using ISC.ORG trust anchor, is there a sanity check similar to what you displayed below?


--- On Thu, 1/28/10, Evan Hunt <each at isc.org> wrote:

> From: Evan Hunt <each at isc.org>
> Subject: Re: DNSSEC DSSET & KEYSET
> To: "prock111 at yahoo.com" <prock111 at yahoo.com>
> Cc: "Florian Weimer" <fweimer at bfk.de>, bind-users at lists.isc.org
> Date: Thursday, January 28, 2010, 10:42 AM
> 
> > Is there a tool/process to verify if the parent domain has DSSET,
> > KEYSET, or keys in place for the child domain?  Thanks.
> 
> "dig ds <yourdomain>", and check that a) DS records
> are returned, and
> B) the first field of at least some of the DS records match
> the key ID of
> the key-signing key for your zone.  For example,
> isc.org is using key 12892:
> 
> $ dig +short ds isc.org
> 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586DE18DA6B5
> 
> ...so we're fine.
> 
> And of course, you could also configure a validating resolver (or drill
> or dig +sigchase) with a trust anchor for the parent, and make sure the
> validation process works.
> 
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.
> 
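The "dig ds" sanity check Evan describes, as an added example that is not from this thread or from BIND: it computes a DNSKEY's key tag (RFC 4034 Appendix B) and the DS digest the parent should publish (RFC 4034 section 5.1.4), then checks both against "dig +short ds" output, so a DS whose tag matches but whose digest was made from a different key is still caught. The KSK bytes and the zone name example.test are constructed for the example, not a real key.

```python
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2, the ones in the thread

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercased, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; rdata is flags(2) | protocol(1) | algorithm(1) | key."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """DS RDATA the parent should publish (RFC 4034 s5.1.4): hash(owner name | DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def parse_ds_line(line: str) -> tuple:
    """Parse one 'dig +short ds' line; a digest split by mail-client line wrapping is rejoined."""
    tag, alg, dtype, *digest_parts = line.split()
    return int(tag), int(alg), int(dtype), "".join(digest_parts).upper()

def ds_matches_ksk(ds_lines, owner: str, rdata: bytes) -> bool:
    """Evan's check, made strict: a parent DS must carry our KSK's tag AND a digest of our DNSKEY."""
    expected_tag, expected_alg = key_tag(rdata), rdata[3]
    for line in ds_lines:
        tag, alg, dtype, digest = parse_ds_line(line)
        if tag != expected_tag or alg != expected_alg or dtype not in DIGESTS:
            continue  # other key, other algorithm, or a digest type this example does not compute
        if digest == ds_from_dnskey(owner, rdata, dtype)[3]:
            return True
    return False

# Constructed sample: a KSK (flags 257, protocol 3) for a made-up zone, algorithm 5 (RSASHA1) as
# in the thread. The "public key" bytes are NOT a real RSA key; tag and digest math do not care.
SAMPLE_OWNER = "example.test"
SAMPLE_RDATA = (257).to_bytes(2, "big") + bytes([3, 5]) + bytes(
    [0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD, 0xEF, 0x12])

def sample_parent_ds() -> list:
    """The 'dig +short ds example.test' lines a parent publishing both digest types would return."""
    return [" ".join(str(f) for f in ds_from_dnskey(SAMPLE_OWNER, SAMPLE_RDATA, t)) for t in (1, 2)]
```

Feed the real "dig +short ds <yourdomain>" lines and your zone's KSK RDATA to ds_matches_ksk; the same tag-and-digest comparison is what a validating resolver performs when it walks the chain from the parent's trust anchor.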
