Signed root - missing RRSIG for delegation?

Niobos niobos at dest-unreach.be
Fri Jul 16 11:42:41 UTC 2010


On 2010-07-16 12:36, Alan Clegg wrote:
> .net isn't signed, and you don't sign "out-of-zone" data (glue and
> delegation NS records).

But org. is signed, and gives the same result.

But anyway, it basically boils down to:

> On 7/16/2010 6:25 AM, Niobos wrote:
>> It's probably just my lack of knowledge

Trying to enhance that: Am I correct to state that it's not possible to
validate a delegation NS RRset?
You can only validate it indirectly by checking if the DS at the parent
matches the DNSKEY in the (presumed) child.

It appears that DNSSEC was designed to verify from the QNAME back up to
the root. I was trying to do it the other way around, hence my confusion.

thx,
Niobos
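
The indirect check described in the message above (the parent's DS matched against the child's DNSKEY, following RFC 4034), as an added example that is not part of the original post or of BIND. The function names are hypothetical and the key bytes are constructed placeholders; a validator must additionally verify the RRSIG over the DS RRset with the parent's key and the RRSIG over the child's DNSKEY RRset with the matched key.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name | DNSKEY RDATA)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()

def ds_matches(owner, ds, rdata):
    """ds is (key_tag, algorithm, digest_type, digest) as published by the parent."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False  # unsupported digest type: cannot link parent to child
    return (algorithm == rdata[3] and tag == key_tag(rdata)
            and digest == ds_digest(owner, rdata, digest_type))

# Constructed sample data: placeholder key bytes, not real public keys.
CHILD = "example.org."
CHILD_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
OTHER_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")
PARENT_DS = (key_tag(CHILD_KSK), 8, 2, ds_digest(CHILD, CHILD_KSK, 2))

if __name__ == "__main__":
    print("child key matches DS:", ds_matches(CHILD, PARENT_DS, CHILD_KSK))
    print("substituted key matches DS:", ds_matches(CHILD, PARENT_DS, OTHER_KSK))
```

The delegation NS RRset itself never enters the computation: the chain of trust runs through the DS and DNSKEY records only.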