dnssec dlv
Chris Thompson
cet1 at cam.ac.uk
Fri May 21 16:04:16 UTC 2010
On May 21 2010, itservices88 wrote:
>I heard that root zone will be signed (or is already signed),
It's in DURZ mode. Read all about it at http://www.root-dnssec.org/
> so what
>changes would be required with respect to the current additions of adding
>dlv.isc.org as trust anchor and its associated trusted key ? Do we need to
>keep the isc dlv ? or add a new key for the root ?
I don't know whether ISC are planning to add a DLV record for the
root to the isc.dlv.org zone. (When I asked on another list whether
that would work, Mark Andrews told me "of course it would".) If
not, then it will certainly be desirable to add a trust anchor
for the root zone, as (for example) the IANA ITAR will stop being
imported into dlv.isc.org at some point, as it will cease to exist.
But large parts of the DNS tree will remain disconnected from the
root vis-a-vis DNSSEC, for quite a while, so you should plan to keep
using dlv.isc.org as well. (I am assuming you are not opposed to DLV
in principle if you are already using it...] I would plan to review
the situation in mid-2011 after "com" has been signed for a decent
length of time.
--
Chris Thompson
Email: cet1 at cam.ac.uk
More information about the bind-users
mailing list