isc trust anchor

Tony Finch dot at dotat.at
Wed Sep 15 16:16:54 UTC 2010


On Wed, 15 Sep 2010, sami's strat wrote:
>
> a.us is (dnssec) signed and the parent domain has a copy of the DS keys.
> Is there a way to have host.b.com run dnssec aware queries against a.us?

You don't need or want the ISC DLV trust anchor for that, since there is a
chain of trust to the root and it's better to use the root trust anchor
when you can. The DLV should be used to fill the gaps where it isn't
possible to form a chain of trust to the root (e.g. an unsigned parent or
a parent that doesn't yet accept DS records.)

Here's a quick guide to setting up DNSSEC validation with bind-9.7:
http://fanf.livejournal.com/107310.html

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.
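
The decision described in the reply above, sketched as an added example (not part of the original message and not BIND code): it walks the zone cuts from the root down to the queried name and reports whether the root trust anchor is enough or a DLV entry would be needed to fill a gap. The zone table, the function names and every zone other than a.us are constructed for illustration.

```python
# Constructed zone table, not real DNS state: zone -> (signed, ds_in_parent).
ZONES = {
    ".": (True, True),                 # root: its key is the configured anchor
    "us.": (True, True),
    "a.us.": (True, True),             # the case from the question
    "example.": (False, False),        # unsigned parent
    "island.example.": (True, False),  # signed child below an unsigned parent
    "test.": (True, True),
    "nods.test.": (True, False),       # parent signed but publishes no DS
}


def zone_cuts(name, zones):
    """Return the known zones enclosing `name`, ordered from the root down."""
    labels = [label for label in name.lower().split(".") if label]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            chain.append(candidate)
    return chain


def trust_anchor_for(name, zones=ZONES):
    """Classify `name` as 'root', 'dlv' or 'insecure'.

    'root'     : every zone cut is signed and has a DS in its parent
    'dlv'      : the chain breaks, but the closest enclosing zone is signed,
                 so a lookaside entry could fill the gap
    'insecure' : the closest enclosing zone is unsigned, nothing to validate
    """
    chain = zone_cuts(name, zones)
    for zone in chain[1:]:
        signed, ds_in_parent = zones[zone]
        if not (signed and ds_in_parent):
            apex_signed, _ = zones[chain[-1]]
            return "dlv" if apex_signed else "insecure"
    return "root"


if __name__ == "__main__":
    for qname in ("www.a.us.", "www.island.example.",
                  "www.nods.test.", "www.example."):
        print(qname, "->", trust_anchor_for(qname))
```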