Subdomain DNSSEC

Warren Kumari warren at kumari.net
Mon Aug 28 17:28:20 UTC 2017


On Mon, Aug 28, 2017 at 12:25 PM, Niall O'Reilly <niall.oreilly at ucd.ie> wrote:
> On 28 Aug 2017, at 17:06, Michael Dahlberg wrote:
>
>> My apologies if this question has an easily discoverable answer but my
>> google-fu seems to be failing me today.
>
>
>   Try "insecure delegation" against your favourite search engine.
>   Here's an example of what searching for this gave me (from DuckDuckGo
> rather than Google):
>
> https://stackoverflow.com/questions/25674236/how-to-create-delegation-signer-ds-record-for-a-subdomain-with-powerdns
>
>>  If a domain is signed, is it possible to delegate a subdomain to a 3rd
>> party who is unable to sign that subdomain?
>
>
>   Yes.  You need NS records as has always been the case.  By simply not
>   adding a DS record, you signal an insecure delegation.

Yup, exactly -- take .com as an example -- it is a signed zone, but
there are a large number of unsigned subdomains in it.

W

>
>   You may have problems if the two sets of name servers (for parent and
>   child zones) overlap.
>
>   Best regards,
>   Niall O'Reilly



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
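
The insecure delegation discussed in this thread, as an added example that is not part of the original messages: a small Python check that reads a parent zone and reports each delegation as secure (NS plus DS) or insecure (NS only). The zone contents, the names under example.com and the function names are constructed for illustration.

```python
# Added example: classify delegations in a signed parent zone.
# A child is delegated when it has NS records at a name below the apex.
# The delegation is secure only if the parent also publishes a DS RRset
# at that name; with no DS, validators treat the child as unsigned.
from collections import defaultdict

ZONE_ORIGIN = "example.com."

# Constructed sample data: key and digest fields are placeholders.
SAMPLE_PARENT_ZONE = """\
example.com.         3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com.         3600 IN NS  ns1.example.com.
example.com.         3600 IN DNSKEY 257 3 13 (constructed-placeholder-key)
signed.example.com.  3600 IN NS  ns1.signed.example.com.
signed.example.com.  3600 IN DS  12345 13 2 (constructed-placeholder-digest)
vendor.example.com.  3600 IN NS  ns1.thirdparty.example.
vendor.example.com.  3600 IN NS  ns2.thirdparty.example.
www.example.com.     3600 IN A   192.0.2.10
"""

def parse_records(zone_text):
    """Yield (owner, rrtype) from lines shaped 'owner ttl class type rdata'."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";"):
            yield fields[0].lower(), fields[3].upper()

def classify_delegations(zone_text, origin):
    """Return {child_zone: 'secure' | 'insecure'} for every delegation."""
    types_at = defaultdict(set)
    for owner, rrtype in parse_records(zone_text):
        types_at[owner].add(rrtype)
    result = {}
    for owner, types in types_at.items():
        # NS at the apex is the zone's own NS set, not a delegation.
        if owner == origin.lower() or "NS" not in types:
            continue
        result[owner] = "secure" if "DS" in types else "insecure"
    return result

if __name__ == "__main__":
    found = classify_delegations(SAMPLE_PARENT_ZONE, ZONE_ORIGIN)
    for child, state in sorted(found.items()):
        print(f"{child:22} {state}")
```

The parser only handles one record per line with explicit owner, TTL and class, which is enough for the sample; a real zone file with `$ORIGIN`, relative names or multi-line records needs a full zone parser.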

