DNSSEC submit of DLV vs DNSKEY records?
/dev/rob0
rob0 at gmx.co.uk
Thu May 5 19:37:23 UTC 2011
FWIW I think you hit the wrong list. Did you mean bind-users at isc?
On Thu, May 05, 2011 at 12:25:27PM -0700, dchilton+bind at bestmail.us
wrote:
> after signing my zones with 'dnssec-signzone', i 've got both
>
> dsset-domain.com
> dlvset-domain.com
>
> containing DS- and DLV-records, respectively.
>
> i know i *can* submit the records to my registrar (DS records)
> and dlv.isc.org (DLV records), but should I do both?
>
> i'm not clear if these are redundant mechs for getting to a
> 'valid' DNSSEC state, or complementary.
>
> can anyone clarify -- both or just one? and if just one, which
> one?
[I hope someone will correct me if I'm wrong.]
My understanding: if the parent is signed, that is the only way a
child zone can be validated, unless of course using trusted-keys.
DLV is only done when the parent is unsigned.
Off to the registrar you go!
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
More information about the dhcp-users
mailing list