DNSSEC enabling second level domains

Dave Clark bind-users at dollardns.net
Mon Jul 25 17:07:50 UTC 2005


I just wanted to confirm something.  I read this in the BIND 9.3.1 manual:

"There must also be communication with the administrators of the parent
and/or child zone to transmit keys. A zone's security status must be
indicated by the parent zone for a DNSSEC capable resolver to trust its
data. This is done through the presence or absence of a DS record at the
delegation point."

Does this mean that domains like 'dollardns.net' cannot be DNSSEC
secured unless the GTLD servers have a DS record for my domain?  It would
seem to be kind of a hassle to have to individually secure subzones like
www.dollardns.net and mail.dollardns.net etc - and I haven't heard of any
processes by which you can add DS records to TLD name servers.  Is securing
second level domains feasible?

Dave
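
The DS record named in the quoted manual passage is a digest of the child zone's DNSKEY, published by the parent at the delegation point. As an added example (not part of the original post and not BIND code), this sketch derives the DS presentation line following RFC 4034; the 64-byte key is constructed filler, not a real public key, and the function names are illustrative.

```python
import hashlib
import struct

DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest type numbers

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    name = name.rstrip(".").lower()
    if not name:  # the root zone
        return b"\x00"
    wire = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, public_key, digest_type=2) -> str:
    """DS line the parent would publish: digest over owner name + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    data = name_to_wire(owner) + rdata
    digest = hashlib.new(DIGESTS[digest_type], data).hexdigest().upper()
    fqdn = owner.rstrip(".").lower() + "."
    return f"{fqdn} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

# Constructed sample input: 64 filler bytes standing in for an
# algorithm 13 (ECDSA P-256) key with flags 257 (key-signing key).
SAMPLE_KEY = bytes(range(64))

if __name__ == "__main__":
    print(make_ds("dollardns.net", 257, 3, 13, SAMPLE_KEY))
```

Because the owner name is part of the digest input, the same key placed at a different zone name yields a different DS record.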