DNSSEC enabling second level domains

Brett Carr brettcarr at ripe.net
Mon Jul 25 20:37:49 UTC 2005


On Mon, 25 Jul 2005, Dave Clark wrote:

> I just wanted to confirm something.  I read this in the BIND 9.3.1 manual:
>
> "There must also be communication with the administrators of the parent
> and/or child zone to transmit keys. A zone's security status must be
> indicated by the parent zone for a DNSSEC capable resolver to trust its
> data. This is done through the presence or absence of a DS record at the
> delegation point."
>
> Does this mean that domains like 'dollardns.net' cannot be DNSSEC
> secured unless the GTLD servers have a DS record for my domain?  It would
> seem to be kind of a hassle to have to individually secure subzones like
> www.dollardns.net and mail.dollardns.net etc - and I haven't heard of any
> processes by which you can add DS records to TLD name servers.  Is securing
> second level domains feasible?

You can secure second level domains, but in order for this to work you need
to publish the key somewhere, and people must add it to their caching
nameservers/resolvers in a "trusted-keys" statement.
Obviously this is not really scalable long term,
and for DNSSEC to be deployed on a wide scale it needs some support higher
up. If you are interested in DNSSEC deployment, keep an eye on www.ripe.net:
we are working on the roll out of some signed zones at the moment and will
be signing some /8 reverses at some point in the not too distant future.

Brett
--
Brett Carr                              Ripe Network Coordination Centre
System Engineer -- Operations Group     Singel 258 Amsterdam NL
GPG Key fingerprint = F20D B2A7 C91D E370 44CF  F244 B6A1 EF48 E743 F7D8
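Added example, not part of the original post or BIND's own code: the two
mechanisms discussed above side by side. The DS record is what the parent
publishes at the delegation point (RFC 4034 section 5: digest of the child's
canonical owner name followed by the DNSKEY RDATA, plus the key tag from
RFC 4034 Appendix B). The "trusted-keys" statement is the BIND 9.3-era
workaround Brett describes, where each validating resolver configures the
child's key directly as a trust anchor. The DNSKEY material below is
constructed for illustration and is not a real key for dollardns.net; the
function names are this example's own.

```python
"""Added example (not from the original post or from BIND): compute the DS
record a parent would publish for a child's KSK, and the BIND trusted-keys
statement resolvers used when the parent offered no DS.  The DNSKEY used
here is constructed for illustration; it is not a real dollardns.net key."""
import base64
import hashlib

# Constructed sample DNSKEY: flags 257 (KSK), protocol 3, algorithm 8
# (RSASHA256) with a deliberately short, fake key blob.  A real RSASHA256
# public key would be a few hundred bytes of base64.
ZONE = "dollardns.net."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8
PUBLIC_KEY = base64.b64encode(b"constructed-not-a-real-key").decode()

# DS digest type -> hashlib name (RFC 4034 / RFC 4509 / RFC 6605)
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the root's zero-length label."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError("bad label: %r" % label)
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, raw key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(key_b64))


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(wire_name: bytes, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), uppercase hex."""
    return hashlib.new(DIGEST_TYPES[digest_type], wire_name + rdata).hexdigest().upper()


def ds_record(name: str, flags: int, protocol: int, algorithm: int,
              key_b64: str, digest_type: int = 2) -> str:
    """Presentation-format DS RR the parent zone would publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return "%s IN DS %d %d %d %s" % (
        name, key_tag(rdata), algorithm, digest_type,
        ds_digest(canonical_name(name), rdata, digest_type))


def trusted_keys_statement(name: str, flags: int, protocol: int,
                           algorithm: int, key_b64: str) -> str:
    """The resolver-side alternative when the parent publishes no DS: the
    child's KSK configured as a static trust anchor in named.conf."""
    return 'trusted-keys {\n    "%s" %d %d %d "%s";\n};' % (
        name, flags, protocol, algorithm, key_b64)


if __name__ == "__main__":
    print(ds_record(ZONE, FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY))
    print(trusted_keys_statement(ZONE, FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY))
```

Only the DS route gives every validating resolver a chain from the parent's
keys to the child's; the trusted-keys route means each operator must obtain
the child's key out of band and update their configuration whenever the
child rolls its KSK, which is the scalability problem the reply points at.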
