DNSSEC enabling second level domains

Paul Vixie vixie at sa.vix.com
Wed Jul 27 20:58:10 UTC 2005


"Dave Clark" <bind-users at dollardns.net> writes:

> ...
> Does this mean that that domains like 'dollardns.net' cannot be DNSSEC
> secured unless the GTLD servers have a DS record for my domain?

unless you can get the entire population of validators, or the subset of
validators who you need to be able to verify your answers, to cut and paste
your key into their named.conf files... yes.

or you could try DLV, which will be in BIND 9.4.0.  to wit:

---

IEICE Transactions on Communications 2005 E88-B(4):1326-1330;
doi:10.1093/ietcom/e88-b.4.1326 

Copyright © 2005 The Institute of Electronics, Information and
Communication Engineers 

Special Section on Internet Technology V -- Papers

Preventing Child Neglect in DNSSECbis Using Lookaside Validation (DLV)* 

Paul VIXIE (1)

 1 The author is with Internet Systems Consortium, Redwood City, CA
 94063-3110, USA. E-mail: vixie at isc.org 

 The DNSSECbis data model has key introduction follow the delegation
 chain, thus requiring a zone's parent to become secure before a zone
 itself can be secured. Ultimately this leads to non-deployability since
 the root zone will probably not be secured any time soon. We describe
 an early deployment aid for DNSSECbis whereby key introduction can be
 done via cooperating third parties. 

 Key Words: DNS, domain name system, DNS security, DNSSEC, secure DNS,
 Internet

 Manuscript received October 5, 2004.

 * This work was supported by Keio University.

---

> It would seem to be kind of a hassle to have to individually secure
> subzones like www.dollardns.net and mail.dollardns.net etc - and I
> haven't heard of any processes by which you can add DS records to TLD
> name servers.  Is securing second level domains feasible?

until the root zone is secured, no TLD will have a way to publish a DS.
until your TLD is secured, there is no way for an SLD to publish a DS.
workarounds exist, such as full-mesh cut&paste, or DLV.
-- 
Paul Vixie
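To make the chain-of-trust argument above concrete, here is a small added model of the three routes a validator can use to trust a zone's key: a trust anchor pasted into its configuration, a DS chain down from a trusted ancestor, or an entry in a DLV registry. This is illustrative Python written for this archive page, not BIND's validator or code from the post; the zone names, the DS links and the registry contents are constructed.

```python
"""Model of how a DNSSEC validator comes to trust a zone's key."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


def parent(zone: str) -> Optional[str]:
    """Parent zone of `zone` (fully qualified, trailing dot); None for root."""
    if zone == ".":
        return None
    labels = zone.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


@dataclass
class Validator:
    # Zones whose keys were cut and pasted into the validator's config.
    trust_anchors: Set[str] = field(default_factory=set)
    # (parent, child) pairs where the parent publishes a DS for the child.
    ds_links: Set[Tuple[str, str]] = field(default_factory=set)
    # Zones registered with the lookaside (DLV) operator.
    dlv_registry: Set[str] = field(default_factory=set)
    # Whether the DLV zone's own key is configured as a trust anchor.
    dlv_configured: bool = False

    def validates(self, zone: str) -> Optional[str]:
        """Return the route used to trust `zone`, or None if it stays insecure."""
        if zone in self.trust_anchors:
            return "trust-anchor"
        p = parent(zone)
        # DS chain: the parent must publish our DS AND itself be trusted.
        if p is not None and (p, zone) in self.ds_links and self.validates(p):
            return "ds-chain"
        if self.dlv_configured and zone in self.dlv_registry:
            return "dlv"
        return None


def scenario() -> dict:
    """Constructed scenario: root and net. unsigned, dollardns.net. signed."""
    v = Validator()
    # dollardns.net. signs its subzones and publishes DS records for them.
    v.ds_links.add(("dollardns.net.", "mail.dollardns.net."))
    before = v.validates("dollardns.net.")          # no DS path via net. -> None
    v.trust_anchors.add("dollardns.net.")            # route 1: cut & paste
    via_anchor = v.validates("dollardns.net.")
    child = v.validates("mail.dollardns.net.")       # route 2: DS chain from SLD
    w = Validator(dlv_registry={"dollardns.net."}, dlv_configured=True)
    via_dlv = w.validates("dollardns.net.")          # route 3: lookaside
    return {"before": before, "anchor": via_anchor, "child": child, "dlv": via_dlv}
```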
