DNSSEC enabling second level domains
Paul Vixie
vixie at sa.vix.com
Wed Jul 27 20:58:10 UTC 2005
"Dave Clark" <bind-users at dollardns.net> writes:
> ...
> Does this mean that that domains like 'dollardns.net' cannot be DNSSEC
> secured unless the GTLD servers have a DS record for my domain?
unless you can get the entire population of validators, or the subset of
validators who you need to be able to verify your answers, to cut and paste
your key into their named.conf files... yes.
or you could try DLV, which will be in BIND 9.4.0. to wit:
---
IEICE Transactions on Communications 2005 E88-B(4):1326-1330;
doi:10.1093/ietcom/e88-b.4.1326
Copyright © 2005 The Institute of Electronics, Information and
Communication Engineers
Special Section on Internet Technology V -- Papers
Preventing Child Neglect in DNSSECbis Using Lookaside Validation (DLV)*
Paul VIXIE (1)
1 The author is with Internet Systems Consortium, Redwood City, CA
94063-3110, USA. E-mail: vixie at isc.org
The DNSSECbis data model has key introduction follow the delegation
chain, thus requiring a zone's parent to become secure before a zone
itself can be secured. Ultimately this leads to non-deployability since
the root zone will probably not be secured any time soon. We describe
an early deployment aid for DNSSECbis whereby key introduction can be
done via cooperating third parties.
Key Words: DNS, domain name system, DNS security, DNSSEC, secure DNS,
Internet
Manuscript received October 5, 2004.
* This work was supported by Keio University.
---
> It would seem to be kind of a hassle to have to individually secure
> subzones like www.dollardns.net and mail.dollardns.net etc - and I
> haven't heard of any processes by which you can add DS records to TLD
> name servers. Is securing second level domains feasible?
until the root zone is secured, no TLD will have a way to publish a DS.
until your TLD is secured, there is no way for an SLD to publish a DS.
workarounds exist, such as full-mesh cut&paste, or DLV.
--
Paul Vixie
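The three ways a validator can come to trust a zone's key that this reply describes (a DS in a parent that is itself secure, the key pasted into named.conf as a trust anchor, or a DLV record in a lookaside registry) as an added Python model. This is not code from the post or from BIND; it follows the DS construction in RFC 4034 and the DLV record format of RFC 4431, and the zone names, key bytes and DS sets are constructed sample data, not real key material.

```python
# Added example, not from the original post: how a DNSSEC validator anchors
# trust for a zone. DS = digest(owner name in wire form || DNSKEY RDATA)
# per RFC 4034; a DLV record carries the same RDATA as a DS (RFC 4431).
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root label last."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # type 2 (RFC 4509) postdates this 2005 post


def make_ds(zone: str, rdata: bytes, digest_type: int = 1) -> tuple:
    """DS RDATA for a child's key: (key tag, algorithm, digest type, hex digest)."""
    digest = DIGESTS[digest_type](name_to_wire(zone) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parent_of(zone: str):
    """'dollardns.net' -> 'net', 'net' -> '' (root), root -> None."""
    return None if zone == "" else zone.partition(".")[2]


class Validator:
    """Toy validator: a zone is 'secure' only if some trust path reaches its DNSKEY."""

    def __init__(self, keys, ds_in_parent, trusted_keys=(), dlv_zone=None, dlv_records=None):
        self.keys = keys                        # zone -> DNSKEY RDATA the zone publishes
        self.ds_in_parent = ds_in_parent        # zone -> set of DS RDATA its parent publishes
        self.trusted_keys = set(trusted_keys)   # (zone, rdata) pairs pasted into named.conf
        self.dlv_zone = dlv_zone                # registry zone, e.g. a hypothetical dlv.isc.org
        self.dlv_records = dlv_records or {}    # zone -> set of DLV RDATA in that registry

    @staticmethod
    def _matches(zone, rdata, records):
        return any(make_ds(zone, rdata, d[2]) == d for d in records)

    def status(self, zone: str) -> str:
        zone = zone.rstrip(".").lower()
        rdata = self.keys.get(zone)
        if rdata is None:
            return "insecure"                   # unsigned zone: nothing to validate
        if (zone, rdata) in self.trusted_keys:
            return "secure"                     # (a) locally configured trust anchor
        parent = parent_of(zone)
        if parent is not None and self._matches(zone, rdata, self.ds_in_parent.get(zone, ())) \
                and self.status(parent) == "secure":
            return "secure"                     # (b) DS in a parent that is itself secure
        if self.dlv_zone and zone != self.dlv_zone \
                and self._matches(zone, rdata, self.dlv_records.get(zone, ())) \
                and self.status(self.dlv_zone) == "secure":
            return "secure"                     # (c) lookaside: DLV record in a trusted registry
        return "insecure"


# Constructed sample keys (placeholder bytes, not real RSA material).
KEYS = {
    "": dnskey_rdata(257, 5, b"root-ksk-placeholder"),
    "net": dnskey_rdata(257, 5, b"net-ksk-placeholder"),
    "dollardns.net": dnskey_rdata(257, 5, b"dollardns-ksk-placeholder"),
    "dlv.isc.org": dnskey_rdata(257, 5, b"dlv-registry-ksk-placeholder"),
}
# DS records as the parents *would* publish them if the whole chain were signed.
DS = {
    "net": {make_ds("net", KEYS["net"])},
    "dollardns.net": {make_ds("dollardns.net", KEYS["dollardns.net"])},
}


def scenario_chain_only():
    """Even with DS records in place, nothing validates while no one trusts the root key."""
    return Validator(KEYS, DS).status("dollardns.net")


def scenario_root_anchor():
    """Once the root key is an anchor, the DS chain carries trust down to the SLD."""
    return Validator(KEYS, DS, trusted_keys=[("", KEYS[""])]).status("dollardns.net")


def scenario_cut_and_paste():
    """Full-mesh workaround: the SLD key itself is pasted into every validator's config."""
    return Validator(KEYS, {}, trusted_keys=[("dollardns.net", KEYS["dollardns.net"])]).status("dollardns.net")


def scenario_dlv():
    """DLV workaround: only the registry key is an anchor; it vouches for the SLD key."""
    dlv = {"dollardns.net": {make_ds("dollardns.net", KEYS["dollardns.net"])}}
    return Validator(KEYS, {}, trusted_keys=[("dlv.isc.org", KEYS["dlv.isc.org"])],
                     dlv_zone="dlv.isc.org", dlv_records=dlv).status("dollardns.net")


if __name__ == "__main__":
    for fn in (scenario_chain_only, scenario_root_anchor, scenario_cut_and_paste, scenario_dlv):
        print(f"{fn.__name__:22s} {fn()}")
```

The first scenario is the point of the reply: a DS in the TLD is useless to a validator until the TLD, and ultimately the root, is itself reachable from a configured anchor, so an SLD in 2005 had only the cut-and-paste or DLV routes. The DLV lookup is modelled as a lookup keyed by zone; in BIND the query actually goes to the zone name appended to the registry name.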