Validating a DNSSEC installation
Chris Thompson
cet1 at cam.ac.uk
Tue Jun 16 11:08:01 UTC 2009
On Jun 15 2009, Chris Buxton wrote:
>On Jun 13, 2009, at 4:59 AM, Erik Lotspeich wrote:
>> Is it normal that a validating resolver can't validate a domain it is
>> authoritative for?
>
>Absolutely. As Alan Clegg wrote not long ago on this list,
You presumably refer to
https://lists.isc.org/pipermail/bind-users/2009-January/074760.html
which I *suppose* counts as "not long ago" ... :-)
> this is why
>a DNSSEC validating resolver should not be authoritative for any
>signed zones.
This seems too strong to me, There are lots of good reasons why one may
want a resolver to stealth slave local (possibly signed) zones, and thus
be "authoritative" for them. However, it is certainly the case that because
no other validation is performed on these zones, they should be fetched
by secure means, e.g. TSIG-signed transfers from trusted master servers.
--
Chris Thompson
Email: cet1 at cam.ac.uk
More information about the bind-users
mailing list