DNSSEC validation works with DLV, but not with just trusted-key

Alan Clegg aclegg at isc.org
Wed Nov 25 15:54:08 UTC 2009

Hanno Böck wrote:
> On Wednesday 25 November 2009, Alan Clegg wrote:
>> There is no DS record for dnssec-tools.org in .org (chain of trust is
>> broken), so you can't validate the response -- thus the data being
>> passed back to you.
> Ok, that explains it.
> Are there any example domains with known-broken DNSSEC records with a full
> trust chain?

I've been meaning to set some up, but at this moment, I'm not aware of any.

Setting up your trust-anchor with the DNSKEY from dnssec-tools.org would
be only one level worse than using the DNSKEY from .org.

Setting up a validator using the key from dnssec-tools.org should be able
to prove your point...
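
Added example, not part of the original message or of BIND: before a zone's DNSKEY is configured as a trust anchor, its key tag and SHA-256 DS digest can be computed locally and compared with the values the zone operator publishes out of band, which stands in for the DS record that is missing from the parent. The public key below is a constructed 4-byte placeholder, not the real dnssec-tools.org key, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed placeholder: 4 bytes of "public key" material, NOT a real key.
SAMPLE_ZONE = "dnssec-tools.org"
SAMPLE_PUBKEY_B64 = "AQIDBA=="


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    stripped = name.rstrip(".").lower()
    if not stripped:
        return b"\x00"  # the root zone
    wire = b""
    for label in stripped.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def matches_ds(owner, rdata, ds_key_tag, ds_algorithm, ds_digest_hex):
    """True if a DS record (parent zone or published anchor) names this key."""
    return (key_tag(rdata) == ds_key_tag
            and rdata[3] == ds_algorithm
            and ds_digest_sha256(owner, rdata) == ds_digest_hex.replace(" ", "").upper())


if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY_B64)  # 257 = KSK (SEP bit set)
    print(SAMPLE_ZONE, "key tag:", key_tag(rdata))
    print(SAMPLE_ZONE, "DS (SHA-256):", ds_digest_sha256(SAMPLE_ZONE, rdata))
```

A mismatch on any of the three fields means the key being installed is not the one the published DS or anchor describes, and it should not be trusted.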

