dnssec subzone not signed question

Alan Clegg aclegg at isc.org
Thu Dec 23 02:02:02 UTC 2010

On 12/22/2010 6:49 PM, jim wrote:

> Sorry, still needing spoon fed.

No problem.  You might be interested in a presentation that I gave at
NANOG earlier in the year:


> When you say DS record in the parent, would this be .example.edu
> <http://example.edu> or my parent .edu
> The end result is get example.edu <http://example.edu> as a dnssec
> secured zone by getting a DS record in .edu
> So it sounds like when I do upload the example.edu <http://example.edu>
> DS record to .edu, my  subdomain.example.edu
> <http://subdomain.example.edu> will break, I will need to sign every
> zone inside example.edu <http://example.edu>?

Consider that right now, the root (.) is signed. There is a DS record in
(.) for edu, but there is not a DS record in edu for example.edu.  You
don't have example.edu signed yet, but it continues to work.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20101222/3257f6db/attachment.bin>

More information about the bind-users mailing list