Signed root - missing RRSIG for delegation?

Alan Clegg aclegg at isc.org
Fri Jul 16 10:39:21 UTC 2010


On 7/16/2010 6:36 AM, Alan Clegg wrote:
> On 7/16/2010 6:25 AM, Niobos wrote:
> 
>> It's probably just my lack of knowledge, but there seems to be a missing
>> RRSIG in the root zone.
>>
>> I try to securely resolve example.net. I obviously get a delegation
>> returned (dig output below), but I can't seem to validate that
>> delegation. The delegation itself (and a direct request for net./NS)
>> only yield an RRSIG over the NSEC RRset, not over the NS RRset and not
>> over the glue A-records (which are in bailiwick, and I have "no other
>> way" to resolve them)
>>
>> Can anyone clarify?
> 
> .net isn't signed, and you don't sign "out-of-zone" data (glue and
> delegation NS records).
> 
> What do you mean 'I have "no other way" to resolve them' -- yes, they
> are signed, but they seem to resolve just fine.

And, to clarify, "they are not signed"... (it's been a long week, folks).

AlanC
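
The rule stated in the reply above, as an added example that is not part of the original message or of BIND: following RFC 4035 section 2.2, a parent zone signs its authoritative RRsets plus the DS and NSEC RRsets at a delegation point, but not the delegation NS RRset or glue. The zone slice is constructed, and `signed-tld.`, `ns1.signed-tld.` and the function names are assumptions made for illustration.

```python
# Constructed slice of a signed parent zone (the root) as (owner, type) pairs.
# "signed-tld." and its glue name are made up for illustration.
APEX = "."
RRSETS = [
    (".", "SOA"), (".", "NS"), (".", "DNSKEY"), (".", "NSEC"),
    ("net.", "NS"), ("net.", "NSEC"),
    ("a.gtld-servers.net.", "A"),
    ("signed-tld.", "NS"), ("signed-tld.", "DS"), ("signed-tld.", "NSEC"),
    ("ns1.signed-tld.", "AAAA"),
]

def labels(name):
    """Split an absolute, lowercase name into labels; the root is []."""
    return [] if name == "." else name.rstrip(".").split(".")

def at_or_below(name, ancestor):
    """True if name equals ancestor or is a descendant of it."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def signing_plan(apex, rrsets):
    """Map each RRset to whether the parent zone signs it (RFC 4035 s2.2)."""
    # Every NS owner other than the apex is a zone cut (delegation point).
    cuts = {o for o, t in rrsets if t == "NS" and o != apex}
    plan = {}
    for owner, rtype in rrsets:
        cut = next((c for c in cuts if at_or_below(owner, c)), None)
        if cut is None:
            plan[owner, rtype] = "signed (authoritative)"
        elif owner == cut and rtype in ("DS", "NSEC"):
            plan[owner, rtype] = "signed (parent side of the cut)"
        elif owner == cut and rtype == "NS":
            plan[owner, rtype] = "unsigned (delegation NS)"
        else:
            plan[owner, rtype] = "unsigned (glue)"
    return plan

def delegation_status(rrsets, child):
    """Secure if the parent publishes DS; else the signed NSEC proves no DS."""
    return "secure" if (child, "DS") in rrsets else "insecure"

if __name__ == "__main__":
    for key, verdict in signing_plan(APEX, RRSETS).items():
        print(key, verdict)
    print("net.", delegation_status(RRSETS, "net."))
```

For `net.` the only signed RRset at the cut is the NSEC, which matches the dig result described in the question: with no DS in the parent, the delegation is provably insecure rather than broken.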
