dnssec dlv

Mark Andrews marka at isc.org
Sat May 22 00:21:04 UTC 2010

In message <AANLkTik1Cd0xkeAruE2brDkxPNb6CVyZ4zN-qvuv9DPj at mail.gmail.com>, itse
rvices88 writes:
> I heard that root zone will be signed (or is already signed), so what
> changes would be required with respect to the current additions of adding
> dlv.isc.org as trust anchor and its associated trusted key ? Do we need to
> keep the isc dlv ? or add a new key for the root ?
> Thanks
> -dani

When the signed root goes operational you should add a managed
trusted key for it as I believe that the root will be following the
rules in RFC 5011.  Managed trusted keys were introduced in BIND
9.7.0.  You will still need to use DLV for the parts of the tree
which are not connected to the root.  The root's trust anchors will
be added to DLV so there is no need to rush to do this.  As far as
DLV is concerned the root is just another zone.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list