how to proper include DS record on key dnssec

Marc Lampo marc.lampo at
Fri Jan 14 08:59:27 UTC 2011


> DNSKEY goes to
> DS goes to .eu, and I don't have any idea if registrars already permit
The .eu zone will accept the DS information (that is : registrar should
inform us of the ksk or ksk's (plural))
Our system performs extra checks on DNSSEC information,
 trying to make sure that the introduction of DS information
 does not result in a broken chain-of-trust !

> DLV goes to or any other dlv repository you want.
Is this still necessary ?  Using DLV if the top-level-domain has full
chain-of-trust ?
> That's three different zones, and three different signers.

One observation though :
All auth NS's have serial : 2011011301,
but and (unofficial auth NS) have no RRSIG
information !
 (you might check if the DNS software on those name servers is capable
of/configured for DNSSEC !)

(if you are working with the registrar,
 You can also consult help pages on website, accessible to
registrars only)

Kind regards,

Marc Lampo
Security Officer
    Woluwelaan 150    
    1831 Diegem - Belgium
    TEL.: +32 (0) 2 401 3030
    MOB.:+32 (0)476 984 391
    marc.lampo at

Want a .eu web address in your own language? Find out how so you don’t
miss out!

More information about the bind-users mailing list