how to proper include DS record on key dnssec

Marc Lampo marc.lampo at eurid.eu
Fri Jan 14 08:59:27 UTC 2011


...

> DNSKEY goes to fakessh.eu
> DS goes to .eu, and I don't have any idea if registrars already permit it
The .eu zone will accept the DS information (that is: the registrar should
inform us of the KSK or KSKs (plural)).
Our system performs extra checks on DNSSEC information,
trying to make sure that the introduction of DS information
does not result in a broken chain-of-trust!

> DLV goes to dlv.isc.net or any other dlv repository you want.
Is this still necessary? Using DLV if the top-level-domain has full
chain-of-trust?
>
> That's three different zones, and three different signers.

One observation though:
All auth NSs have serial: 2011011301,
but ns0.xname.org. and ns2.xname.org. (unofficial auth NS) have no RRSIG
information!
(You might check if the DNS software on those name servers is capable
of/configured for DNSSEC!)


(If you are working with the registrar,
you can also consult help pages on the EURid.eu website, accessible to
registrars only.)


Kind regards,



Marc Lampo
Security Officer
 
    EURid
    Woluwelaan 150    
    1831 Diegem - Belgium
    TEL.: +32 (0) 2 401 3030
    MOB.:+32 (0)476 984 391
    marc.lampo at eurid.eu
    http://www.eurid.eu
   

