DNSSEC submit of DLV vs DNSKEY records?
Torinthiel
torinthiel at data.pl
Thu May 5 21:40:27 UTC 2011
On 05/05/11 22:47, dchilton+bind at bestmail.us wrote:
> "missed it by THAT much ...". thx! relocating to bind-users.
>
> On Thu, 05 May 2011 14:37 -0500, "/dev/rob0" <rob0 at gmx.co.uk> wrote:
>> FWIW I think you hit the wrong list. Did you mean bind-users at isc?
>
>
>> On Thu, May 05, 2011 at 12:25:27PM -0700, dchilton+bind at bestmail.us
>> wrote:
>>> after signing my zones with 'dnssec-signzone', i 've got both
>>>
>>> dsset-domain.com
>>> dlvset-domain.com
>>>
>>> containing DS- and DLV-records, respectively.
>>>
>>> i know i *can* submit the records to my registrar (DS records)
>>> and dlv.isc.org (DLV records), but should I do both?
>>>
>>> i'm not clear if these are redundant mechs for getting to a
>>> 'valid' DNSSEC state, or complementary.
>>>
>>> can anyone clarify -- both or just one? and if just one, which
>>> one?
>>
>> [I hope someone will correct me if I'm wrong.]
>>
>> My understanding: if the parent is signed, that is the only way a
>> child zone can be validated, unless of course using trusted-keys.
>> DLV is only done when the parent is unsigned.
DLV can be done anyway, but having a signed parent is better.
Consider this situation: you have signed parent, but not a chain to root
(i.e. an island of trust). This makes your zone unvalidabe to anyone
that doesn't trust that island. now, if you have a DLV record, than
anyone trusting it can also validate your zone. If, OTOH, one trusts
parent, then why should he bother checking DLV?
Having a signed parent won't stop anyone from lookng at DLV (signed !=
trusted).
Anyway, .com is now signed and if you can put DS in .com than putting it
in DLV as well is overkill.
Torinthiel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110505/e039deb6/attachment.bin>
More information about the bind-users
mailing list