DNSSEC submit of DLV vs DNSKEY records?

Torinthiel torinthiel at data.pl
Thu May 5 21:40:27 UTC 2011


On 05/05/11 22:47, dchilton+bind at bestmail.us wrote:
> "missed it by THAT much ...".  thx! relocating to bind-users.
> 
> On Thu, 05 May 2011 14:37 -0500, "/dev/rob0" <rob0 at gmx.co.uk> wrote:
>> FWIW I think you hit the wrong list. Did you mean bind-users at isc?
> 
> 
>> On Thu, May 05, 2011 at 12:25:27PM -0700, dchilton+bind at bestmail.us 
>>    wrote:
>>> after signing my zones with 'dnssec-signzone', i've got both 
>>>
>>>  dsset-domain.com
>>>  dlvset-domain.com
>>>
>>> containing DS- and DLV-records, respectively.
>>>
>>> i know i *can* submit the records to my registrar (DS records)
>>> and dlv.isc.org (DLV records), but should I do both?
>>>
>>> i'm not clear if these are redundant mechs for getting to a
>>> 'valid' DNSSEC state, or complementary.
>>>
>>> can anyone clarify -- both or just one? and if just one, which
>>> one?
>>
>> [I hope someone will correct me if I'm wrong.]
>>
>> My understanding: if the parent is signed, that is the only way a 
>> child zone can be validated, unless of course using trusted-keys. 
>> DLV is only done when the parent is unsigned.

DLV can be done anyway, but having a signed parent is better.

Consider this situation: you have a signed parent, but not a chain to root
(i.e. an island of trust). This makes your zone unvalidatable to anyone
that doesn't trust that island. Now, if you have a DLV record, then
anyone trusting it can also validate your zone. If, OTOH, one trusts
parent, then why should he bother checking DLV?

Having a signed parent won't stop anyone from looking at DLV (signed !=
trusted).

Anyway, .com is now signed and if you can put DS in .com then putting it
in DLV as well is overkill.
Torinthiel
